Software developers might embed maintenance hooks or even trap doors for timely or emergent responses to support requests. Your organization’s security policy doesn’t allow their existence. Which of the following is the best testing method to detect them?
A. Static testing
B. Passive testing
C. Black box testing
D. Integration testing

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Static testing.

• Static testing is a type of testing where the software under test (SUT), as source code or binary code, is not loaded into the memory for execution. Static binary code scanners, source code security analyzers, manual source code analysis (e.g., code review), etc., are common tools for static testing. Maintenance hooks and trap doors can be identified through static testing.
• Passive testing refers to the testing where the tester doesn’t interact with the SUT directly.
• Black box testing means the tester knows nothing about the SUT.
• Integration testing emphasizes combining individual units or modules as the SUT.

Reference

• Testing
• Test harness
• Test automation
• Integration testing
• Difference between Active Testing and Passive Testing

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

• It is available on Amazon.
• Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.

軟體開發人員可能會嵌入維護掛鉤(maintenance hook)，甚或陷阱門(trap door)，以便及時或緊急回應技術支援請求。 您組織的安全政策不允許它們存在. 以下哪項是檢測他們最佳測試方法？
A. 靜態測試 (Static testing)
B. 被動測試 (Passive testing)
C. 黑箱測試 (Black box testing)
D. 整合測試 (Integration testing)