CSLLP Secure Software Testing 2

Question 1

What does IAST (Interactive Application Security Testing) combine?

Accepted Answer

Elements of SAST and DAST by instrumenting the application and monitoring it during runtime testing

Answer

Manual code review and automated scanning

Answer

Network scanning and host-based vulnerability assessment

Answer

Threat modeling and penetration testing

Question 2

A test that verifies the application correctly enforces access restrictions (e.g., a regular user cannot access admin functions) is called:

Accepted Answer

Authorization testing

Answer

Functional testing

Answer

Authentication testing

Answer

Availability testing

Question 3

Which document formally authorizes a system to operate in a production environment after security testing and risk acceptance?

Accepted Answer

Authorization to Operate (ATO)

Answer

Security test plan

Answer

Risk assessment report

Answer

System security plan (SSP)

Question 4

What type of security test deliberately overloads a system with requests to determine its breaking point?

Accepted Answer

Stress test / DoS resilience test

Answer

Penetration test

Answer

Fuzz test

Answer

Regression test

Question 5

Which methodology would a security tester use to verify that a web application properly validates session tokens and prevents session hijacking?

Accepted Answer

Session management testing

Answer

Load testing

Answer

Code coverage analysis

Answer

Static code analysis

Question 6

What is the primary purpose of a vulnerability scan in software security testing?

Accepted Answer

To automatically identify known vulnerabilities and misconfigurations in systems and applications

Answer

To actively exploit discovered vulnerabilities

Answer

To review source code for security defects

Answer

To simulate an insider threat scenario