CISSP PRACTICE QUESTIONS – 20210126

Effective CISSP Questions

The software testing team is evaluating the assessment methods (basic, focused, or comprehensive) for misuse case testing in terms of depth and coverage. It finally decides to conduct comprehensive testing. According to the NIST SP 800-53A R4, which of the following is least likely to happen?
A. Review the user interface designs before testing
B. Select a sufficiently large sample of misuse cases
C. Ask developers to present the database schema
D. Use black-box testing to test as many abuse cases as possible

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Use black-box testing to test as many abuse cases as possible.

Black-box testing corresponds to basic testing in terms of depth, not comprehensive testing.

“The coverage attribute addresses the scope or breadth of the assessment.” (NIST SP 800-53A) The coverage of testing is about the scope of testing, for example, how many samples are tested. The granularity of software testing samples can be lines of code, functions, test cases, decision branches, etc.

“The depth attribute addresses the rigor and level of detail of the assessment.” (NIST SP 800-53A) The depth of testing is related to the degree of understanding of the system. A black box means the tester knows nothing about the system’s internals, while a white box means the tester understands the system’s internal operations.

Comprehensive testing means the tester understands the system’s internal operations (white box) and uses a sufficiently large sample. User interface designs and the database schema are about internal operations, i.e., the depth attribute of testing, while a sufficiently large sample is about the coverage attribute, so options A, B, and C are all likely to happen:

  • A. Review the user interface designs before testing
  • B. Select a sufficiently large sample of misuse cases
  • C. Ask developers to present the database schema

The following is an excerpt from NIST SP 800-53A:

The Depth of Testing

  • Basic testing
    • Test methodology (also known as black box testing) that assumes no knowledge of the internal structure and implementation detail of the assessment object.
    • This type of testing is conducted using a functional specification for mechanisms and a high-level process description for activities.
    • Basic testing provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors.
  • Focused testing
    • Test methodology (also known as gray box testing) that assumes some knowledge of the internal structure and implementation detail of the assessment object.
    • This type of testing is conducted using a functional specification and limited system architectural information (e.g., high-level design) for mechanisms and a high-level process description and high-level description of integration into the operational environment for activities.
    • Focused testing provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors and whether there are increased grounds for confidence that the controls are implemented correctly and operating as intended.
  • Comprehensive testing
    • Test methodology (also known as white box testing) that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object.
    • This type of testing is conducted using a functional specification, extensive system architectural information (e.g., high-level design, low-level design) and implementation representation (e.g., source code, schematics) for mechanisms and a high-level process description and detailed description of integration into the operational environment for activities.
    • Comprehensive testing provides a level of understanding of the security and privacy controls necessary for determining whether the controls are implemented and free of obvious errors and whether there are further increased grounds for confidence that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and that there is support for continuous improvement in the effectiveness of the controls.

The Coverage of Testing

  • Basic testing
    Testing that uses a representative sample of assessment objects (by type and number within type) to provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors.
  • Focused testing
    Testing that uses a representative sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective to provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors and whether there are increased grounds for confidence:
    • that the controls are implemented correctly and operating as intended.
  • Comprehensive testing
    Testing that uses a sufficiently large sample of assessment objects (by type and number within type) and other specific assessment objects deemed particularly important to achieving the assessment objective to provide a level of coverage necessary for determining whether the security and privacy controls are implemented and free of obvious errors and whether there are further increased grounds for confidence:
    • that the controls are implemented correctly and operating as intended on an ongoing and consistent basis, and
    • that there is support for continuous improvement in the effectiveness of the controls.

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

The software testing team is evaluating the assessment methods (basic, focused, or comprehensive) for misuse case testing in terms of depth and coverage. The team finally decides to conduct comprehensive testing. According to NIST SP 800-53A R4, which of the following is least likely to happen?
A. Review the user interface designs before testing
B. Select a sufficiently large sample of misuse cases
C. Ask developers to present the database schema
D. Use black-box testing to test as many misuse cases as possible
