ISC2 Governance, Risk and Compliance (CGRC) Practice Question

During a security assessment you must verify that a web application's input-validation control is functioning properly. Which activity best represents the test assessment method rather than interview or examine?

Request the secure coding policy and verify it requires input validation
Discuss with developers how they sanitize user input
Review past penetration test reports that mention input-validation findings
Submit a series of malicious payloads through the application and observe whether they are rejected

Report Issue

Answer Description

The test method involves exercising a control to confirm it operates as intended. Actively submitting malicious payloads and observing whether they are blocked demonstrates the control's real-time effectiveness. Merely talking with developers, reading policies, or reviewing prior reports gathers information through interview or examine techniques but does not directly exercise the control, so those activities do not qualify as testing.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.

What is input validation in the context of web applications?

Open an interactive chat with Bash

Why is actively testing controls, like input validation, more reliable than interviews or document reviews?

Open an interactive chat with Bash

What are common types of malicious payloads used to test input validation?

Open an interactive chat with Bash

What is input validation in web applications?

Open an interactive chat with Bash

How do malicious payloads work in testing application security?

Open an interactive chat with Bash

What is the difference between 'test,' 'interview,' and 'examine' in security assessments?

Open an interactive chat with Bash

What is input validation in web applications?

Open an interactive chat with Bash

Why is submitting malicious payloads considered a test method?

Open an interactive chat with Bash

What are examples of malicious payloads used to test input validation?

Open an interactive chat with Bash

ISC2 Governance, Risk and Compliance (CGRC)

Assessment/Audit of Security and Privacy Controls

Your Score:

Settings & Objectives

Security and Privacy Governance, Risk Management, and Compliance Program

Scope of the System

Selection and Approval of Framework, Security, and Privacy Controls

Implementation of Security and Privacy Controls

Assessment/Audit of Security and Privacy Controls

System Compliance

Compliance Maintenance

Random Mixed

Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.

Rotate by Objective

Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Hide Score

Check or uncheck an objective to set which questions you will receive.

Bash, the Crucial Exams Chat Bot

AI Bot