
Exam PT0-001 topic 1 question 58 discussion

Actual exam question from CompTIA's PT0-001
Question #: 58
Topic #: 1
A penetration tester is performing a code review. Which of the following testing techniques is being performed?

  • A. Dynamic analysis
  • B. Fuzzing analysis
  • C. Static analysis
  • D. Run-time analysis
Suggested Answer: C
Reference:
https://smartbear.com/learn/code-review/what-is-code-review/

Comments

mr_robot
Highly Voted 5 years, 1 month ago
C. - Static code analysis is conducted by analyzing an application’s source code. Obviously, this type of testing is usually performed only during a white box penetration test. Static code analysis does not involve actually running the program. Instead, it is focused on analyzing how the application is written. Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.
upvoted 8 times
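The comment above describes static analysis as inspecting non-running source code with taint and data-flow techniques. The following added example (written for this discussion, not part of the exam material or any referenced OWASP/SmartBear page) shows that idea in miniature: it parses a constructed Python snippet into an AST, tracks values that originate from a request parameter, and reports where such a value reaches a command-execution sink without passing through a sanitizer. The source, sink and sanitizer lists and the `SAMPLE_SOURCE` snippet are assumptions built for the example; the snippet is only parsed, never executed, which is exactly the distinction between static and dynamic testing that the question turns on.

```python
import ast

# Constructed sample source "under review". It is parsed, never imported or run.
SAMPLE_SOURCE = '''
import os
import shlex

def handler(request):
    host = request.args.get("host")
    os.system("ping -c 1 " + host)               # untrusted value reaches a sink

def safe_handler(request):
    host = request.args.get("host")
    os.system("ping -c 1 " + shlex.quote(host))  # sanitized before the sink
'''

# Assumed taxonomy for the example: where untrusted data enters, where it is
# dangerous, and which calls are treated as breaking the taint chain.
TAINT_SOURCES = {"request.args.get", "input"}
SINKS = {"os.system", "subprocess.call", "eval"}
SANITIZERS = {"shlex.quote", "int"}


def dotted_name(node):
    """Return the dotted name of a Name/Attribute chain, e.g. 'os.system'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintAnalyzer(ast.NodeVisitor):
    """Flow-insensitive, per-function taint tracking (a deliberate simplification)."""

    def __init__(self):
        self.tainted = set()   # variable names currently holding tainted data
        self.findings = []     # (line number, sink name) pairs

    def visit_FunctionDef(self, node):
        self.tainted = set()   # each function starts with no tainted variables
        self.generic_visit(node)

    def visit_Assign(self, node):
        # Propagate taint from the right-hand side to the assigned names.
        if self.is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        # Report a sink call whose arguments carry tainted data.
        name = dotted_name(node.func)
        if name in SINKS and any(self.is_tainted(arg) for arg in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)

    def is_tainted(self, expr):
        """Data-flow check: does this expression (transitively) carry tainted data?"""
        if isinstance(expr, ast.Name):
            return expr.id in self.tainted
        if isinstance(expr, ast.Call):
            name = dotted_name(expr.func)
            if name in TAINT_SOURCES:
                return True
            if name in SANITIZERS:
                return False   # a sanitizer call ends the taint chain
            return any(self.is_tainted(arg) for arg in expr.args)
        if isinstance(expr, ast.BinOp):
            return self.is_tainted(expr.left) or self.is_tainted(expr.right)
        if isinstance(expr, ast.JoinedStr):   # f-strings
            return any(self.is_tainted(v.value)
                       for v in expr.values if isinstance(v, ast.FormattedValue))
        return False


def analyze(source):
    """Statically analyze Python source text; return [(line, sink), ...]."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


if __name__ == "__main__":
    for line, sink in analyze(SAMPLE_SOURCE):
        print(f"line {line}: tainted data reaches {sink}")
```

Running it reports only `handler` (line 7 of the snippet), because in `safe_handler` the value passes through `shlex.quote` before reaching `os.system`. A real static analyzer adds path sensitivity, inter-procedural tracking and a far larger source/sink catalogue, but the mechanism is the same: reasoning over the program text rather than observing it run, which is why a code review is classified as static analysis.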
x0hmei
3 years, 11 months ago
I'm gonna have to say B since they are saying it's a PenTester and not a software dev, so that would make it a black-box review. See https://owasp.org/www-community/Fuzzing
upvoted 1 times
kamaluchi
3 years, 10 months ago
Static analysis reviews the code. Fuzzing is a type of dynamic analysis.
upvoted 1 times
miabe
Most Recent 2 years, 10 months ago
Selected Answer: C
Looks good to me.
upvoted 1 times
dustercan
3 years, 7 months ago
I think the key words in the question are "code review". In my experience, doing a code review is pretty tough without the code. Since static review is the only available option on actual source code, the answer has to be C. If the question had said "application review" in some way instead of "code review", then this goes a different direction.
upvoted 1 times
smalltech
3 years, 10 months ago
https://owasp.org/www-pdf-archive/OWASP_Code_Review_Guide_v2.pdf
upvoted 1 times
smalltech
3 years, 10 months ago
C. https://owasp.org/www-community/controls/Static_Code_Analysis Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.
upvoted 1 times
x0hmei
3 years, 10 months ago
Yes, that is correct if they have the source, but they are saying a pentester, who usually does not have the source unless it's a white-box test, but it doesn't say so??
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)