
CISSP Question #1145: Real Exam Question with Answer & Explanation

The correct answer is B: Using automated programs to test for the latest known vulnerability patterns.

Submitted by jian89 · Mar 5, 2026 · Software Development Security

Question

Which of the following is the BEST method to validate secure coding techniques against injection and overflow attacks?

Options

  • A. Scheduled team review of coding style and techniques for vulnerability patterns
  • B. Using automated programs to test for the latest known vulnerability patterns
  • C. The regular use of production code routines from similar applications already in use
  • D. Ensure code editing tools are updated against known vulnerability patterns

Explanation

Validating secure coding techniques against injection and overflow attacks requires dynamic and thorough testing methods that can keep pace with evolving threats. Automated testing tools provide the most comprehensive and up-to-date coverage for identifying these vulnerability patterns.

Common mistakes.

  • A. Scheduled manual team reviews are inconsistent, subject to human error, and cannot scale to detect the full breadth of injection and overflow vulnerability patterns as effectively or thoroughly as automated tools.
  • C. Reusing production code routines from other applications introduces inherited vulnerabilities and does not validate or test for injection or overflow weaknesses - it can actually propagate existing flaws into new projects.
  • D. Updating code editing tools (such as IDEs with linting plugins) provides limited, surface-level hints about coding style but does not perform comprehensive security testing against the full range of known injection and overflow attack patterns.

Concept tested. Automated security testing for injection and overflow vulnerabilities

Reference. https://owasp.org/www-community/Vulnerability_Scanning_Tools

Topics

#secure coding #vulnerability testing #injection attacks #overflow attacks
