A company hires outside security experts to evaluate the security status of the corporate network. All of the company’s IT resources are outdated and prone to
crashing. The company requests that all testing be performed in a way which minimizes the risk of system failures. Which of the following types of testing does the
company want performed?
A.
Penetration testing
B.
WAF testing
C.
Vulnerability scanning
D.
White box testing
Explanation:
Vulnerability scanning has minimal impact on network resource due to the passive nature of the scanning.A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then
evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing
patches or security updates.
A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where
a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to
potential security breaches by threat agents, such as malicious hackers.
Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and
generating a report of the findings that an individual or an enterprise can use to tighten the network’s security.
Incorrect Answers:
A: Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could
exploit. Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the
target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.
The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization’s security policy compliance, its
employees’ security awareness and the organization’s ability to identify and respond to security incidents. Penetration is considered `active’ because you are
actively trying to circumvent the system’s security controls to gain access to the system as opposed to vulnerability scanning which is considered passive. A
passive scan would minimize the risk of system failures. Therefore, this answer is incorrect.
B: WAF Testing is the process of testing web application firewalls. This is a specific test; it does not test general network resources for security flaws. Therefore,
this answer is incorrect.
D: White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests
internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the system, as
well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs.
This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software
testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more
frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a systemlevel test. Though this method of
test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements. White-box testing
is used for testing applications. It is not used to identify security issues in a network. Therefore, this answer is incorrect.http://www.webopedia.com/TERM/V/vulnerability_scanning.html http://searchsoftwarequality.techtarget.com/definition/penetration-testing http://en.wikipedia.org/
wiki/White-box_testing