372 Appendix ■ Answers
5. A. A test coverage analysis is often used to provide insight into how well testing covered the set of use cases an application is being tested for. Source code reviews look at the code of a program for bugs, not necessarily at a use case analysis, whereas fuzzing tests invalid inputs. A code review report might be generated as part of a source code review.

6. C. Testing how a system could be misused, or misuse case testing, focuses on behaviors that the organization does not want or that are counter to the proper function of a system or application. Use case testing verifies whether desired functionality works. Dynamic testing evaluates code while it is running rather than by inspecting its source, whereas manual testing is just what it implies: testing code by hand.

7. B. Synthetic monitoring uses emulated or recorded transactions to monitor for performance changes in response time, functionality, or other performance metrics. Passive monitoring uses a SPAN port or other method to copy traffic and monitor it in real time. Log analysis is typically performed against actual log data, but it can be performed on simulated traffic to identify issues. Simulated transaction analysis is not an industry term.

8. C. Path disclosures, local file inclusions, and buffer overflows are all vulnerabilities that may be found by a web vulnerability scanner, but race conditions that take advantage of timing issues tend to be found either by code analysis or by automated tools that specifically test for race conditions as part of software testing.

9. C. Vulnerability scanners that do not have administrative rights to a machine, or that are not using an agent, scan remote machines to gather information, including fingerprints from responses to queries and connections, banner information from services, and related data. CVE information is Common Vulnerabilities and Exposures information, in other words, vulnerability information. A port scanner gathers information about which service ports are open, although some port scanners blur the line between port scanners and vulnerability scanners. Patch management tools typically run as an agent on a system to allow them both to monitor patch levels and to update the system as needed. Service validation typically involves testing the functionality of a service, not its banner and response patterns.

10. B. Emily is using synthetic transactions, which can use recorded or generated transactions, and is conducting use case testing to verify that the application responds properly to actual use cases. Neither actual data nor dynamic monitoring is an industry term. Fuzzing involves sending unexpected inputs to a program to see how it responds. Passive monitoring uses a network tap or other capture technology to allow monitoring of actual traffic to a system or application.

11. B. Real user monitoring (RUM) is a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior. Because it captures real sessions through the actual user interface, RUM is often used as part of a predeployment process as well as in production. The other answers are all made up: synthetic monitoring uses simulated behavior, but synthetic user monitoring is not a testing method. Similarly, passive monitoring monitors actual traffic, but passive user recording is not an industry term or technique. Client/server testing merely describes one possible architecture.

12. B. Jim should ask the information security team to flag the issue as resolved if he is sure the patch was installed. Many vulnerability scanners rely on version information
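The unauthenticated banner fingerprinting described in answer 9, and the reliance on version strings that answer 12 begins to describe, as an added example that is not from the book: a small Python banner parser run over constructed sample responses and checked against a hypothetical "fixed in" table. The host addresses, the banners, the FIXED_IN entries and the EXAMPLE-* labels are all constructed for illustration and are not real scan output or real advisories.

```python
import re

# Constructed sample responses, as an unauthenticated network scanner would see them
# (illustrative data, not output from any real scan).
SAMPLE_BANNERS = {
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_7.4\r\n",
    ("10.0.0.5", 80): "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
    ("10.0.0.7", 21): "220 (vsFTPd 3.0.3)\r\n",
    ("10.0.0.7", 8080): "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
}

# Banner fingerprints: product name and a regex whose first group captures the version.
FINGERPRINTS = [
    ("OpenSSH", re.compile(r"^SSH-\d\.\d-OpenSSH_([\d.]+\w*)")),
    ("Apache", re.compile(r"^Server:\s*Apache/([\d.]+)", re.MULTILINE)),
    ("vsFTPd", re.compile(r"^220 \(vsFTPd ([\d.]+)\)")),
]

# Hypothetical "fixed in" table: product -> (first fixed version, finding label).
# A real scanner loads this from a vulnerability feed; these entries are placeholders,
# not real advisories or CVE identifiers.
FIXED_IN = {
    "OpenSSH": ("7.6", "EXAMPLE-OPENSSH-FINDING"),
    "Apache": ("2.4.30", "EXAMPLE-APACHE-FINDING"),
}


def parse_version(text):
    """'2.4.29' -> (2, 4, 29); '8.9p1' -> (8, 9). Trailing non-numeric suffixes are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def fingerprint(banner):
    """Return (product, version string) for the first matching fingerprint, or None."""
    for product, pattern in FINGERPRINTS:
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None


def assess(banners, fixed_in=FIXED_IN, backported=frozenset()):
    """Version-based assessment of each (host, port) banner.

    Returns (host, port, product, version, status) tuples. `backported` lists (host, port)
    pairs where an administrator has confirmed the fix was applied even though the banner
    still shows the old version string; those are reported as resolved rather than
    vulnerable, which is the situation answer 12 describes.
    """
    findings = []
    for (host, port), banner in banners.items():
        fp = fingerprint(banner)
        if fp is None:
            findings.append((host, port, None, None, "unknown-service"))
            continue
        product, version = fp
        if product not in fixed_in:
            findings.append((host, port, product, version, "no-rule"))
            continue
        fixed_version, _label = fixed_in[product]
        if parse_version(version) >= parse_version(fixed_version):
            status = "patched"
        elif (host, port) in backported:
            status = "resolved-by-exception"
        else:
            status = "vulnerable"
        findings.append((host, port, product, version, status))
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_BANNERS):
        print(finding)
```

The comparison is purely on the advertised version string, which is exactly why unauthenticated scans produce false positives when a distribution backports a fix without changing the banner; the `backported` set models the manual exception an administrator records once the patch has been verified by other means (agent, package inventory, or an authenticated check).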