- What can be used to ensure that software meets the customer’s operational requirements?
(a) Integration testing
(b) Installation testing
(c) Acceptance testing
(d) Unit testing
- What term describes a black-box testing method that seeks to identify and test all unique combinations of software inputs?
(a) Combinatorial software testing
(b) Dynamic testing
(c) Misuse case testing
(d) Static testing
Use the following scenario to answer questions 3–5:
You are the CISO (chief information security officer) of a large bank and have hired a company to provide an overall security assessment, as well as complete a penetration test of your organization. Your goal is to determine overall information security effectiveness. You are specifically interested in determining if theft of financial data is possible. Your bank has recently deployed a custom-developed, three-tier web application that allows customers to check balances, make transfers, and deposit checks by taking a photo with their smartphone and then uploading the check image. In addition to a traditional browser interface, your company has developed a smartphone app for both Apple iOS and Android devices. The contract has been signed, and both scope and rules of engagement have been agreed upon. A 24/7 operational IT contact at the bank has been made available in case of any unexpected developments during the penetration test, including potential accidental disruption of services.
- Assuming the penetration test is successful, what is the best way for the penetration testing firm to demonstrate the risk of theft of financial data?
(a) Instruct the penetration testing team to conduct a thorough vulnerability assessment of the server containing financial data.
(b) Instruct the penetration testing team to download financial data, redact it, and report accordingly.
(c) Instruct the penetration testing team that they may only download financial data via an encrypted and authenticated channel.
(d) Place a harmless “flag” file in the same location as the financial data, and inform the penetration testing team to download the flag.
- You would like to have the security firm test the new web application, but have decided not to share the underlying source code. What type of test could be used to help determine the security of the custom web application?
(a) Secure compiler warnings
(b) Fuzzing
(c) Static testing
(d) White-box testing
- During the course of the penetration test, the testers discover signs of an active compromise of the new custom-developed, three-tier web application. What is the best course of action?
(a) Attempt to contain and eradicate the malicious activity
(b) Continue the test
(c) Quietly end the test, immediately call the operational IT contact, and escalate the issue
(d) Shut the server down
Answers in comments
Q1: (c) Acceptance testing
Q2: (a) Combinatorial software testing
Q3: (d) Harmless flag file (Option A relates to vulnerability scanning rather than pen testing, B & C are dangerous and could involve unauthorised access of regulated data, such as health data records)
Q4: (b) Fuzzing (The other options are all static methods that require access to source code)
Q5: (c) End the test & escalate (Incident handling is not the pen tester’s responsibility)