PrepAway - Latest Free Exam Questions & Answers

Which of the following is an application security technique that can be used to identify unknown weaknesses wi

An IT security technician is actively involved in identifying coding issues for her company.
Which of the following is an application security technique that can be used to identify unknown
weaknesses within the code?

A. Vulnerability scanning

B. Denial of service

C. Fuzzing

D. Port scanning

Explanation:
Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data as
inputs to a computer program. The program is then monitored for exceptions such as crashes, failed
validation, or memory leaks.
Incorrect Answers:
A: Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses. They
do not identify unknown weaknesses in code.
B: Denial of Service (DoS) attacks are web-based attacks that exploit flaws in the operating system,
applications, services, or protocols. These attacks can be mitigated by means of firewalls, routers, and
intrusion detection systems (IDSs) that detect DoS traffic, disabling echo replies on external systems,
disabling broadcast features on border systems, blocking spoofed packets on the network, and proper
patch management.
D: Port scanning is used by hackers to detect the presence of active services that are assigned to a
TCP/UDP port. This is a network-based attack rather than an attack that exploits coding weaknesses,
which are aspects of application development.

http://en.wikipedia.org/wiki/Fuzz_testing
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 218, 342
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 24, 170-172, 211, 229

