Your company is developing an E-Commerce web system. As a software tester, you would like to prepare test data to verify if the back-end API is vulnerable in terms of data integrity. Which of the following is the best tool?
A. zzuf
B. Nmap
C. Nessus
D. Metasploit

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. zzuf.

To prepare test data to verify if the back-end API implies the system under test (SUT) is a data-driven system that processes and handles various data in transit, at rest, and in use, and that’s why the data integrity matters. Semantic integrity is the most common issue related to the meaning of data to users; for example, it doesn’t make sense for the system to accept a value of birth date like 1912/02/31 or “Texas, US.” A fuzzer can generate random test data used in the so-called fuzz testing. zzuf is one of the most well-known fuzzers.

As a security manager or CISO, you don’t have to know the technical stuff inside out, but you have to be aware of the most commonly used security assessment tools or utilities.

• Nmap, the Network Mapper, is a must-know, free security scanner, which provides testers with flexible arguments or parameters to scan TCP/UDP ports or IPs.
• “Nessus is a proprietary vulnerability scanner developed by Tenable, Inc. (NASDAQ: TENB)” (Wikipedia)
• The Metasploit framework is a well-known tool for conducting penetration tests and developing and executing exploit code against a remote target machine. It is an open-source sub-project of the Metasploit Project, “a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7.” (Wikipedia)
  

Reference

• zzuf: transparent application input fuzzer
• zzuf – multiple purpose fuzzer
• Nmap
• Nessus
• Metasploit Project

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

貴公司正在開發一個電子商務Web系統。 作為軟件測試人員，您希望準備測試資料以驗證後端API是否在資料完整性方面易受攻擊。 以下哪項是最好的工具？
A. zzuf
B. Nmap
C. Nessus
D. Metasploit