
CAS-002 · Question #117

CAS-002 Question #117: Real Exam Question with Answer & Explanation

The correct answer is C: White box testing performed by the development and security assurance teams.

Question

The Chief Information Security Officer (CISO) of a small bank wants to embed a monthly testing regimen into the security management plan specifically for the development area. The CISO's requirements are that testing must have a low risk of impacting system stability, can be scripted, and is very thorough. The development team claims that this will lead to a higher degree of test script maintenance and that it would be preferable if the testing was outsourced to a third party. The CISO still maintains that third-party testing would not be as thorough as the third party lacks the introspection of the development team. Which of the following will satisfy the CISO requirements?

Options

  • A. Grey box testing performed by a major external consulting firm who have signed an NDA.
  • B. Black box testing performed by a major external consulting firm who have signed an NDA.
  • C. White box testing performed by the development and security assurance teams.
  • D. Grey box testing performed by the development and security assurance teams.

Explanation

White box testing performed by the internal development and security assurance teams satisfies all CISO requirements: it is low-risk, fully scriptable, maximally thorough, and leverages the team's intrinsic knowledge of the codebase.

Common mistakes.

  • A. Grey box testing by an external consulting firm contradicts the CISO's explicit requirement for internal introspective testing and introduces the outsourcing the CISO rejected; it also provides only partial knowledge, limiting thoroughness.
  • B. Black box testing by an external firm provides no internal code knowledge and is outsourced, failing both the introspection requirement and the CISO's directive against third-party testing.
  • D. Grey box testing provides only partial knowledge of the system internals, making it inherently less thorough than white box testing and therefore insufficient to meet the CISO's maximum thoroughness requirement.

Concept tested. White box testing for internal security assurance

Reference. https://csrc.nist.gov/publications/detail/sp/800-115/final
