Weekly CISSP Practice Exam Questions
Week 12 - Question 2
Which type of testing will most likely find zero-day vulnerabilities?
A. Fuzz Testing
B. White-Box Testing
C. Black-Box Testing
D. Stress Testing
Correct Answer: A
Explanation:
A. Fuzz Testing (Fuzzing)
Fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.
The "Zero-Day" Connection: Because fuzzing doesn't rely on a database of known signatures or patterns, it is uniquely positioned to find Zero-Day vulnerabilities (flaws unknown to the vendor). By bombarding an application with millions of permutations of malformed data, it can trigger "edge cases"—such as buffer overflows or unhandled exceptions—that developers never anticipated.
Mechanism: The system monitors the application for crashes or memory leaks during the input bombardment. A crash often indicates a potential security hole that can be further investigated and exploited by a researcher.
B. White-Box Testing
White-box testing (or clear-box testing) is a method where the tester has full access to the internal structures, design, and source code of the application.
The Role: It is excellent for comprehensive code coverage and verifying logic flows.
The Limitation: While a highly skilled white-box tester could find a zero-day flaw by reading the code, they are limited by human intuition and time. Fuzzing, by contrast, uses brute-force automation to find flaws that might be hidden deep in complex code paths where a human eye might miss them.
C. Black-Box Testing
Black-box testing involves testing an application from the outside without any knowledge of its internal workings or source code.
The Role: It mimics the perspective of an external attacker.
The Limitation: Standard black-box testing often relies on known attack patterns (like trying common SQL injection strings). While it is a vital part of security testing, it is less efficient at discovering brand-new, unique software bugs compared to the high-volume, randomized nature of a fuzzer.
D. Stress Testing
Stress testing is a form of Performance Testing designed to determine the stability of a system under extreme conditions.
The Goal: It pushes the system beyond its normal operational capacity (e.g., flooding a web server with 10x its maximum expected traffic) to see how it fails and how it recovers.
The Distinction: While a system crash during a stress test might reveal a security vulnerability (like a Denial of Service weakness), the primary goal of stress testing is to ensure reliability and availability, not to find specific code-level security exploits or zero-day vulnerabilities.
Key Takeaway for the CISSP Exam
Testing Definitions:
- Fuzzing: Automated random input to find unknown (Zero-Day) bugs.
- Static Analysis (SAST): Reviewing source code without running it.
- Dynamic Analysis (DAST): Testing the application while it is running.
- Stress/Load Testing: Testing for "Availability" under heavy pressure.