PT0-001 Exam - Question 58


A penetration tester is performing a code review. Which of the following testing techniques is being performed?

Correct Answer: C

Static analysis is a testing technique where the source code of an application is examined without actually executing the program. This technique is typically used in environments where the source code is available, such as during code reviews. Dynamic analysis, on the other hand, involves executing the application to find runtime or dynamic vulnerabilities. Fuzzing analysis is a type of dynamic testing that involves providing invalid, unexpected, or random data to the inputs of a program to find security vulnerabilities and bugs. Run-time analysis also involves examining the behavior of the application during its execution. Therefore, when a penetration tester is performing a code review, the technique being used is static analysis.

Discussion

5 comments
mr_robot Option: C
Apr 9, 2020

C. - Static code analysis is conducted by analyzing an application’s source code. Obviously, this type of testing is usually performed only during a white box penetration test. Static code analysis does not involve actually running the program. Instead, it is focused on analyzing how the application is written. Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

x0hmei
Jun 12, 2021

I'm gonna have to say B since they are saying it's a PenTester and not a software dev, so that would make it a blackbox review. See https://owasp.org/www-community/Fuzzing

kamaluchi
Jul 9, 2021

Static analysis reviews the code. Fuzzing is a type of dynamic analysis.

smalltech Option: C
Jun 26, 2021

C. https://owasp.org/www-community/controls/Static_Code_Analysis Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

x0hmei
Jun 28, 2021

Yes, that is correct if they have the source, but they are saying a pentester, who usually does not have the source unless it's a whitebox, but it doesn't say so??

smalltech
Jun 26, 2021

https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf

dustercan Option: C
Sep 14, 2021

I think the key words in the question are "code review". In my experience, doing a code review is pretty tough without the code. Since static review is the only available option on actual source code, the answer has to be C. If the question had said "application review" in some way instead of "code review" then this goes a different direction.

miabe Option: C
Jul 6, 2022

Looks good to me.