B. From the CISSP book
Dynamic Testing
Dynamic application security testing (DAST) evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code. One common example of dynamic software testing is the use of web application scanning tools to detect the presence of cross-site scripting, SQL injection, or other flaws in web applications. Dynamic tests on a production environment should always be carefully coordinated to avoid an unintended interruption of service.
Dynamic testing may include the use of synthetic transactions to verify system performance. These are scripted transactions with known expected results. The testers run the synthetic transactions against the tested code and then compare the output of the transactions to the expected state. Any deviations between the actual and expected results represent possible flaws in the code and must be further investigated.
B. This method focuses on testing the application during runtime to identify security vulnerabilities in the code. While useful for security testing, it is more suited to identifying issues in specific parts of the code rather than providing a comprehensive end-to-end test of operational and security requirements in production.
A. By executing these synthetic transactions, you can verify that the system meets both operational and security requirements without impacting actual users.
Datadog
Operational Testing: Datadog is a comprehensive monitoring platform that offers infrastructure monitoring, application performance monitoring (APM), and log management. It provides real-time insights into application performance, user experience, and system health.
Security Testing: Datadog has integrated security monitoring features that allow you to detect threats and vulnerabilities in real-time. It includes security monitoring for infrastructure, application security, and integrates with security tools for comprehensive visibility.
Best Use Case: Datadog is suitable for organizations that need a cloud-native solution for both performance monitoring and security insights, especially in environments with complex, dynamic infrastructure.
Dynatrace
Operational Testing: Dynatrace offers advanced application performance monitoring, including real-time analytics, automated root cause analysis, and synthetic monitoring.
Security Testing: Dynatrace has a built-in security module (Dynatrace Application Security) that provides runtime application security monitoring. It detects vulnerabilities in third-party libraries, monitors for suspicious behavior, and integrates security into DevSecOps workflows.
Best Use Case: Suitable for organizations that want a unified platform for both performance and security monitoring, particularly in dynamic environments like microservices and cloud-native applications.
Answer B) Dynamic code analysis
Dynamic testing analyzes software security in the runtime environment. With this testing, the tester should not have access to the application’s source code.
Dynamic testing often includes the use of synthetic transactions, which are scripted transactions that have a known result. These synthetic transactions are executed against the tested code, and the output is then compared to the expected output. Any discrepancies between the two should be investigated for possible source code flaws.
First, you do not run tests in production, but you can run vulnerability analysis in production. In a testing environment you can run SAST to test both operational and security
B. Dynamic code analysis, also known as dynamic application security testing (DAST), includes both security and operational aspects when testing an application or system. It involves analyzing a running application to identify security vulnerabilities and operational issues while simulating real-world usage.
Synthetic transaction analysis is primarily focused on performance and operational testing, simulating user transactions to assess system performance and availability, but it may not specifically address security vulnerabilities.
So, in the context of assessing both operational and security requirements, dynamic code analysis (DAST) is the best answer choice.
Synthetic is a subset of Dynamic. Synthetic is more performance (operational) where Dynamic includes both security and operational
upvoted 4 times
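The synthetic transactions discussed in the comments above, as an added example that is not part of any comment or of the quoted book: scripted requests with known expected results are run against a system and every deviation is reported. The toy WSGI app, the token, the paths and all names are constructed for illustration.

```python
import time
from dataclasses import dataclass, field

VALID_TOKEN = "synthetic-probe-token"  # constructed test credential

def make_app(enforce_auth=True):  # constructed stand-in for the tested system
    def app(environ, start_response):
        path = environ["PATH_INFO"]
        authed = environ.get("HTTP_AUTHORIZATION") == "Bearer " + VALID_TOKEN
        if path == "/health":
            status, body = "200 OK", b"ok"
        elif path == "/account" and (authed or not enforce_auth):
            status, body = "200 OK", b"balance=100"
        elif path == "/account":
            status, body = "401 Unauthorized", b"denied"
        else:
            status, body = "404 Not Found", b"not found"
        start_response(status, [("Content-Type", "text/plain")])
        return [body]
    return app

@dataclass
class Transaction:
    name: str
    path: str
    expect_status: int
    expect_body: bytes
    headers: dict = field(default_factory=dict)
    max_seconds: float = 0.5  # operational expectation: response-time budget

SCRIPT = [  # scripted transactions with known expected results
    Transaction("health check", "/health", 200, b"ok"),
    Transaction("account with token", "/account", 200, b"balance=100",
                {"HTTP_AUTHORIZATION": "Bearer " + VALID_TOKEN}),
    # Security expectation: a request without credentials must be refused.
    Transaction("account without token", "/account", 401, b"denied"),
]

def run_script(app, script=SCRIPT):  # returns {name: [deviations]}
    report = {}
    for txn in script:
        seen = {}
        environ = {"REQUEST_METHOD": "GET", "PATH_INFO": txn.path, **txn.headers}
        start = time.perf_counter()
        body = b"".join(app(environ, lambda s, h: seen.update(status=int(s[:3]))))
        elapsed = time.perf_counter() - start
        checks = [(seen["status"] == txn.expect_status, f"status {seen['status']}"),
                  (body == txn.expect_body, "unexpected body"),
                  (elapsed <= txn.max_seconds, "too slow")]
        if failed := [msg for ok, msg in checks if not ok]:
            report[txn.name] = failed
    return report
```

Calling `run_script(make_app(enforce_auth=False))` simulates a build where the authorization check has regressed; only the unauthenticated transaction deviates, which is the kind of discrepancy the comments say must be investigated.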