380 Appendix ■ Answers
8. C. Static analysis is the process of reviewing code without running it. It relies on techniques like data flow analysis to review what the code would do if it were run with a given set of inputs. Black and gray box analyses are not types of code review, although black box and gray box both describe types of penetration testing. Fuzzing provides unexpected or invalid data inputs to test how software responds.
9. C. A manual code review, which is performed by humans who review code line by line, is the best option when it is important to understand the context and business logic in the code. Fuzzing, dynamic, and static code review can all find bugs that manual code review might not, but they won't take the intent of the programmers into account.
10. C. Misuse case diagrams use language beyond typical use case diagrams, including threatens and mitigates. Threat trees are used to map threats but don't use specialized language like threatens and mitigates. STRIDE is a mnemonic and model used in threat modeling, and DREAD is a risk assessment model.
11. C. The most important first step for a penetration test is getting permission. Once permission has been received, planning, data gathering, and then elements of the actual test like port scanning can commence.
12. A. Sqlmap is a dedicated database vulnerability scanner and is well suited for Kevin's purposes. Nmap is a network port scanner that would not provide relevant results. Nessus is a network vulnerability scanner and may detect issues with a database but would not be as effective as sqlmap. Sqlthrash does not exist.
13. C. A TCP scan that sets all or most of the possible TCP flags is called a Christmas tree, or Xmas, scan since it is said to "light up like a Christmas tree" with the flags. A SYN scan would attempt to open TCP connections, whereas an ACK scan sends packets with the ACK flag set. There is no such type of scan known as a TCP flag scan.
14. D. Nmap is a very popular open-source port scanner. Nmap is not a vulnerability scanner, nor is it a web application fuzzer. While port scanners can be used to partially map a network, and its name stands for Network Mapper, it is not a network design tool.
15. C. Vulnerability scanners cannot detect vulnerabilities for which they do not have a test, plug-in, or signature. Signatures often include version numbers, service fingerprints, or configuration data. They can detect local vulnerabilities as well as those that require authentication if they are provided with credentials, and of course, they can detect service vulnerabilities.
16. C. The Common Vulnerabilities and Exposures (CVE) dictionary provides a central repository of security vulnerabilities and issues. Patching information for applications and software versions is sometimes managed using central patch management tools, but a single central database is not available for free or public use. Costs versus effort is also not what CVE stands for.
17. A. Specifications are the documents associated with the system being audited. Specifications generally include policies, procedures, requirements, and designs.
18. D. Privilege escalation occurs during the attack phase of a penetration test. Host and service information gathering, as well as activities like dumpster diving that can provide information about the organization, its systems, and security, are all part of the discovery phase.
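The Christmas tree, SYN, and ACK scan answer above turns on which TCP flag bits a probe sets. The following added example (not from the book) reads the flag byte from a raw 20-byte TCP header and classifies the probe the way a detection rule would, using constructed sample headers as input; the flag bit values are the standard RFC 793 positions.

```python
import struct

# TCP flag bits in the low flag byte (header offset 13), RFC 793 plus ECE/CWR.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
XMAS_FLAGS = FIN | PSH | URG   # the classic "lit up" combination of an Xmas scan
ALL_FLAGS = 0xFF               # every bit set, the "all flags" variant

def tcp_flags(segment: bytes) -> int:
    """Return the 8-bit flag field of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    # Offset 12 holds data offset/reserved bits; offset 13 holds the flag byte.
    _data_offset, flags = struct.unpack_from("!BB", segment, 12)
    return flags

def classify_probe(flags: int) -> str:
    """Label a probe by its flag combination, as a detection rule would."""
    if flags == ALL_FLAGS or ((flags & XMAS_FLAGS) == XMAS_FLAGS and not (flags & (SYN | ACK))):
        return "xmas"          # all or most flags set, no SYN/ACK: Christmas tree scan
    if flags == SYN:
        return "syn"           # a normal connection attempt, or a SYN scan
    if flags == ACK:
        return "ack"           # bare ACK, typical of an ACK scan
    if flags == 0:
        return "null"          # no flags at all (NULL scan), shown for completeness
    return "other"             # SYN/ACK, data segments, FIN/ACK teardown, etc.

def build_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal 20-byte TCP header with the given flags (sample input only)."""
    data_offset = 5 << 4       # 5 x 32-bit words, no options
    # ports, seq, ack, data offset, flags, window, checksum (left zero), urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 1024, 0, 0)

def count_probes(segments) -> dict:
    """Tally probe types over a batch of raw TCP headers, e.g. from a capture."""
    counts: dict = {}
    for seg in segments:
        kind = classify_probe(tcp_flags(seg))
        counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    sample = [build_segment(SYN), build_segment(SYN), build_segment(FIN | PSH | URG),
              build_segment(ACK), build_segment(ALL_FLAGS), build_segment(SYN | ACK)]
    print(count_probes(sample))  # {'syn': 2, 'xmas': 2, 'ack': 1, 'other': 1}
```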