Which of the following is the BEST way to verify this agreement?

A company’s application development has been outsourced to a third-party development team. Based on the SLA, the development team must follow industry best practices for secure coding.

Which of the following is the BEST way to verify this agreement?

A. Input validation

B. Security regression testing

C. Application fuzzing

D. User acceptance testing

E. Stress testing

Answer: B

Explanation:

Security regression testing is a type of testing that verifies that the security features and functionality of an application are not compromised or broken by any changes or updates in the code [2]. Security regression testing can help to ensure that the application follows industry best practices for secure coding and does not introduce any new vulnerabilities or weaknesses. It can be performed manually or automatically using tools or scripts that check for common security flaws and compliance with security standards. Security regression testing can also help to validate the error-handling capabilities of an application by testing how it responds to different types of inputs and scenarios.

Input validation (A) is a technique that checks whether the inputs to an application are valid and expected before processing them [3]. Input validation can help to prevent some types of security attacks, such as injection attacks or buffer overflows, but it is not a way to verify that an application follows industry best practices for secure coding. Input validation is part of secure coding, not a way to test it.

Application fuzzing (C) is a technique that tests an application by sending random or malformed inputs to it and observing its behavior [4]. Application fuzzing can help to discover some types of security vulnerabilities, such as memory leaks or crashes, but it is not a comprehensive way to verify that an application follows industry best practices for secure coding. Application fuzzing may not cover all possible inputs and scenarios and may not check for compliance with security standards.

User acceptance testing (D) is a technique that tests an application by involving end users or customers in evaluating its functionality and usability. User acceptance testing can help to ensure that an application meets the user requirements and expectations, but it is not a reliable way to verify that an application follows industry best practices for secure coding. User acceptance testing may not focus on security aspects and may not detect subtle or hidden security flaws.

Stress testing (E) is a technique that tests an application by subjecting it to high levels of load or demand. Stress testing can help to evaluate the performance and reliability of an application under extreme conditions, but it is not a relevant way to verify that an application follows industry best practices for secure coding. Stress testing does not check for security issues and may not reflect normal usage patterns.

References:

[2] https://www.techopedia.com/definition/31686/resource-exhaustion

[3] https://www.techopedia.com/definition/13493/penetration-testing

[4] https://www.techopedia.com/definition/25888/security-development-lifecycle-sdl

https://www.techopedia.com/definition/24771/technical-controls

https://www.techopedia.com/definition/32088/vm-escape
