Question
QUESTION 1
A majority of security defects and vulnerabilities in software are related to security functionality.
True
False
QUESTION 2
Security testing needs to make use of both white hat and black hat concepts and approaches.
True
False
QUESTION 3
It is easy to test whether a feature works or not.
True
False
QUESTION 4
It is easy to show whether or not a system is secure enough under malicious attack.
True
False
QUESTION 5
Passing a software penetration test provides very little assurance that an application is immune to attack.
True
False
QUESTION 6
Penetration testing is driven by an outside->in approach.
True
False
QUESTION 7
Consider the following scenario. A set of reformed hackers is hired to carry out a penetration test. The hackers discover a few problems in the software, usually relating to vulnerabilities in base technology such as an application framework or a basic misconfiguration problem. The hackers report their findings.
a. None of the parties involved know whether the most critical security risks have been uncovered.
b. The software will be secure after the problems discovered by the reformed hackers are fixed.
c. This scenario shows the security of the software has been properly tested.
d. There are likely still remaining security flaws in the software.
QUESTION 8
Which of the following are true?
a. Penetration testing is best suited to probing configuration problems and other environmental factors that deeply impact software security.
b. It is more effective if a penetration test is conducted with knowledge of risk analysis results.
c. Penetration testing results can be used to declare security victory.
d. Penetration testing is conducted on a system in its final production environment.
QUESTION 9
Which of the following are true?
a. Effective use of tools can relieve some of the work of a tester and thus drive down cost.
b. Tool output can be used as metrics to track progress over time in meeting a security goal.
c. Tools can be used as a replacement for review by a skilled security analyst.
d. Tools should be used in penetration testing.
QUESTION 10
To benefit most from penetration testing, what should the software developers do?
a. Use the penetration testing results to carry out a root-cause analysis of the identified vulnerabilities.
b. Declare the software as secure after fixing the issue found by the penetration testing tool.
c. Use penetration testing results to measure progress against a goal.
d. Devise mitigation strategies to address the identified vulnerabilities as well as similar vulnerabilities in the software.