CISSP · Question #1041
A company hired an external vendor to perform a penetration test ofa new payroll system. The company's internal test team had already performed an in-depth application and security test of the system
The correct answer is A. Failure to perform interface testing. The external vendor discovered that sensitive data was transmitted unencrypted between the payroll system and tax processing systems, indicating the integration points between systems were not properly tested.
Question
A company hired an external vendor to perform a penetration test ofa new payroll system. The company's internal test team had already performed an in-depth application and security test of the system and determined that it met security requirements. However, the external vendor uncovered significant security weaknesses where sensitive personal data was being sent unencrypted to the tax processing systems. What is the MOST likely cause of the security issues?
Options
- AFailure to perform interface testing
- BFailure to perform negative testing
- CInadequate performance testing
- DInadequate application level testing
How the community answered
(17 responses)- A65% (11)
- B12% (2)
- C6% (1)
- D18% (3)
Why each option
The external vendor discovered that sensitive data was transmitted unencrypted between the payroll system and tax processing systems, indicating the integration points between systems were not properly tested.
Interface testing specifically validates the communication channels, data formats, encryption, and security controls between interconnected systems. The internal team tested the payroll application in isolation but failed to test the interfaces and data flows to external systems like tax processors, which is why unencrypted transmissions between systems went undetected until the penetration test.
Negative testing involves sending invalid, unexpected, or malformed inputs to verify a system handles errors correctly, which addresses input validation vulnerabilities rather than unencrypted data transmission between integrated systems.
Performance testing evaluates system behavior under load conditions such as throughput and response time, and has no bearing on whether data is encrypted during transmission to external systems.
Application-level testing was explicitly stated to have been performed adequately by the internal team, and the vulnerability was at the integration/transmission layer between systems rather than within the application itself.
Concept tested: Interface testing between integrated systems and data security
Source: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/interface-testing-in-systems-development
Topics
Community Discussion
No community discussion yet for this question.