CompTIA Security Plus Mock Test Q731

An IT security technician is actively involved in identifying coding issues for her company. Which of the following is an application security technique that can be used to identify unknown weaknesses within the code?

A. Vulnerability scanning
B. Denial of service
C. Fuzzing
D. Port scanning


Correct Answer: C
Section: Application, Data and Host Security

Explanation:
Fuzzing is a software testing technique that involves providing invalid, unexpected, or random data to as inputs to a computer program. The program is then monitored for exceptions
such as crashes, or failed validation, or memory leaks.

Incorrect Answers:
A: Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses. It does not identify unknown weaknesses in code.
B: Denial of Service (DoS) attacks web-based attacks that exploit flaws in the operating system, applications, services, or protocols. These attacks can be mitigated by means of
firewalls, routers, and intrusion detection systems (IDSs) that detect DoS traffic, disabling echo replies on external systems, disabling broadcast features on border systems, blocking
spoofed packets on the network, and proper patch management.
D: Port scanning is used by hackers to detect the presence of active services that are assigned to a TCP/UDP port. This is a network-based attack rather than an attack that exploits
coding weaknesses, which are aspects of application development.

References:
http://en.wikipedia.org/wiki/Fuzz_testing
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 218, 342
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 24, 170-172, 211, 229