🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 15.3 - Testing Your Software (Part 2 of 2)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues the software testing tour from Domain 6, turning to the techniques that stress code from the outside. It covers how testers break software with bad input, check the seams between components, probe for deliberate abuse, gauge how much was tested, and keep watching a site once it goes live.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What is fuzz testing?

Fuzz testing floods an application with a torrent of invalid input, either random or deliberately crafted, to push it past its limits. As the software chokes on the garbage, the tester watches for crashes, memory overflows, or other strange behavior. It splits into mutation fuzzing, which mangles real input, and generational fuzzing, which models the data the program expects and builds new inputs from that understanding.

Why must you test the interfaces between components?

Complex software is stitched together from parts that must cooperate, and different teams hand off through well-defined interfaces where things silently break. Interface testing checks each module against its interface specification to confirm they will actually work together. The four interfaces to test are application programming interfaces, user interfaces, network interfaces, and physical interfaces.

How do you probe software for deliberate abuse?

Through misuse case testing, where you flip your perspective and think like someone trying to break the rules. First you enumerate the known ways a user might abuse the application, then you actively attempt those abuses, by hand or with automated tools, to see if the software holds. For a language model, a dangerous misuse is flooding it with complex or repeated prompts to drain its computing resources, a form of denial of service.

How do you measure how much you have tested?

With a test coverage analysis, where you estimate coverage as the number of use cases tested divided by the total number of use cases, expressed as a percentage. The number is inherently subjective because nobody can truly enumerate every use case. You can slice coverage by branch, condition, function, loop, or statement, and should treat the percentage as a rough compass rather than a precise gauge.

What is the difference between passive and synthetic website monitoring?

Passive monitoring captures real traffic as it flows, giving a true picture of what actual users experience, and a variant even reconstructs individual user journeys. Synthetic monitoring fires artificial transactions at the site, from a simple page request to a full scripted flow, to measure performance on demand. Passive only sees a problem after a real user hits it, while synthetic can catch trouble before anyone does.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 15.3 - Testing Your Software (Part 2 of 2).