1

Software Assessment Methods — Static, Formal, UAT & Regression

A comprehensive software testing programme validates the CIA triad across the entire application lifecycle. No single technique is sufficient — combine automated tools with human review, testing environments with production validation, and pre-release checks with ongoing regression.

Static Code Analysis
Reviews uncompiled source code — either manually (line by line) or using automated tools that scan for signatures of known vulnerabilities (OWASP Top 10, insecure library usage, faulty logic). Automated tools provide the first pass; humans catch what tools miss. Always do both — neither is an adequate substitute for the other.
Code Reviews
Manual peer review of source code. Types: email/async (developer emails code to reviewer), over-the-shoulder (developer explains while reviewer watches), paraprogramming/pair programming (both developers code together, alternating writing and reviewing). Improves knowledge sharing across experience levels.
Formal Verification
Validates software design through mathematical modelling of all expected inputs and outputs. Used for safety-critical software (self-driving cars, aviation, medical devices) where corner cases must be eliminated — situations where all available outcomes are bad and the system must make a defined, predictable choice.
User Acceptance Testing (UAT)
Beta testing by real end users to prove software is usable and fit for purpose in real-world conditions. Identifies workflow issues and use-case mismatches that developers didn't anticipate. Not about whether the code works — about whether it works the way users actually need it to work.
Security Regression Testing
Verifies that updates, patches, or new features don't break existing security controls. Every code change risks breaking three other things. After any patch or update: test all security mechanisms to confirm they still function. Identifies security regressions — controls that worked before but are now broken by a change.
Testing environment types apply here too: Static analysis = known environment (you have the source code). Dynamic analysis and fuzzing = unknown environment (you run the binary and observe). UAT = partially known (users know the expected behaviour but don't have the code). Different test types reveal different classes of vulnerability.
2

Reverse Engineering — Machine Code to High-Level Code

Reverse engineering is the process of analysing the structure of hardware or software to reveal how it functions. For a cybersecurity analyst, the primary use case is analysing captured malware. You start with a binary executable and work backwards toward readable code.

The reverse engineering ladder — three levels

Reverse Engineering Progression — Binary → Assembly → High-Level Code
Lowest
hardest to read
Machine Code
Machine Code / Binary
48 89 32
B8 00 00 00 00
48 8B 45 F8 ...
Raw hexadecimal byte instructions native to the CPU platform (x86-64). Humans cannot meaningfully read this directly.
↑ disassembler (e.g. IDA) converts machine code → assembly ↑
Middle
better
Assembly
Assembly Language
movq %rsi, (%rdx)
push rbp
xor eax, eax
cmp rax, rbx
Human-readable text mnemonics mapping to CPU instructions. Short codes: mov, push, pop, xor, add, sub, inc, cmp, jmp, call. Still requires expertise to interpret.
↑ decompiler (e.g. IDA decompiler) converts assembly → high-level ↑
Highest
most readable
High-Level
High-Level Code / Pseudocode
*dest = t;
if (count > max) {
return ERROR;
}
Decompiled C-like code or pseudocode. Identifies functions, variables, branching logic. Most readable — even without deep C knowledge, purpose is often apparent.
🔴 Machine code (48 89 32) = same instruction as assembly (movq) and high-level (*dest = t) 🔧 Disassembler: machine → assembly 🔧 Decompiler: assembly/machine → high-level/pseudocode 🔧 IDA = does both

Key reverse engineering tools

IDA — Interactive Disassembler
The most widely used cross-platform disassembler and decompiler for reverse engineering. Automates identification of API calls, function parameters, and code components. Produces pseudocode that resembles C or C++. The primary tool for malware reverse engineering.
Obfuscator
A software tool that randomises variable/function/constant names, removes comments, and strips whitespace to make code harder to analyse. Malware writers use obfuscators to prevent security researchers from reading their code, blocking signature creation and making attribution harder.
Immunity Debugger
Built specifically for penetration testers. Supports a Python API plugin for automated scripting. Used to write exploits, analyse malware, and reverse binary files. Preferred over GDB for pen testers due to its Python support and user-friendly interface.
GDB — GNU Debugger
Open-source cross-platform debugger for Unix/Windows/Mac. Supports many languages (C, C++, Java, Go, Python, etc.). Text-based console interface — functional but not user-friendly. Most penetration testers prefer Immunity Debugger for its GUI and Python API.
SearchSploit
A tool to search the Exploit Database for known exploit code. Not technically a debugger, but frequently used alongside debuggers to look up what a specific exploit does while reading malware. Can be installed locally for offline research during analysis sessions.
3

Dynamic Analysis — Debuggers, Stress Testing & Fuzzing

Dynamic analysis executes a compiled program and analyses its behaviour at runtime — what it does, what it changes, what it communicates. Unlike static analysis (reading code), dynamic analysis observes the running system. When obfuscation makes static analysis difficult, dynamic analysis reveals the actual behaviour.

