Page 1104 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 1104

common software flaws, such as buffer overflows. In mature
               development environments, application developers are given access to

               static analysis tools and use them throughout the design, build, and
               test process.


               Dynamic Testing

               Dynamic testing evaluates the security of software in a runtime
               environment and is often the only option for organizations deploying
               applications written by someone else. In those cases, testers often do
               not have access to the underlying source code. One common example

               of dynamic software testing is the use of web application scanning
               tools to detect the presence of cross-site scripting, SQL injection, or
               other flaws in web applications. Dynamic tests on a production
               environment should always be carefully coordinated to avoid an
               unintended interruption of service.

               Dynamic testing may include the use of synthetic transactions to
               verify system performance. These are scripted transactions with

               known expected results. The testers run the synthetic transactions
               against the tested code and then compare the output of the
               transactions to the expected state. Any deviations between the actual
               and expected results represent possible flaws in the code and must be
               further investigated.


               Fuzz Testing

               Fuzz testing is a specialized dynamic testing technique that provides
               many different types of input to software to stress its limits and find

               previously undetected flaws. Fuzz testing software supplies invalid
               input to the software, either randomly generated or specially crafted to
               trigger known software vulnerabilities. The fuzz tester then monitors
               the performance of the application, watching for software crashes,
               buffer overflows, or other undesirable and/or unpredictable outcomes.

               There are two main categories of fuzz testing:

               Mutation (Dumb) Fuzzing Takes previous input values from actual
               operation of the software and manipulates (or mutates) it to create

               fuzzed input. It might alter the characters of the content, append
   1099   1100   1101   1102   1103   1104   1105   1106   1107   1108   1109