Software Testing Domain: Exam Questions and Correct Answers
Black-box Testing - CORRECT ANSWER - A test methodology that assumes no knowledge of the internal structure and implementation detail of the assessment object. Reference: csrc.nist.gov/glossary. May also be referred to as zero-knowledge testing and is best suited for uncovering certain types of vulnerabilities in software.
Functional Testing - CORRECT ANSWER - Type of software testing that remains focused on validating the functional behavior of the software, and the assurance that the software meets its functional specifications and requirements.
Fuzz Testing (Software) - CORRECT ANSWER - Type of testing that is best suited for uncovering certain types of memory-related issues/vulnerabilities that may be present in software (e.g., memory leaks, buffer overflows) by subjecting the entry points of the software to invalid or random input types, ranges, and input lengths. It is normally conducted using automated testing tools and techniques.
Nonfunctional Testing - CORRECT ANSWER - Type of software testing that remains focused on validating the nonfunctional aspects of the software, including its performance, usability, scalability, recoverability, and security.
Penetration Testing (Software) - CORRECT ANSWER - Type of security testing that is conducted from the perspective of the attackers and targets the application while it is running in its production or production-like environment. Penetration testing represents an intrusive testing method that can potentially cause harm. Pen testing is generally conducted using automated and manual testing techniques. Addressing rules of engagement is the first step in every penetration test activity. Penetration tests follow a specific methodology.