Exam CS0-002
Question 177

A product security analyst has been assigned to evaluate and validate a new product's security capabilities. Part of the evaluation involves reviewing design changes at specific intervals for security deficiencies, recommending changes, and checking for changes at the next checkpoint. Which of the following BEST describes the activity being conducted?

    Correct Answer: D

    The described activity is about periodically reviewing design changes for security deficiencies, recommending changes, and checking for updates at subsequent intervals. This process focuses on ensuring that any modifications do not introduce new security vulnerabilities or issues. This is known as security regression testing, which aims to validate that recent changes do not negatively impact the security functionality of the product.

Discussion
2Fish (Option: D)

D. Man, this was kinda tough. I say D because security regression testing can be done during development and after production. Code review could be used here too, but would an analyst actually do a code review? This is typically done by developers.

2Fish

Dayum... now that I am looking at this again, it's possible it could be C as well. Code reviews contain the same type of activities described here. Ugh.

2Fish

Yeah, I reviewed Jason Dion's class, and C fits better according to his explanation. Code review is the closest option here.

hypertweeky

Dayum is right. My head is spinning. I hope I pass the exam! Have you taken it?

roman1000 (Option: C)

Why would you do a regression test while this is a new product? A regression test is only performed for an enhancement made to an existing program/application. Do a code review to check if the product has the necessary security features.

Dutch012

ks amk compTIA

uday1985

ks emk twice compTIA

j0n45 (Option: D)

Security Regression Testing: This is the process of checking that updates to code do not compromise existing security functionality or capability. Ultimately, regression testing is comparing working security fixes against the applications as a baseline. This ensures that if any new code updates are pushed that break this or reopen a previously closed vulnerability, it can be addressed in real time.

th3man (Option: C)

So torn with this question. Mainly because: Once the SDLC reached the development phase, code starts to be generated. That means that the ability to control the version of the software or component that your team is working on, combined with check-in/check-out functionality and revision histories, is a necessary and powerful tool when developing software. The question refers to a "new" product so I believe that is key. However, it also makes it seem that it is about the development of a product that could be in production. Regression testing focuses on testing to ensure that changes that have been made do not create new issues, and ensure that no new vulnerabilities, misconfigurations, or other issues have been introduced. Hmmm, I say C simply because of the "new product" in the question.

R00ted (Option: D)

Security Regression Testing: Regression testing focuses on testing to ensure that changes that have been made do not create new issues. From a security perspective, this often comes into play when patches are installed or when new updates are applied to a system or application. Security regression testing is performed to ensure that no new vulnerabilities, misconfigurations, or other issues have been introduced.

novolyus (Option: D)

Code review? So what if it is a new switch vendor, monitoring tool, or whatever else that is not related to software...?

kumax (Option: C)

ChatGPT: The activity being described, where a product security analyst reviews design changes at specific intervals, recommends changes, and checks for changes at subsequent checkpoints, is often referred to as "Security Design Review" or "Security Architecture Review." I would go for "Code review". Security Regression Testing is a testing process that focuses on identifying and mitigating security vulnerabilities introduced into a software application or system during the development and maintenance phases. It is a specialized form of regression testing that specifically targets security-related issues.

kmordalv

Correct. CompTIA is playing with us again. CompTIA uses words in the statement to confuse. The solution is in the statement. The answer is clearly C... https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf

kyky (Option: C)

D. Security regression testing. Security regression testing is a type of testing that focuses on identifying security vulnerabilities or weaknesses that may have been introduced or re-introduced into a system as a result of design changes, updates, or modifications. It aims to ensure that the security posture of the system has not regressed or deteriorated after changes have been made.

kyky

I'm voting for DDDDDDDDDDDDDDDDDDDDDDDD

heinzelrumpel

Full ack

josephconer1 (Option: C)

Definitely C after re-reading it a couple of times. Recommending changes is what sticks out to me. If it were regression testing, it would be testing to see if changes to the code caused features or functionality to degrade, specifically for this, security features. Code review seems to be the closest thing to what they're describing.

Ha89 (Option: D)

Keyword: Security analyst. Not a software developer. Code reviewing is out of the question. I'd go with D.

RobV (Option: D)

The activity being described is "Security regression testing." This involves reviewing design changes at specific intervals for security deficiencies, recommending changes, and checking for changes at subsequent checkpoints to ensure that new updates or modifications do not introduce security vulnerabilities or regressions in the security posture of the product. Therefore, the correct answer is: D. Security regression testing

skibby16 (Option: C)

A code review is a process that involves examining and evaluating the source code of a software application or system for security deficiencies, errors, bugs, or vulnerabilities. A code review can help improve the quality and security of the software product by identifying and fixing issues before they become operational problems. A code review is part of the evaluation and validation of a new product’s security capabilities. User acceptance testing, stress testing, or security regression testing are other types of testing that can be used to evaluate and validate a new product’s security capabilities, but they do not involve reviewing design changes at specific intervals for security deficiencies. Reference: https://www.synopsys.com/blogs/software-security/code-review/

Pavel019846457 (Option: D)

Security regression testing involves reviewing design changes at specific intervals to ensure that new changes do not introduce security vulnerabilities or deficiencies and verifying that security measures are still effective after each change.

kmordalv (Option: C)

The question refers to a "new" product, so I believe that is key. Regression testing focuses on testing to ensure that changes that have been made do not create new issues, and ensures that no new vulnerabilities, misconfigurations, or other issues have been introduced. A code review is part of the evaluation and validation of a new product's security capabilities. User acceptance testing, stress testing, or security regression testing are other types of testing that can be used to evaluate and validate a new product's security capabilities, but they do not involve reviewing design changes at specific intervals for security deficiencies.

Nouuv (Option: C)

"reviewing design changes at specific intervals" that is done via debugger, which is considered an automated code review.

KingDeeko (Option: D)

What is Regression Testing? Regression Testing is a type of testing that is done to verify that a code change in the software does not impact the existing functionality of the product. This is to ensure that the product works fine with new functionality, bug fixes or any changes to the existing feature. Previously executed test cases are re-executed in order to verify the impact of the change.