18.01 Security Testing Fundamentals - Quiz
Section 18.1 Quiz: Security Testing Fundamentals
Test your understanding of security testing fundamentals, methodologies, and best practices.
Time Limit: 25 minutes
Total Marks: 15 marks
Question Types: Multiple choice
- What is the primary difference between security testing and functional testing?
    - Security testing only focuses on performance
    - { data-correct } Security testing focuses on identifying vulnerabilities and weaknesses that could be exploited
    - Security testing is only done after deployment
    - Security testing doesn’t require test cases
- Which type of security testing involves testing without any knowledge of the system’s internal structure?
    - White box testing
    - { data-correct } Black box testing
    - Gray box testing
    - Unit testing
- What is penetration testing primarily designed to accomplish?
    - Test system performance under load
    - { data-correct } Simulate real-world attacks to identify exploitable vulnerabilities
    - Verify functional requirements
    - Test user interface design
- Which security testing approach provides the most comprehensive coverage?
    - Black box testing only
    - White box testing only
    - { data-correct } Combination of black box, white box, and gray box testing
    - Automated testing only
- What is the purpose of vulnerability scanning in security testing?
    - To improve system performance
    - To test user acceptance
    - { data-correct } To automatically identify known security vulnerabilities and misconfigurations
    - To optimize database queries
- Which principle should guide the timing of security testing in the development lifecycle?
    - Only test after complete development
    - Only test during deployment
    - { data-correct } Integrate security testing throughout the entire development lifecycle
    - Only test when security incidents occur
- What is static application security testing (SAST) primarily used for?
    - Testing runtime behavior
    - { data-correct } Analyzing source code for security vulnerabilities without executing the program
    - Load testing applications
    - User interface testing
- Which type of testing is dynamic application security testing (DAST)?
    - Source code analysis
    - { data-correct } Testing running applications by simulating attacks from the outside
    - Database schema validation
    - API documentation review
- What is the main advantage of automated security testing tools?
    - They replace the need for security expertise
    - { data-correct } They can quickly scan for known vulnerabilities and provide consistent testing
    - They can test everything without human oversight
    - They are always more accurate than manual testing
- Which factor is most critical when prioritizing security test cases?
    - Development team preferences
    - Testing tool availability
    - { data-correct } Risk assessment based on potential impact and likelihood of exploitation
    - Alphabetical order of features
- Which of the following vulnerability types would DAST be MOST effective at detecting?
    - Hardcoded passwords in source code
    - { data-correct } SQL injection in a running web application
    - Unused import statements
    - Code complexity issues
- What should be the PRIMARY focus when reviewing authentication code during manual security review?
    - Code formatting and style
    - Performance optimization
    - { data-correct } Password hashing algorithms and session management
    - Variable naming conventions
- Which OWASP Top 10 category would include SQL injection vulnerabilities?
    - A01: Broken Access Control
    - A02: Cryptographic Failures
    - { data-correct } A03: Injection
    - A04: Insecure Design
- In a security testing pipeline, when should SAST tools typically be run?
    - Only in production environments
    - { data-correct } During code commit and build processes
    - After manual penetration testing
    - Only when security incidents occur
- What type of security testing would be MOST effective for finding Cross-Site Scripting (XSS) vulnerabilities?
    - Static code analysis only
    - { data-correct } Dynamic testing with payload injection
    - Dependency vulnerability scanning
    - Code coverage analysis