ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

During preparation for an external pen test, your team must develop attack surface validation test cases for a newly deployed RESTful microservice that will be exposed to business partners. Which single test case would most effectively validate the service's external attack surface before release?

Confirm that the cryptographic libraries in the codebase rely solely on FIPS 140-2 validated algorithms.
Verify that input validation constrains payload size to typical usage limits to prevent buffer overflows.
Enumerate every HTTP verb on each endpoint and attempt unauthenticated or unauthorized calls, including rarely used methods like OPTIONS and TRACE.
Run randomized fuzzing against internal helper functions that are only invoked by backend microservices.

Report Issue

Answer Description

An application's attack surface is made up of all externally reachable entry points. For a RESTful service those entry points are the exposed URIs along with every HTTP verb the service is willing to process. Crafting a test case that systematically enumerates and exercises each HTTP method (including seldom-used ones such as OPTIONS, TRACE, or DELETE) on every endpoint, while attempting requests without proper authentication or authorization, directly confirms whether unexpected or overly permissive interfaces exist. The other choices test important security qualities but do not focus on discovering or shrinking the externally visible interface, so they are less effective for primary attack-surface validation.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.