Which of the following is the BEST way to ensure security of the code following the incident?

After the departure of a developer under unpleasant circumstances, the company is concerned about the security of the software to which the developer has access. Which of the following is the BEST way to ensure security of the code following the incident?
A. Hire an external red team to conduct black box testing
B. Conduct a peer review and cross reference the SRTM
C. Perform white-box testing on all impacted finished products
D. Perform regression testing and search for suspicious code

5 thoughts on “Which of the following is the BEST way to ensure security of the code following the incident?”

  1. C.

    “White Box – In this type of testing, the tester is given a lot, if not all information about a system or application. This can include credentials, architecture documents, source code, and anything else that might be helpful for the tester. In this type of test, it can be thought of that the tester has been fully briefed on the target they are testing, and would likely even have insider knowledge at this point that most attackers wouldn’t have; even those that might be an insider threat or former employee. This type of testing can be useful when you really want the tester to be as diligent as possible for maximum coverage.”

  2. C. “concerned about the security of the software to which the developer has access” … “BEST way to ensure security of the code.”
    A. Hire an external red team to conduct black box testing (He is an insider. He knows the environment and code. So not a black box test)
    B. Conduct a peer review and cross reference the SRTM (To see if the code fulfilled requirements? No.)
    C. Perform white-box testing on all impacted finished products (Yes. He knows inside out about the environment and code. Definitely run white box test)
    D. Perform regression testing and search for suspicious code (No. It needs a pen test conducted.)

  3. B

    Peer review could be construed to mean have the entire team scrutinize the code, looking for back doors, logic bombs, etc. – while using the SRTM as a guide seems prudent.

    C. Administrators are testing the code based on their existing knowledge of it; a back door found this way would be like an Easter-egg hunt. White-box testing is done on a compiled, running program with knowledge of where pitfalls may be. I think peer review of the source code is more thorough.

    1. Definitely not A or B.

      I see why you would say D; I am thinking C.

      From the Official CASP Book, White Box Testing: “…The tester fully understands the function and design of the systems and networks before they carry out the test. The goal of this type of test is to simulate an inside attacker with high-level knowledge and understanding of the environment they are attacking.”

      White box testing would simulate the inside-attack perspective that the company is concerned about from the software developer. This also takes into account the assumption that he only has access to finished products that are available publicly, per answer C (“impacted finished products”).
