Exam CISSP topic 1 question 129 discussion

Actual exam question from ISC's CISSP
Question #: 129
Topic #: 1

A company hired an external vendor to perform a penetration test of a new payroll system. The company's internal test team had already performed an in-depth application and security test of the system and determined that it met security requirements. However, the external vendor uncovered significant security weaknesses where sensitive personal data was being sent unencrypted to the tax processing systems. What is the MOST likely cause of the security issues?

  • A. Inadequate performance testing
  • B. Inadequate application level testing
  • C. Failure to perform negative testing
  • D. Failure to perform interface testing
Suggested Answer: D

Comments

stickerbush1970
Highly Voted 2 years, 2 months ago
Selected Answer: D
agree with D
upvoted 6 times
jackdryan
1 year, 6 months ago
D is correct
upvoted 1 times
mrgod
Highly Voted 2 years, 2 months ago
Selected Answer: D
fail on interface testing
upvoted 5 times
1460168
Most Recent 3 months, 3 weeks ago
Selected Answer: B
I think it is B: Because we use the API from the tax processing system, it is literally out of scope. An external and internal IT security researcher cannot, should not and must not test such an API. But B is something that we can really influence significantly.
upvoted 1 times
8e1c45b
4 months ago
Selected Answer: D
agree with D
upvoted 1 times
GuardianAngel
9 months, 2 weeks ago
PART II - Looking at the question again, one could assume that application level encryption isn't part of the application testing and would rely on the interface to provide encryption - these questions are so vague. Application-level encryption addresses several main goals: 1)Trust your infrastructure less. Application-level encryption provides data protection on all underlying layers, including all layers of storage and sometimes transit. Defense-in-depth. 2) Add another layer of security if other data-related controls like underlying (disk, transit) encryption 3) The longer sensitive data stays encrypted in its lifecycle, the closer application-level encryption gets to end-to-end encryption and zero trust architecture. The shorter data stays encrypted, the closer it gets to single point-to-point transport encryption or encryption at rest. https://www.infoq.com/articles/ale-software-architects/
upvoted 1 times
GuardianAngel
9 months, 2 weeks ago
ANSWER: B. Inadequate application level testing. They try to trick you by distracting you with the other system involved, but the key to answering this question is "being sent UNENCRYPTED". Interface testing would be getting the data from point A to point B (think data leaks), but the application would be responsible for encrypting the data before the data is sent to the interface. Application level testing focuses on evaluating the security measures implemented within the application itself, such as data encryption, access controls, and authentication mechanisms.
upvoted 2 times
gjimenezf
10 months, 2 weeks ago
Selected Answer: D
https://firewize.com.au/definition/system-interface-test
upvoted 1 times
YesPlease
11 months, 2 weeks ago
Selected Answer: D
Answer D) Failure to perform Interface Test. System Interface Test ("SIT"): a system or systems interface test (also known as a system integration test) is an end-to-end functional test of the connection between two or more systems to verify their connection and operation.
upvoted 2 times
Soleandheel
11 months, 3 weeks ago
This is what ChatGPT says about it, and I agree with ChatGPT on this one: D. Failure to perform interface testing. In this scenario, it appears that the internal test team focused on the application and security testing of the new payroll system but failed to adequately test the interfaces between the payroll system and the tax processing systems. As a result, they missed the security weakness where sensitive personal data was being sent unencrypted to the tax processing systems. Interface testing is essential to ensure that data flows securely between different systems and components, and it's a common area where vulnerabilities can be overlooked if not properly tested.
upvoted 2 times
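A concrete form of the interface check the comment above describes, added here as an illustration (it is not part of the exam question or of any comment in the thread): the test looks at what actually leaves the payroll host on its outbound connection to the tax-processing system and reports whether the hop is TLS-protected and, if it is cleartext, whether any sensitive fields are visible on the wire. The byte captures, the `tax.example.internal` host, the JSON field names and the US-style SSN pattern are all constructed assumptions; in practice the input would be a tcpdump/pcap slice of the real interface.

```python
"""Interface test: is the payroll -> tax-processing hop leaking PII in the clear?

Added example, not from the exam page. All captures below are constructed
stand-ins for what an outbound socket capture on the payroll host would show.
"""
import re

# Fields that must never be readable on this interface. The SSN pattern is
# US-style and the JSON key names are an assumption about the payload format.
PII_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "pay_amount": re.compile(rb'"(?:salary|gross_pay|net_pay)"\s*:\s*\d'),
}


def looks_like_tls(stream: bytes) -> bool:
    """A TLS record begins with content type 0x16 (handshake) and a 0x03 0x0X version."""
    return (
        len(stream) >= 3
        and stream[0] == 0x16
        and stream[1] == 0x03
        and stream[2] <= 0x04
    )


def find_cleartext_pii(stream: bytes) -> dict:
    """Return every sensitive pattern found in a cleartext byte stream."""
    return {
        name: [m.decode("ascii", "replace") for m in pat.findall(stream)]
        for name, pat in PII_PATTERNS.items()
        if pat.search(stream)
    }


def assess_interface(stream: bytes, require_tls: bool = True) -> dict:
    """Classify one captured outbound stream on the payroll -> tax interface.

    require_tls=True is the transport-level (interface) requirement: the hop
    must be TLS regardless of payload. require_tls=False accepts cleartext
    transport as long as no sensitive field is readable, i.e. the application
    encrypted the fields itself before handing them to the interface.
    """
    tls = looks_like_tls(stream)
    # Ciphertext is not scanned: pattern hits inside TLS records would be noise.
    pii = {} if tls else find_cleartext_pii(stream)
    passed = tls if require_tls else (tls or not pii)
    return {
        "transport": "tls" if tls else "cleartext",
        "cleartext_pii": pii,
        "pass": passed,
    }


# --- constructed captures (not real traffic) ---------------------------------

# What the vendor found: a plain HTTP POST carrying the employee record.
CLEARTEXT_POST = (
    b"POST /tax/submit HTTP/1.1\r\n"
    b"Host: tax.example.internal\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"employee_id": 1042, "ssn": "123-45-6789", "gross_pay": 5250.00}'
)

# First bytes of a TLS ClientHello record header (type 0x16, version 0x0301).
TLS_CLIENT_HELLO = bytes.fromhex("16 03 01 00 05 01 00 00 01 00")

# Cleartext HTTP, but the application encrypted the sensitive fields first
# (opaque ciphertext tokens, constructed).
FIELD_ENCRYPTED_POST = (
    b"POST /tax/submit HTTP/1.1\r\n"
    b"Host: tax.example.internal\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"employee_id": 1042, "ssn": "v1:AQIDBAUGBwgJCgsMDQ4PEA==", '
    b'"gross_pay": "v1:ERITFBUWFxgZGhscHR4fIA=="}'
)


if __name__ == "__main__":
    for label, cap in [("cleartext", CLEARTEXT_POST),
                       ("tls", TLS_CLIENT_HELLO),
                       ("field-encrypted", FIELD_ENCRYPTED_POST)]:
        print(label, assess_interface(cap), assess_interface(cap, require_tls=False))
```

Running the two modes side by side makes the B-versus-D argument in the thread concrete: the field-encrypted capture passes only when the interface test is relaxed to "no readable PII", while the transport-level requirement fails it until the hop itself is TLS. An application-level test that only inspects the payroll code would see neither result; the check has to run against the actual interface traffic.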
ljkesmeer
1 year, 1 month ago
Selected Answer: D
D it is
upvoted 1 times
isaac592
1 year, 1 month ago
Selected Answer: D
"Interface testing is primarily concerned with appropriate functionality being exposed across all the ways users can interact with the application. From a security-oriented vantage point, the goal is to ensure that security is uniformly applied across the various interfaces. This type of testing exercises the various attack vectors an adversary could leverage." - 11th hour
upvoted 1 times
MShaaban
1 year, 3 months ago
I believe it is D. The unencrypted transmission of sensitive data to another system (Tax) is part of Factory Integration Testing (FIT), the phase in which we test the interfacing and integration with external systems. Inadequate application level testing is part of Factory Acceptance Testing (FAT); integration with external systems doesn't happen there.
upvoted 2 times
Bach1968
1 year, 4 months ago
Selected Answer: B
The most likely cause of the security issues is option B: Inadequate application level testing. The fact that the internal test team had already performed an in-depth application and security test of the system but did not uncover the significant security weaknesses indicates that the testing conducted by the internal team was not thorough enough. It suggests that there were gaps or limitations in the application level testing performed internally, which resulted in the failure to identify the security vulnerabilities related to the unencrypted transmission of sensitive personal data. Who knows what else they left; I would have them review the full test scenario and re-test the full application.
upvoted 1 times
Dee83
1 year, 10 months ago
B. Inadequate application level testing is the most likely cause of the security issues. The internal test team had already performed an in-depth application and security test of the system, but the external vendor was still able to uncover significant security weaknesses. This suggests that the internal test team did not thoroughly test all aspects of the system, particularly in regards to data encryption and transmission.
upvoted 3 times
somkiatr
1 year, 10 months ago
Selected Answer: B
I select B because the sensitive personal data should be encrypted at rest. The database should store the encrypted data, which is then retrieved for sending across the interface. If the testers aren't aware whether the personal data was encrypted or not, then they failed on application level testing.
upvoted 4 times
oudmaster
1 year, 11 months ago
I vote for B. Because "failure" means the team is aware that they have failed; there should be an indication or notification of the failure. As a pentester, application level testing is simply done by sniffing, or opening Wireshark and checking the application data.
upvoted 1 times
Jamati
2 years ago
Selected Answer: D
The payroll and tax systems communicate via their respective API interfaces. So I suppose D is correct.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other