Ch15 Flashcards
Which one of the following factors should not be taken into consideration when planning a security testing schedule for a particular system?
A. Sensitivity of the information stored on the system
B. Difficulty of performing the test
C. Desire to experiment with new testing tools
D. Desirability of the system to attackers
C. Desire to experiment with new testing tools. This should not influence the testing schedule of a production system.
What type of network discovery scan only follows the first two steps of the TCP handshake?
A. TCP connect scan
B. Xmas scan
C. TCP SYN scan
D. TCP ACK scan
C. TCP SYN scan. This is the best available answer, since there is no "TCP SYN/ACK scan" option.
Badin Industries runs a web application that processes e-commerce orders and handles credit card transactions. As such, it is subject to the Payment Card Industry Data Security Standard (PCI DSS). The company recently performed a web vulnerability scan of the application and it had no unsatisfactory findings. How often must Badin rescan the application?
A. Only if the application changes
B. At least monthly
C. At least annually
D. There is no rescanning requirement.
C. PCI DSS requires rescanning the application at least annually and after any change to the application.
Users of a banking application may try to withdraw funds that don’t exist from their account. Developers are aware of this threat and implemented code to protect against it. What type of software testing would most likely catch this type of vulnerability if the developers have not already remediated it?
A. Misuse case testing
B. SQL injection testing
C. Fuzzing
D. Code review
A. Misuse case testing (also called abuse case testing) identifies known ways that an attacker might exploit a system and tests explicitly to see whether those attacks are possible in the proposed code.
User interface testing includes assessments of what interfaces?
Both graphical user interfaces (GUIs) and command-line interfaces (CLIs) for a software program.
Takes previous input values from actual operation of the software and manipulates them to create fuzzed input.
Mutational (dumb) fuzzing
Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
Generational (intelligent) fuzzing
What three types of interfaces should be tested during the software testing process?
Application programming interfaces (APIs)
User interfaces
Physical interfaces
What are log reviews particularly used for?
Administrative activities and abuses
What is the default level of access given by an administrator?
No access