nerdexam
(ISC)2

CISSP · Question #884

As part of the security assessment plan, the security professional has been asked to use a negative testing strategy on a new website. Which of the following actions would be performed?

The correct answer is D. Enter only numbers in the web form and verify that the website prompts the user to enter a valid. Negative Testing Explained Why D is correct: Negative testing (also called "invalid input testing") involves deliberately entering unexpected, invalid, or incorrect data to verify that the system handles errors gracefully. Entering numbers into a form field that expects text (lik

Submitted by haru.x· Mar 5, 2026Security Assessment and Testing

Question

As part of the security assessment plan, the security professional has been asked to use a negative testing strategy on a new website. Which of the following actions would be performed?

Options

  • AUse a web scanner to scan for vulnerabilities within the website.
  • BPerform a code review to ensure that the database references are properly addressed.
  • CEstablish a secure connection to the web server to validate that only the approved ports are open.
  • DEnter only numbers in the web form and verify that the website prompts the user to enter a valid

How the community answered

(56 responses)
  • A
    13% (7)
  • B
    4% (2)
  • C
    7% (4)
  • D
    77% (43)

Explanation

Negative Testing Explained

Why D is correct: Negative testing (also called "invalid input testing") involves deliberately entering unexpected, invalid, or incorrect data to verify that the system handles errors gracefully. Entering numbers into a form field that expects text (like a name field) checks whether the application properly rejects bad input and prompts the user - this is the essence of negative testing.

Why the distractors are wrong:

  • A is incorrect because web scanning is a vulnerability assessment technique, not negative testing - it checks for known weaknesses, not invalid input handling.
  • B is incorrect because a code review is a static analysis technique focused on examining source code quality, not testing the application with invalid inputs.
  • C is incorrect because validating open ports is a network/configuration audit task, which tests what should be present (positive validation), not invalid scenarios.

Memory Tip

Think of negative testing as "being a bad user on purpose" - you're doing the opposite of what the system expects. If a form asks for a name, you enter numbers; if it asks for a date, you enter letters. The goal is to make sure the system fails safely. The word "negative" = invalid/wrong inputs, not hacking or vulnerabilities.

Topics

#Negative testing#Input validation#Web application security#Security testing methodologies

Community Discussion

No community discussion yet for this question.

Full CISSP Practice