Which one of the following combinations between high-level security requirements and security testing techniques matches BEST?
Correct Answer: A
Security testing ensures the system protects data and maintains intended behavior under potential attacks. Different techniques address specific security goals. Option A is correct: Static vulnerability analysis inspects code or architecture without executing it, identifying weaknesses in mechanisms such as authentication (e.g., login controls) and authorization (e.g., access permissions). These mechanisms are foundational security requirements. Other options: B is misleading - penetration testing simulates attacks, but input validation is more often verified with fuzzing or code review. C is incorrect - fuzzing tests input handling, not the performance of cryptographic algorithms. D is incorrect - threat modeling is a design-time activity to identify risks; it's not used to test policies directly. A). Static vulnerability analysis to test authentication and authorization mechanisms
CTFL-AcT Exam Question 27
Which one of the following statements describes correctly how acceptance testing may be augmented with other test techniques or approaches?
Correct Answer: A
Model-Based Testing (MBT) is a test design technique in which test cases are derived from a model that describes some aspects of the system's behavior. In the context of acceptance testing, MBT can be used to generate high-level acceptance test cases automatically from business process models, use case diagrams, state models, or decision tables. Option A is correct because MBT supports the systematic generation of acceptance test cases from these models, enabling better coverage of business rules and workflows while maintaining traceability to the requirements. Other options: B is close but slightly off: prioritization of acceptance tests in a priority-based approach depends on business value or stakeholder-defined priorities, not strictly on product risks. C is incorrect. Risk-based testing relies on structured risk assessment, not just intuition or experience. D is false. Black-box testing focuses on inputs and outputs without referencing the internal structure (such as function calls), which is characteristic of white-box testing. Exact Reference - ISTQB CTFL Acceptance Testing Syllabus (Section 2.3): "Model-based testing can be used to generate acceptance test cases systematically based on models representing business processes or system behavior."
CTFL-AcT Exam Question 28
Which of the following statements regarding defects is MOST correct?
Correct Answer: B
Defect reporting is a core responsibility of testers. When a test fails, the tester must document the observed behavior and how it differs from the expected behavior. This allows developers, analysts, and stakeholders to assess whether the issue is a defect, and if so, prioritize and fix it. Option B is correct because it accurately describes the core responsibility of a tester when logging a defect: report the mismatch between actual and expected outcomes clearly and objectively. Other options: A refers to meetings, which are useful but not a replacement for clear defect reports. C incorrectly assigns the role of defect routing to business analysts - this is typically handled by test or defect management tools. D suggests the tester analyzes impact before reporting - which could delay the defect being logged and is not always the tester's role (impact analysis is often done collaboratively later). B). Testers should provide accurate information regarding the difference between the expected test result and the actual result.
CTFL-AcT Exam Question 29
Assume you would like to create a model describing a loan request process in a bank. The loan request process starts when the customer submits a loan application. The bank then reviews the application. Regardless of whether the loan request is approved or not, a letter is sent to inform the customer of the decision. If the request is approved, the loan contract is created. You have drawn the following business process model using BPMN 2.0. Which one of the following sentences is true with respect to this process model?
Correct Answer: B
Comprehensive Detailed Explanation (Approx. 200-220 words): In the first BPMN diagram (Loan Request Process), the process starts with the receipt of a loan application. Then, parallel gateways (indicated by the "+" symbols) are used to trigger three separate evaluations: verifying employment, requesting and reviewing a credit record, and performing and reviewing a title search. These are executed concurrently, not sequentially. After all checks are completed, the loan application is reviewed. A decision gateway (diamond with an "X") checks whether the loan is approved. Depending on the decision: If approved: a loan approval letter is sent, and a sub-process is triggered (represented by the rectangle with a "+" symbol inside), which is the creation of the loan contract. This is what identifies it as a BPMN "sub- process." If rejected: a rejection letter is sent. In both cases, the process ends after customer notification. Evaluation of answer options: A: Incorrect - the verification steps occur before the loan status is determined. B: Correct - the "Create the loan contract" activity has a "+" symbol, indicating a sub-process. C: Incorrect - the parallel gateway means these tasks are executed concurrently, not sequentially. D: Incorrect - all review activities are mandatory prior to application review. Therefore, B is the correct answer.
CTFL-AcT Exam Question 30
Which one of the following statements regarding acceptance criteria is true?
Correct Answer: C
Acceptance criteria define the conditions under which a user story or requirement is considered complete and acceptable to stakeholders. They clarify the expected behavior, outcomes, or attributes of the system. Option C is correct because it accurately reflects that acceptance criteria are used to specify what is expected from the system in relation to a given requirement or user story. This ensures a shared understanding among developers, testers, and business stakeholders. Other options: A is vague and misleading - acceptance criteria relate directly to specific stories or features, not generally to high-level goals. B is partially correct but limited - while acceptance criteria help define test conditions, their purpose is broader than just test specification. D is incorrect - acceptance criteria are not related to code coverage, which is a technical test metric. C). For each requirement or user story, the acceptance criteria refine and specify what is expected