Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The e-commerce system that supports the new business will be developed in-house. The system shall support an app on the iOS platform. The development team is complaining about repeated rejections when uploading the app to the App Store operated by Apple because of security issues. Which of the following is most likely employed to test the apps uploaded to the App Store?
A. Static Application Security Testing
B. Dynamic Application Security Testing
C. Code Review
D. V-Model Testing

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Static Application Security Testing.

This question is designed to clarify the misconception that Static Application Security Testing (SAST) applies to source code only. In fact, SAST applies to source code, byte code, and binaries (Gartner). A compiled app submitted to the App Store can therefore still be analyzed statically, without running it.
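As an added illustration (this is not code from the original post, and it is not Apple's actual review tooling), here is a small Python static scanner that works on a compiled app's artifacts without executing them: it pulls symbol-style strings out of a binary blob to flag unsafe libc calls and hard-coded cleartext URLs, and it parses the Info.plist for App Transport Security (ATS) exemptions. The binary blob, the plist, and the banned-function list are constructed sample data chosen to exercise each check.

```python
import plistlib
import re

# Constructed sample inputs (not real App Store artifacts): a fake Mach-O-like
# blob whose only realistic content is a run of symbol-table-style strings,
# and a minimal Info.plist that switches ATS off for every host.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12            # Mach-O 64-bit magic + padding
    + b"_main\x00_strcpy\x00_gets\x00_NSLog\x00_snprintf\x00"
    + b"http://api.example.com/v1\x00"            # hard-coded cleartext endpoint
    + b"\x00" * 8
)

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.toyshop</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# Illustrative deny-list of libc functions that have no bounds checking.
BANNED_FUNCTIONS = {"gets", "strcpy", "strcat", "sprintf", "vsprintf"}


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Pull printable-ASCII runs out of a binary, the way the `strings` tool does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_banned_calls(blob: bytes) -> set:
    """Report banned libc functions referenced by the binary's symbol strings.

    Mach-O C symbols carry a leading underscore, so one is stripped before matching.
    """
    found = set()
    for s in extract_strings(blob):
        name = s[1:] if s.startswith("_") else s
        if name in BANNED_FUNCTIONS:
            found.add(name)
    return found


def find_cleartext_urls(blob: bytes) -> list:
    """Find hard-coded http:// URLs, which ATS blocks unless an exemption exists."""
    return [s for s in extract_strings(blob) if s.startswith("http://")]


def check_ats(plist_bytes: bytes) -> list:
    """Flag Info.plist settings that weaken App Transport Security."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS disabled for all hosts")
    for host, opts in ats.get("NSExceptionDomains", {}).items():
        if opts.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"insecure HTTP loads allowed for {host}")
    return findings


def static_scan(blob: bytes, plist_bytes: bytes) -> dict:
    """Run every check in a non-running state: the SAST 'inside out' view."""
    return {
        "banned_functions": sorted(find_banned_calls(blob)),
        "cleartext_urls": find_cleartext_urls(blob),
        "ats_findings": check_ats(plist_bytes),
    }


if __name__ == "__main__":
    for key, value in static_scan(SAMPLE_BINARY, SAMPLE_PLIST).items():
        print(f"{key}: {value}")
```

Nothing here executes the app, so the scan can run on the uploaded binary alone; a DAST tool, by contrast, would have to launch the app and exercise the network endpoint to observe the cleartext traffic.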

Typically, SAST is conducted before Dynamic Application Security Testing (DAST); this is a common practice rather than a rule. If an uploaded app cannot pass SAST, there is no need to conduct DAST on it.

I have no exact idea of how Apple conducts the App Review process, but I believe Apple applies both SAST and DAST to apps, and I assume SAST is performed first because SAST can be highly automated.

My assumption is supported by the following source:

Static Application Security Testing (SAST)

Static application security testing (SAST) is a set of technologies designed to analyze application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the “inside out” in a nonrunning state.

Source: Gartner Glossary
