Effective CISSP Questions

Which of the following is not a software testing technique that emphasizes using unexpected, malformed, random data as program inputs to crash the program or make it behave unexpectedly?
A. Fuzz testing
B. Synthetic transaction
C. Random testing
D. Monkey testing

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Synthetic transaction.

Random testing is a black-box software testing technique where programs are tested by generating random, independent inputs. (Wikipedia)

  • Fuzz testing is a kind of random testing which provides invalid input to the tested program. (Wikipedia)
  • In software testing, monkey testing is a technique where the user tests the application or system by providing random inputs and checking the behavior, or seeing whether the application or system will crash. (Wikipedia)
  • Synthetic transactions can be automated to run on a periodic basis to ensure the application is still performing as expected in terms of testing or monitoring. (CISSP Study Guide Third Edition 2015)

Synthetic Transactions

Synthetic transactions, or synthetic monitoring, involves building scripts or tools that simulate activities normally performed in an application. The typical goal of using synthetic transactions/monitoring is to establish expected norms for the performance of these transactions.

These synthetic transactions can be automated to run on a periodic basis to ensure the application is still performing as expected. These types of transactions can also be useful for testing application updates prior to deployment to ensure the functionality and performance will not be negatively impacted. This type of testing or monitoring is most commonly associated with custom developed web applications.

Source: CISSP Study Guide Third Edition 2015

Fuzz Testing

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, e.g., in a file format or protocol and distinguishes valid from invalid input. An effective fuzzer generates semi-valid inputs that are “valid enough” in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program and are “invalid enough” to expose corner cases that have not been properly dealt with.

Source: Wikipedia



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

A. 模糊測試 (Fuzz testing)
B. 合成交易 (Synthetic transaction)
C. 隨機測試 (Random testing)
D. 猴子測試 (Monkey testing)


1 thought on “CISSP PRACTICE QUESTIONS – 20201126

  1. This is confusing. You said you’re suggested answer is B – synthetic testing. whereas fuzz testing sounds more accurate given the description. At no point does synthetic testic mention random data, invalid inputs. Where Fuzz testing does. The words used do not match up..

Leave a Reply