nerdexam
(ISC)2

CISSP · Question #1015

An application developer receives a report back from the security team showing their automated tools were able to successfully enter unexpected data into the organization's customer service portal, ca

The correct answer is D. Negative. Negative testing involves deliberately inputting invalid, unexpected, or malformed data to verify that an application handles errors gracefully and does not crash or behave insecurely.

Submitted by renata2k· Mar 5, 2026Security Assessment and Testing

Question

An application developer receives a report back from the security team showing their automated tools were able to successfully enter unexpected data into the organization's customer service portal, causing the site to crash. This is an example of which type of testing?

Options

  • ANon-functional
  • BPositive
  • CPerformance
  • DNegative

How the community answered

(57 responses)
  • A
    2% (1)
  • B
    12% (7)
  • C
    5% (3)
  • D
    81% (46)

Why each option

Negative testing involves deliberately inputting invalid, unexpected, or malformed data to verify that an application handles errors gracefully and does not crash or behave insecurely.

ANon-functional

Non-functional testing evaluates aspects like usability, reliability, and scalability rather than focusing on how the system handles invalid or unexpected input data.

BPositive

Positive testing verifies that the application behaves correctly when given valid, expected inputs - the opposite of what occurred here, where unexpected data was used to cause a crash.

CPerformance

Performance testing measures how a system behaves under load, stress, or specific workloads, not how it handles invalid or unexpected input data.

DNegativeCorrect

Negative testing is specifically designed to input data outside the expected parameters - such as unexpected or malicious inputs - to identify how an application responds to invalid conditions. The security team's automated tools sending unexpected data that caused the portal to crash is a classic example of negative testing, often associated with fuzzing or boundary/edge-case testing. This type of testing reveals vulnerabilities in input validation and error handling.

Concept tested: Negative testing with unexpected input validation

Source: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/README

Topics

#Software testing#Negative testing#Vulnerability assessment

Community Discussion

No community discussion yet for this question.

Full CISSP Practice