CISSP Official Practice Tests by Mike Chapple, David Seidl


148 Chapter 6 ■ Security Assessment and Testing (Domain 6)


  7. Ben’s manager expresses concern about the coverage of his scan. Why might his manager
    have this concern?
    A. Ben did not test UDP services.
    B. Ben did not discover ports outside the “well-known ports.”
    C. Ben did not perform OS fingerprinting.
    D. Ben tested only a limited number of ports.


  1. What technique relies on reviewing code without running it?
    A. Fuzzing
    B. Black box analysis
    C. Static analysis
    D. Gray box analysis

  2. Saria needs to write a request for proposal for code review and wants to ensure that the
    reviewers take the business logic behind her organization’s applications into account.
    What type of code review should she specify in the RFP?
    A. Static
    B. Fuzzing
    C. Manual
    D. Dynamic

  3. What type of diagram used in application threat modeling includes malicious users as well
    as descriptions like mitigates and threatens?
    A. Threat trees
    B. STRIDE charts
    C. Misuse case diagrams
    D. DREAD diagrams

  4. What is the first step that should occur before a penetration test is performed?
    A. Data gathering
    B. Port scanning
    C. Getting permission
    D. Planning

  5. Kevin is a database administrator and would like to use a tool designed to test the security
    of his databases. Which one of the following tools is best suited for this purpose?
    A. sqlmap
    B. nmap
