CompTIA CAS-004: What Application Security Testing Methods Detect SQL Injection, XSS & Memory Leaks?

Learn about the application security testing methods DAST and Fuzz testing, which can detect SQL injection, XSS attacks, and memory leaks during the SDLC.

Question

A company’s software developers have indicated that the security team takes too long to perform application security tasks. A security analyst plans to improve the situation by implementing security into the SDLC. The developers have the following requirements:

  • The solution must be able to initiate SQL injection and reflected XSS attacks.
  • The solution must ensure the application is not susceptible to memory leaks.

Which of the following should be implemented to meet these requirements? (Choose two.)

A. Side-channel analysis
B. Protocol scanner
C. HTTP interceptor
D. DAST
E. Fuzz testing
F. SAST
G. SCAP

Answer

To meet the developers’ requirements, the security analyst should implement:

D. DAST (Dynamic Application Security Testing)
E. Fuzz testing

Explanation

DAST is performed on running applications. It can detect vulnerabilities like SQL injection and reflected XSS by actually attempting these attacks against the application and analyzing the responses. DAST tools interact with applications through their exposed interfaces, similar to an actual attacker.

Fuzz testing, or fuzzing, injects invalid, unexpected, or random data into an application to reveal coding errors and security vulnerabilities. It is effective at uncovering memory corruption bugs that could lead to memory leaks or buffer overflows. Fuzzing tools systematically modify or generate test inputs to trigger unexpected behavior.
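The following is an added example, not part of the original question or any vendor tool: a minimal mutation fuzzer that feeds modified inputs to a target and measures retained memory with `tracemalloc` to flag a leak. The `parse_record` target, its record format, and its leak on the error path are constructed for illustration.

```python
import random
import tracemalloc

_cache = []  # constructed bug: buffers left here on the error path are never released

def parse_record(data: bytes) -> int:
    """Constructed target: parses b'<len>:<payload>' and returns the payload length."""
    buf = bytearray(4096)                      # per-call working buffer
    _cache.append(buf)
    head, sep, payload = data.partition(b":")
    if not sep or not head.isdigit() or int(head) != len(payload):
        raise ValueError("malformed record")   # leak: buf stays referenced in _cache
    _cache.pop()                               # happy path releases the buffer
    return len(payload)

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Flip a bit, insert a byte or delete a byte, one to three times."""
    out = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "delete"))
        pos = rng.randrange(len(out))
        if op == "flip":
            out[pos] ^= 1 << rng.randrange(8)
        elif op == "insert":
            out.insert(pos, rng.randrange(256))
        elif op == "delete" and len(out) > 1:
            del out[pos]
    return bytes(out)

def fuzz_for_leaks(target, seed: bytes, iterations: int = 500, rng_seed: int = 1):
    """Run mutated inputs through target; return (rejected_count, bytes_grown)."""
    rng = random.Random(rng_seed)
    rejected = 0
    tracemalloc.start()
    before, _ = tracemalloc.get_traced_memory()
    for _ in range(iterations):
        try:
            target(mutate(seed, rng))
        except ValueError:
            rejected += 1                      # clean rejection, not a crash
    after, _ = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return rejected, after - before

if __name__ == "__main__":
    rejected, grown = fuzz_for_leaks(parse_record, b"5:hello")
    print(f"{rejected} inputs rejected, {grown} bytes still allocated afterwards")
```

Memory that grows in proportion to the number of rejected inputs points to a leak on the error-handling path, which valid test inputs alone would never exercise.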

The other options are not as directly relevant:

A. Side-channel analysis targets cryptographic implementations, not SQL injection, XSS, or memory leaks.
B. Protocol scanners analyze network protocols for vulnerabilities, not application-layer issues.
C. HTTP interceptors can be part of DAST but don’t provide the full testing capabilities on their own.
F. SAST (Static Application Security Testing) analyzes source code and is better suited for finding coding issues than runtime vulnerabilities.
G. SCAP (Security Content Automation Protocol) is for automating vulnerability management, not application testing.

In summary, DAST and fuzz testing together provide dynamic testing capabilities to detect SQL injection, XSS, memory leaks, and other runtime vulnerabilities as required by the developers. Integrating these into the SDLC allows vulnerabilities to be caught and remediated early.