CISSP Official Practice Tests by Mike Chapple, David Seidl

Chapter 6 ■ Security Assessment and Testing (Domain 6)

  1. As part of the continued testing of their new application, Susan’s quality assurance team
    has designed a set of test cases for a series of black box tests. These functional tests are
    then run, and a report is prepared explaining what has occurred. What type of report is
    typically generated during this testing to indicate test metrics?
    A. A test coverage report
    B. A penetration test report
    C. A code coverage report
    D. A line coverage report

  2. As part of their code coverage testing, Susan’s team runs the analysis in a nonproduction
    environment using logging and tracing tools. Which of the following types of code issues is
    most likely to be missed during testing due to this change in the operating environment?
    A. Improper bounds checking
    B. Input validation
    C. A race condition
    D. Pointer manipulation

  3. Robin recently conducted a vulnerability scan and found a critical vulnerability on a server
    that handles sensitive information. What should Robin do next?
    A. Patching
    B. Reporting
    C. Remediation
    D. Validation


  7. Kathleen is reviewing the code for an application. She first plans the review, conducts an
     overview session with the reviewers and assigns roles, and then works with the reviewers
     to review materials and prepare for their roles. Next, she intends to review the code,
     rework it, and ensure that all defects found have been corrected. What type of review is
     Kathleen conducting?
     A. A dynamic test
     B. Fagan inspection
     C. Fuzzing
     D. A Roth-Parker review


  1. Danielle wants to compare vulnerabilities she has discovered in her data center based on
    how exploitable they are, if exploit code exists, and how hard they are to remediate. What
    scoring system should she use to compare vulnerability metrics like these?
    A. CSV
    B. NVD
    C. VSS
    D. CVSS
