Security Testing Language

A professional security finding includes OWASP classification, exact location, reproducible evidence, CVSS score, and a concrete recommendation.

Options A, B, and D identify the issue but lack structure — they cannot be used to triage, prioritise, or reproduce the finding in isolation. Option C follows the industry-standard security finding format: OWASP category and ID (A03:2021), the exact vulnerable endpoint and parameter, the specific payload used with the observed response, the CVSS score for risk quantification, and a targeted remediation recommendation. This structure allows any developer or security engineer to locate, reproduce, and fix the issue from the report alone.

Key vocabulary:
• SQL Injection — insertion of malicious SQL code into a query via unsanitised user input
• OWASP A03:2021 — the Injection category in the OWASP Top 10 (2021 edition)
• CVSS Base Score — Common Vulnerability Scoring System; 0–10 scale for severity quantification
• Parameterised statement — a prepared SQL query where user input is passed as a parameter, not embedded
• Session token — a credential that grants authenticated access; must never be obtainable without valid login

A CVSS score of 7.5 falls in the High range (7.0–8.9) — not Critical, not Medium.

Option A is wrong: Critical severity requires a CVSS score of 9.0–10.0; 7.5 does not meet this threshold. Option B is wrong: Medium is 4.0–6.9; 7.5 exceeds it. Option C is wrong: CVSS is not a percentage — it is a structured formula combining Base, Temporal, and Environmental metrics. Option D correctly applies the CVSS severity scale: High (7.0–8.9), describes the exploitability characteristics implied by a 7.5 score (network, no auth, high impact), and gives a realistic remediation timeline used in enterprise security programmes.

Key vocabulary:
• CVSS (Common Vulnerability Scoring System) — an industry-standard formula for scoring vulnerability severity
• Critical — CVSS 9.0–10.0; immediate remediation required
• High — CVSS 7.0–8.9; remediation within 7–14 days
• Medium — CVSS 4.0–6.9; remediation within 30 days
• Low — CVSS 0.1–3.9; addressed in regular maintenance cycles

SAST analyses code without running it; DAST tests the running application; IAST instruments the running app from inside.

DAST tools (like OWASP ZAP or Burp Suite) send requests to the live application and analyse responses — they see the app as an attacker would. IAST agents (like Contrast Security) run inside the application JVM/runtime and detect vulnerabilities during functional or integration test execution. Penetration testing is a manually-directed engagement, not an automated pipeline tool. Only SAST (like SonarQube, Checkmarx, Semgrep) analyses source code without execution, making it suitable for early CI integration before deployment.

Key vocabulary:
• SAST — Static Application Security Testing; code-level analysis without execution
• DAST — Dynamic Application Security Testing; testing the running application externally
• IAST — Interactive Application Security Testing; runtime analysis via internal instrumentation
• CI pipeline — the automated build, test, and analysis workflow triggered on each commit
• Instrumentation agent — a component embedded in the application runtime that monitors code execution

A penetration testing finding must include a precise title, CVSS score, affected endpoint, reproducible evidence, impact statement, and specific remediation guidance.

Options A, B, and C each omit critical elements: A has no evidence or CVSS; B has no score, endpoint, or evidence; C has no score, endpoint, or specific remediation. Option D meets the full industry standard: it names the finding type precisely, assigns a CVSS severity, identifies the exact endpoint and parameter, provides a reproducible proof-of-concept payload, lists concrete impact categories, and gives targeted remediation steps — both the developer fix (entity encoding) and the security control (CSP header).

Key vocabulary:
• Reflected XSS — a cross-site scripting attack where the payload is reflected from the server in the same request
• Proof of concept (PoC) — a working exploit or payload that demonstrates the vulnerability is exploitable
• HTML entity encoding — converting special characters to HTML entities to prevent script injection
• Content-Security-Policy (CSP) — an HTTP header that restricts what scripts and resources a page may load
• Session hijacking — stealing a user's authenticated session token to impersonate them

A penetration test scope must explicitly list in-scope and out-of-scope targets, environments, and any third-party restrictions.

Option A is dangerously vague — "entire application" without boundaries creates legal and operational risk. Option B is reckless: testing production servers and endpoints without explicit authorisation and staging-only restrictions is irresponsible. Option D is too narrow and unexplained. Option C is the professional standard: it specifies exact URLs, restricts activity to the staging environment (protecting production), excludes named third-party services (Stripe, CDN) that require separate authorisation, and excludes the mobile app as a distinct engagement — providing clear legal and operational boundaries for the testing team.

Key vocabulary:
• Scope of engagement — the formally agreed boundaries of a security testing activity
• Out-of-scope — explicitly excluded targets; testing against them without authorisation is illegal
• Third-party service — an external system (payment processor, CDN) requiring its own authorisation to test
• Staging environment — a pre-production copy of the system; preferred for destructive security testing
• Rules of engagement — the agreed constraints on timing, methods, and targets for a penetration test