ISC2 CISSP Practice Question

The correct answer is to identify vulnerabilities by sending unexpected or random inputs. Fuzz testing works by automatically generating and sending malformed, unexpected, or random data to an application to trigger error conditions, crashes, or unexpected behaviors that might indicate security vulnerabilities. It's particularly effective at finding input validation issues, buffer overflows, and other boundary condition problems, which aligns perfectly with the engineer's goal.

Performing dynamic taint analysis of data flows within an application is a different security testing technique that tracks how untrusted data moves through an application to identify potential vulnerabilities. While this approach can reveal security issues, it uses instrumentation to monitor data propagation rather than generating random inputs as fuzz testing does.

Validating input sanitization routines against known attack patterns is more closely related to penetration testing or security scanning with predefined patterns. Unlike fuzz testing, which generates random or unexpected inputs, this approach uses known malicious inputs to test specific defenses.

Verifying the integrity of compiled binaries against their source code is related to software assurance and supply chain security. This process ensures that the compiled code matches the reviewed source code and hasn't been tampered with during the build process, but it doesn't involve sending unexpected inputs to find vulnerabilities.