ISTQB CT-STE Certification Practice Questions & Answers

Question 6 of 40

Which of the following is an example of a security test at a component test level?

Access control testing, which verifies that users can only access data and functionalities appropriate to their roles and permissions.

Verifying that a component correctly interacts with the database to handle potentially malicious input safely.

Verifying that a method correctly handles potentially malicious input by using parameterized queries to prevent SQL injection.

A penetration test that simulates real-world attacks to identify vulnerabilities in the system’s defenses.

Question 7 of 40

Why can test oracles, extracted from standards and best practices, benefit security testers?

Best practices may determine expected results, which can be used as evidence of the application being secure or insecure

Standards may describe the way the test oracles should be formally defined and implemented

Best practices are an effective way to specify security requirements for software development

Standards are established by a consensus of subject matter experts and approved by a recognized body

Question 8 of 40

Which of the following is a benefit of using security standards?

They are mandatory for other parties, such as contractors

They can support the clarification of terminology used

They allow code transparency which involves more people in vulnerability identification

They prohibit from operational blindness, even if not adopted timely

Question 9 of 40

MidSizeCorp Co. is a medium-sized company working on quantum computing solutions. It is structured along functional lines. Each department operates independently, with its specialized responsibilities. The company has a clear hierarchy, and communication predominantly follows a top-down approach from senior management to department heads, who then disseminate information to their teams.
The functional structure comprises five departments: Finance, Human Resources (HR), Marketing, Operations, and IT Administration. The Finance team uses an accounting software system that requires periodic updates and patches. IT Administration manages these updates but rarely communicates directly with Finance about their timeline or potential disruptions. Employees in the Marketing department are unaware of IT security policies.
Which of the following security tests BEST reflects the above-mentioned organizational context?

Testing the security implications of employees using personal devices to access corporate systems

A fake email appearing to come from the IT Administration asking employees to reset their passwords via a provided link

Conducting security tests specifically on DevOps CI/CD pipelines for automated deployment.

Testing the organization’s systems for cryptographic algorithms’ vulnerabilities to quantum computing attacks

Question 10 of 40

Why should security testing activities be planned considering the software development lifecycle?

To identify security risk mitigation actions

To better identify and assess security risks

To make security testing more effective

To determine security test design techniques