Question

Users of a banking application may try to withdraw funds that don't exist from their account. Developers are aware of this threat and implemented code to protect against it. What type of software testing would most likely catch this type of vulnerability if the developers have not already remediated it?

A. Misuse case testing
B. SQL injection testing
C. Fuzzing
D. Code review

Answer 1

Misuse case testing is the most effective method to catch the vulnerability of withdrawing non-existent funds in a banking application, as it involves simulating attacks and abnormal use cases.

Step-by-step explanation:

To catch a vulnerability where users might try to withdraw funds that don't exist in a banking application, misuse case testing would likely be the most effective. Misuse case testing is a method where testers think like an attacker and try to break the system by using it in ways that were not intended by the developers. This can include testing for scenarios like withdrawing funds that are not available. It helps ensure that the system behaves correctly even in case of abnormal or malicious usage, thereby preventing fraud and financial loss.

Fuzzing is also useful in certain contexts as it involves sending malformed or unexpected data to the system to find vulnerabilities, but it may not specifically target the scenario of withdrawing non-existent funds. SQL injection testing is more focused on finding vulnerabilities in the database layer that could be exploited by injecting malicious SQL statements. A code review is a systematic examination of the application's source code to find vulnerabilities, but it isn't a testing method per se; rather, it's a preventative measure that ideally happens before testing.