Chapter 6: Security Assessment and Testing (Domain 6)
6 7. B. Fagan testing is a detailed code review that steps through planning, overview,
preparation, inspection, rework, and follow-up phases. Dynamic tests test the code in a
real runtime environment, whereas fuzzing is a type of dynamic testing that feeds invalid
inputs to software to test its exception-handling capabilities. Roth-Parker reviews were
made up for this question.
- D. The Common Vulnerability Scoring System (CVSS) includes metrics and calculation
tools for exploitability, impact, how mature exploit code is, and how vulnerabilities can be
remediated, as well as a means to score vulnerabilities against users’ unique requirements.
NVD is the National Vulnerability Database, CSV is short for comma-separated values,
and VSS (Visual SourceSafe) is an irrelevant term related to software development rather
than vulnerability management.
- D. Network-enabled printers often provide services via TCP 515 and 9100, and have
both nonsecure and secure web-enabled management interfaces on TCP 80 and 443. Web
servers, access points, and file servers would not typically provide service on the LPR and
LPD ports (515 and 9100).
- A. Nikto, Burp Suite, and Wapiti are all web application vulnerability scanners, tools
designed specifically to scan web servers and applications. While they share some
functionality with broader vulnerability scanners and port scanning tools, they have a
narrower focus and typically have deeper capabilities than vulnerability scanners.
- The correct order of steps in a Fagan inspection is:
D. Planning
C. Overview
E. Preparation
B. Inspection
F. Rework
A. Follow-up
- B. Metasploit is an exploitation package that is designed to assist penetration testers. A
tester using Metasploit can exploit known vulnerabilities for which an exploit has been
created or can create their own exploits using the tool. While Metasploit provides built-in
access to some vulnerability scanning functionality, a tester using Metasploit should
primarily be expected to perform actual tests of exploitable vulnerabilities. Similarly,
Metasploit supports creating buffer overflow attacks, but it is not a purpose-built buffer
overflow testing tool, and of course testing systems for zero-day exploits doesn’t work
unless they have been released.
- D. Susan is conducting interface testing. Interface testing involves testing system or
application components to ensure that they work properly together. Misuse case testing
focuses on how an attacker might misuse the application and would not test normal cases.
Fuzzing attempts to send unexpected input and might be involved in interface testing,
but it won’t cover the full set of concerns. Regression testing is conducted when testing
changes and is used to ensure that the application or system functions as it did before the
update or change.