Ann, the software security engineer, works for a major software vendor. Which of the following practices should be implemented to help prevent race conditions, buffer overflows, and other similar vulnerabilities prior to each production release?
A. Product baseline report
B. Input validation
C. Patch regression testing
D. Code review
Correct Answer: D
Section: Threats and Vulnerabilities
The problems listed in this question can be caused by problems with the application code. Reviewing the code will help to prevent the problems.
The purpose of code review is to look at all custom written code for holes that may exist. The review needs also to examine changes that the code—most likely in the form of a finished
application—may make: configuration files, libraries, and the like. During this examination, look for threats such as opportunities for injection to occur (SQL, LDAP, code, and so on),
cross-site request forgery, and authentication. Code review is often conducted as a part of gray box testing. Looking at source code can often be one of the easiest ways to find
weaknesses within the application. Simply reading the code is known as manual assessment, whereas using tools to scan the code is known as automated assessment.
A: A product baseline report is a report that compares the current state of the product to the original product specification. It is not used to prevent race conditions, buffer overflows,
and other similar vulnerabilities in an application.
B: Input validation can improve application performance by catching malformed input in the application that could cause problems with the output. For example, if a user is expected to
enter a number into a field in the application, input validation can be used to ensure that the input is numeric and not text. It can also be used to prevent attacks such as cross-site
scripting and SQL injection. It is not used to prevent race conditions, buffer overflows, and other similar vulnerabilities in an application.
C: Regression testing is a type of software testing that seeks to uncover new software bugs, or regressions, in existing functional and non-functional areas of a system after changes
such as enhancements, patches or configuration changes, have been made to them.
The intent of regression testing is to ensure that changes such as those mentioned above have not introduced new faults. One of the main reasons for regression testing is to
determine whether a change in one part of the software affects other parts of the software.
Application patches may be released after the original application has been released. However, a code review should be performed before the application is released in the first place.
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 345