Ann, the software security engineer, works for a major software vendor. Which of the following practices should be implemented to help prevent race conditions,
buffer overflows, and other similar vulnerabilities prior to each production release?
A.
Product baseline report
B.
Input validation
C.
Patch regression testing
D.
Code review
Explanation:
The problems listed in this question can be caused by problems with the application code.
Reviewing the code will help to prevent the problems.
The purpose of code review is to look at all custom written code for holes that may exist. The review needs also to examine changes that the code–most likely in
the form of a finished application–may make: configuration files, libraries, and the like. During this examination, look for threats such as opportunities for injection tooccur (SQL, LDAP, code, and so on), cross-site request forgery, and authentication. Code review is often conducted as a part of gray box testing. Looking at
source code can often be one of the easiest ways to find weaknesses within the application. Simply reading the code is known as manual assessment, whereas
using tools to scan the code is known as automated assessment.
Incorrect Answers:
A: A product baseline report is a report that compares the current state of the product to the original product specification. It is not used to prevent race conditions,
buffer overflows, and other similar vulnerabilities in an application. Therefore, this answer is incorrect.
B: Input validation can improve application performance by catching malformed input in the application that could cause problems with the output. For example, if a
user is expected to enter a number into a field in the application, input validation can be used to ensure that the input is numeric and not text. It can also be used to
prevent attacks such as cross-site scripting and SQL injection. It is not used to prevent race conditions, buffer overflows, and other similar vulnerabilities in an
application. Therefore, this answer is incorrect.
C: Regression testing is a type of software testing that seeks to uncover new software bugs, or regressions, in existing functional and non-functional areas of a
system after changes such as enhancements, patches or configuration changes, have been made to them. The intent of regression testing is to ensure that
changes such as those mentioned above have not introduced new faults. One of the main reasons for regression testing is to determine whether a change in one
part of the software affects other parts of the software. Application patches may be released after the original application has been released. However, a code
review should be performed before the application is released in the first place. Therefore, this answer is incorrect.Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 345
http://en.wikipedia.org/wiki/Regression_testing