Testing
Objective Assessment Review
(Questions & Solutions)
2025
©2025
Question 1
A development team is tasked with simulating a real-world cyber attack
against a web application to evaluate its defense mechanisms. Which
approach best describes a “Red Team” exercise?
- A. Running automated vulnerability scans daily
- B. Conducting white‑box testing using source code analysis
- C. Orchestrating a covert, multi‑vector attack that includes social
engineering, exploit attempts, and lateral movements
- D. Executing a standard penetration test using off‑the‑shelf tools
ANS: C
Rationale: A Red Team exercise is an adversary simulation where
trained testers use multiple techniques (including social engineering and
covert exploits) to mimic a real attacker’s behavior, thereby providing a
realistic measure of the organization’s security posture.
---
Question 2
Which technique involves sending random, malformed, or unexpected
inputs to a software application to detect crashes, memory leaks, or
unhandled exceptions?
- A. Fuzz testing
- B. Unit testing
- C. Regression testing
- D. Stress testing
ANS: A
Rationale: Fuzz testing (or fuzzing) injects random or invalid input into
an application to trigger failures, uncovering security vulnerabilities such
as buffer overflows or input validation issues.
---
Question 3
Static analysis in the context of software security primarily aims to:
- A. Execute the application to monitor its behavior under load
- B. Review the code without running it to identify potential
vulnerabilities
- C. Analyze network traffic generated by the application
- D. Simulate user interactions to test business logic
ANS: B
Rationale: Static analysis examines source code (or compiled code)
without executing it to detect defects, insecure coding practices, and
potential vulnerabilities early in the development life cycle.
---
Question 4
To mitigate SQL injection vulnerabilities in a Java-based web application,
which secure coding practice should be most rigorously applied?
- A. Using dynamic query concatenation based on user input
- B. Implementing input validation only on the client side
- C. Utilizing prepared statements with parameterized queries
- D. Relying on exception handling to catch injection attempts
ANS: C
Rationale: Prepared statements with parameterized queries bind
variables and separate SQL logic from the data, thereby effectively
preventing SQL injection attacks.
---
Question 5
During a security test of a web application, the QA team uses an
interception proxy to manipulate HTTP/HTTPS traffic. Which tool is most
commonly associated with this practice?
- A. Selenium
- B. Burp Suite
- C. JMeter
- D. AppScan
ANS: B
Rationale: Burp Suite is widely used by security professionals to
intercept, modify, and analyze web traffic, making it a standard tool for
dynamic security testing and penetration testing.
---
Question 6
Which testing approach involves manually reviewing source code with
the goal of uncovering security flaws such as insecure APIs, improper
error handling, or lack of input sanitization?
- A. Automated regression testing
- B. Peer code review
- C. Dynamic analysis
- D. Load testing
ANS: B
Rationale: Peer code review is a manual process in which
knowledgeable developers scrutinize the source code to detect potential
security vulnerabilities and ensure compliance with secure coding
standards.
---
Question 7
A company adopts a methodology that incorporates security tests into
every phase of the development cycle—from code commit to production
deployment. This integrated approach is best described as:
- A. Ad hoc security testing
- B. DevSecOps