CSSLP Domain 5 – Secure Software Testin

Question 1

Question

Answer 1

Model Answer

Question 2

1. What is the main purpose of security testing in the SDLC?

Answer 2

To ensure that software functions as intended while preventing, detecting, and mitigating vulnerabilities.

Question 3

2. What is the difference between functional and non-functional testing?

Answer 3

Functional testing verifies software features; non-functional testing checks performance, scalability, and security attributes.

Question 4

3. What is the goal of white-box testing?

Answer 4

To test internal logic, structure, and code paths with full knowledge of the source code.

Question 5

4. What is the goal of black-box testing?

Answer 5

To test system behavior and outputs without any knowledge of internal code or structure.

Question 6

5. What is gray-box testing?

Answer 6

A hybrid approach where testers have partial knowledge of internal workings to simulate insider threats or limited-access attackers.

Question 7

6. What is regression testing?

Answer 7

Re-running functional and security tests after code changes to ensure no new vulnerabilities or bugs were introduced.

Question 8

7. What is fuzz testing?

Answer 8

An automated testing technique that sends large volumes of random or malformed input to detect vulnerabilities or crashes.

Question 9

8. What is fault injection testing?

Answer 9

Introducing deliberate faults or errors into a system to evaluate how well it handles failures and recovers securely.

Question 10

9. What is penetration testing?

Answer 10

A simulated attack designed to exploit vulnerabilities and assess the effectiveness of security controls.

Question 11

10. What are the main stages of a penetration test?

Answer 11

Reconnaissance, Scanning, Exploitation, and Reporting.

Question 12

11. What is the difference between scanning and penetration testing?

Answer 12

Scanning identifies potential vulnerabilities; penetration testing attempts to exploit them.

Question 13

12. What is a test harness?

Answer 13

A testing framework that defines test data, tools, and configurations used to evaluate software performance and security.

Question 14

13. What is the OSSTMM?

Answer 14

Open Source Security Testing Methodology Manual — a peer-reviewed framework for performing standardized security testing.

Question 15

14. What is SSE-CMM?

Answer 15

Systems Security Engineering Capability Maturity Model — used to assess and improve an organization’s security engineering processes.

Question 16

15. What are test data management best practices?

Answer 16

Avoid using production data, anonymize sensitive information, and protect test data with the same security controls as production data.

Question 17

16. Why is attack surface validation important?

Answer 17

It confirms that all exposed entry points are identified and protected according to design and threat models.

Question 18

17. What is crypto validation testing?

Answer 18

Verification that cryptographic modules and algorithms meet standards such as FIPS 140-3 for secure implementation.

Question 19

18. What is the purpose of simulation testing?

Answer 19

To recreate real-world environments and user conditions for evaluating security, performance, and reliability.

Question 20

19. How can security defects be prioritized?

Answer 20

By using risk scoring models like CVSS (Common Vulnerability Scoring System) that rank vulnerabilities by impact and exploitability.

Question 21

20. What is the difference between a defect, flaw, and vulnerability?

Answer 21

Defect: coding error; Flaw: design weakness; Vulnerability: exploitable condition due to a defect or flaw.

Question 22

21. What is continuous testing?

Answer 22

Automated integration of tests into CI/CD pipelines to detect issues early in the development process.

Question 23

22. What is a bug bar?

Answer 23

A predefined threshold for acceptable levels of security defects before release; defines when a build can pass or fail testing.

Question 24

23. Why is independent verification and validation (IV&V) important?

Answer 24

It ensures unbiased assessment of software security by a third party not involved in development.

Question 25

24. What are common challenges in security testing?

Answer 25

Incomplete threat models, lack of skilled testers, insufficient test coverage, and time/resource constraints.

Question 26

25. What are synthetic transactions?

Answer 26

Simulated user actions used to monitor system performance and detect issues in production-like environments.