The question asks about the BEST moment for performing a pentest. There is no sense in performing a black-box pentest (and paying for it, of course) while the product is still in development.
100% sure it's C: a black-box pentest should be performed only when the first version of the product is ready.
A. When the organization wishes to check for non-functional compliance: While a black box security audit can help identify non-functional compliance issues, it's not the best time to conduct it. A black box audit is more effective when the software is complete and ready for testing.
According to procedure, C looks like the correct option. The thing is, this question's composer seems to have very poor language skills for clearly and fully describing the situation.
Answer should be B:
Conducting a black box security audit is particularly beneficial during the testing phase of a software development lifecycle or just before the software goes into production. This allows security professionals to simulate real-world attacks and identify potential vulnerabilities before the software is deployed in a live environment.
C is the best answer.
A black box security audit tests the externally visible behavior of a system without knowledge of its internal structure and implementation.
It is most useful when the final source code is complete, to check for unknown vulnerabilities before deployment.
A is the answer
Option A - When the organization wishes to check for non-functional compliance - is the best answer for when a black box security audit should be conducted on a new software product.
A black box audit analyzes an application from an external perspective with no knowledge of internal code or structure.
It focuses on functionality, usability, and other non-functional aspects.
B describes a vulnerability scan, not a black box audit.
C - black box audits do not require or use source code access.
D refers to incident response, not proactive software auditing.
The BEST description of when an organization should conduct a black box security audit on a new software product is option C: When the organization is confident the final source code is complete.
A black box security audit is a type of security assessment where the auditor has no prior knowledge of the internal workings of the software being tested. The audit is performed from an external perspective, simulating the approach of an attacker who does not have access to the source code or internal details of the software.
Conducting a black box security audit is typically done when the organization believes that the development of the software is complete or nearing completion. The organization should have confidence that the final source code is available, as the audit will focus on assessing the security of the software as a whole, without considering the internal details or implementation.
CISSP Official Study Guide, p. 969: "Black-Box Testing. Black-box testing examines the program from a user perspective by providing a wide variety of input scenarios and inspecting the output. Black-box testers do not have access to the internal code. Final acceptance testing that occurs prior to system delivery is a common example of black-box testing."
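The comments above describe black-box testing as driving the program through its external interface with a wide variety of inputs and inspecting the output, with no access to the code. The harness below is an added example, not from the thread or the study guide, showing what that looks like in practice: the system under test is handed to the harness as an opaque callable, the harness only sends inputs and reads responses, and it flags server errors and responses that widen under injection payloads. The `build_sut` handler, its SQLite table, the probe payloads and the finding heuristics are all constructed for this example; the unparameterised query in the default handler is deliberate so the black-box run has something to find, and the `hardened=True` variant shows the same harness used as a pre-deployment regression gate.

```python
"""Black-box security test harness (added example; all names and data constructed)."""
import re
import sqlite3
from typing import Callable, Dict, List, Tuple

def build_sut(hardened: bool = False) -> Callable[[str], str]:
    """Constructed system under test: a user-lookup handler backed by in-memory SQLite.

    The default build formats user input straight into SQL (deliberately
    vulnerable for this example). hardened=True uses a bound parameter instead.
    The harness never sees this code; it only calls the returned function.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])

    def handler(username: str) -> str:
        try:
            if hardened:
                rows = conn.execute("SELECT name FROM users WHERE name = ?", (username,)).fetchall()
            else:
                rows = conn.execute(f"SELECT name FROM users WHERE name = '{username}'").fetchall()
            return ("found: " + ",".join(r[0] for r in rows)) if rows else "no such user"
        except Exception as exc:  # a real service would turn this into a 500 page
            return f"HTTP 500: {type(exc).__name__}: {exc}"

    return handler

# Constructed probe set: one benign baseline plus hostile inputs a tester
# would try without knowing whether the backend is SQL, a file store or an API.
PROBES: Dict[str, str] = {
    "benign": "alice",
    "sqli_tautology": "' OR '1'='1",
    "sqli_syntax_error": "'",
    "path_traversal": "../../etc/passwd",
    "long_input": "A" * 10000,
    "format_string": "%s%s%n",
    "unicode_fullwidth": "\uff21\uff2c\uff29\uff23\uff25",
}

ERROR_SIGNS = re.compile(r"HTTP 5\d\d|Traceback|Error")

def black_box_findings(sut: Callable[[str], str],
                       probes: Dict[str, str] = PROBES) -> List[Tuple[str, str, str]]:
    """Drive the SUT through its public interface only and return (probe, finding, evidence).

    Two purely external heuristics are used:
      * the response looks like a server error or leaked exception text;
      * an injection payload returns more records than the benign baseline did.
    """
    baseline = sut(probes["benign"])
    findings: List[Tuple[str, str, str]] = []
    for name, payload in probes.items():
        if name == "benign":
            continue
        out = sut(payload)
        if ERROR_SIGNS.search(out):
            findings.append((name, "server error / exception text in response", out[:80]))
        elif name.startswith("sqli") and out.count(",") > baseline.count(","):
            findings.append((name, "response widened: data returned beyond the baseline", out[:80]))
    return findings

if __name__ == "__main__":
    for label, build in (("as shipped", lambda: build_sut()),
                         ("hardened", lambda: build_sut(hardened=True))):
        print(f"== {label} ==")
        for finding in black_box_findings(build()) or [("-", "no findings", "")]:
            print(*finding, sep=" | ")
```

Run against the default build, the harness reports the tautology payload (the response widens from one name to two) and the lone quote (the backend's error text leaks into the response); against the hardened build it reports nothing. That is the sense in which the thread ties black-box testing to a complete build: the harness needs a deployable artefact with a stable external interface to drive, and it is then reusable as a release gate.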
Answer: B
When the organization wants to enumerate known security vulnerabilities across their infrastructure. This type of security audit involves assessing the existing security measures of a system, such as firewalls, antivirus, and access control, to identify any potential vulnerabilities or weaknesses. The organization should conduct a black box security audit on a new software product when they want to identify known security vulnerabilities and assess the current security measures to identify any potential weaknesses. Resources include OWASP's guide to Security Auditing, SANS Institute's guide to Security Auditing, and NIST's guide to Security Auditing.
C
Black box security audit = Pentest (conducted by independent 3rd party)
For a NEW product, usually done after all functionality is coded and complete to investigate security flaws in the product.
Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings. This method of test can be applied virtually to every level of software testing: unit, integration, system and acceptance.
You may be mixing up black box testing with a penetration test type (black box) which simulates a situation where the attacker doesn't know anything about the infrastructure or code being tested.
This type of test aims to simulate the real-world scenario of external attackers targeting and attempting to compromise your systems. Black Box testing has the benefit of perfectly simulating a motivated external attacker that has zero-knowledge of your operations and IT infrastructure.
The word 'audit' implies compliance and the word 'software' indicates 'software testing.' But 'security audit' is synonymous with pen testing:
https://www.vaadata.com/blog/black-grey-white-box-penetration-test-3-options/
https://www.securitybrigade.com/research/types-of-security-audits/
B is the answer.