The Chief Information Security Officer (CISO) at a software development company is concerned
about the lack of introspection during a testing cycle of the company’s flagship product. Testing
was conducted by a small offshore consulting firm and the report by the consulting firm clearly
indicates that limited test cases were used and many of the code paths remained untested.
The CISO raised concerns about the testing results at the monthly risk committee meeting,
highlighting the need to get to the bottom of the product behaving unexpectedly in only some large
enterprise deployments.
The Security Assurance and Development teams highlighted their availability to redo the testing if
required.
Which of the following will provide the MOST thorough testing?
A.
Have the small consulting firm redo the Black box testing.
B.
Use the internal teams to perform Grey box testing.
C.
Use the internal team to perform Black box testing.
D.
Use the internal teams to perform White box testing.
E.
Use a larger consulting firm to perform Black box testing.