Debugger (dynamic)
Steps through a program instruction by instruction at runtime. Set breakpoints to pause execution at specific lines. Inspect variable values and memory state at each stop. Used by both defenders (analyse malware) and attackers (find exploitable weaknesses). Immunity Debugger and GDB can run dynamically as well as assist with static analysis.
Stress testing
Evaluates how software performs under extreme load — processor, memory, network, disk, or connections. Used to determine what conditions trigger a denial of service, discover capacity limits, and verify performance before production deployment. A web application stress tool simulates high concurrent traffic to find breaking points before real users do.

Fuzzing — sending random and unusual input

Fuzzing sends a running application random, malformed, or unexpected input to observe how it responds — looking for crashes, errors, or unexpected behaviour that reveals vulnerabilities like buffer overflows and input validation failures.

How fuzzing works
Send unexpected data to all input points — form fields, URL parameters, file uploads, protocol packets, HTTP headers. If a 16-digit credit card field crashes when given letters or special characters, that reveals an input validation failure. Fuzzing automates this systematic test of every input.
Dumb fuzzer
Sends semi-random input with no knowledge of valid input format. Simply tries anything. Effective for finding simple crashes and memory corruption bugs. Lower setup cost, lower signal quality. Also called "untargeted fuzzing."
Smart / targeted fuzzer
Sends inputs crafted around known vulnerability patterns, protocol specifications, or file format structures. Higher setup cost but more likely to find specific, exploitable vulnerabilities. Uses knowledge of expected input format to generate more effective attack payloads.
Peach Fuzzer
One of the most advanced commercial fuzzing platforms. Includes a community (free) edition. Provides pre-built test cases for network appliances, web applications, financial data, healthcare systems, and more. Used in industry by security researchers to find zero-day vulnerabilities.

Three fuzzing injection methods

Application UI
Targets input fields, form controls, and command-line switches that the application exposes to users. The most direct path — fuzz exactly what users can interact with.
Protocol manipulation
Sends malformed or modified network packets to the application's listening service. Modifies HTTP headers, payloads, or protocol-level fields. Tests network-facing attack surfaces.
File format manipulation
Uploads or opens malformed files — a file labelled as PNG that's actually an executable. Tests how the application handles unexpected file content, type confusion, and parsing edge cases.
4

Web Application Scanners — Nikto & Arachni

Web application scanners are specialised vulnerability testing tools designed for web servers and web applications. Unlike network vulnerability scanners (Nessus, Qualys) that focus on infrastructure, web application scanners detect XSS, SQL injection, directory traversal, clickjacking, and other web-specific vulnerabilities.

Nikto
Command-line web scanner
One of the most widely used open-source web application scanners. Identifies known web server vulnerabilities, misconfigurations, and running web applications with known vulnerabilities. Runs from the command line — output is text-based. Typical use: nikto -h <target_ip> -p <port>. Reports anti-clickjacking headers, XSS vulnerabilities, content-type errors, information leakage, and more.
Arachni
GUI web scanner
Open-source web scanner with a graphical user interface (similar in look to OpenVAS/Nessus). Actively tests: code injection, SQL injection, XSS, CSRF, local/remote file inclusion, session fixation, directory traversal, and more. Colour-coded severity output: red = most severe, blue/white = least severe. Better for analysts who prefer visual reports over command-line text.
5

Burp Suite — Interception Proxy & sqlmap

Burp Suite is a proprietary interception proxy and web application assessment tool. An interception proxy sits between the client (browser) and the server, capturing and optionally modifying all traffic in both directions — enabling analysis and manipulation of web application communications.

What Burp Suite does
Captures all HTTP/HTTPS traffic between browser and server. Allows viewing and modifying requests before they reach the server. Provides automated crawling, vulnerability scanning, and exploit injection. Comes pre-installed on Kali Linux and Parrot OS. Available as community (free) and professional (paid) versions. Runs on Windows, Linux, and Mac.
As an interception proxy
Configure the browser to use Burp as a proxy (localhost:8080). All browser requests now route through Burp. Burp captures the raw HTTP request including headers, cookies, and session tokens. You can inspect, modify, or forward the request. The response from the server also passes through Burp before reaching the browser.

Burp Suite + sqlmap workflow

Step 1 — Capture session data
Configure browser to proxy through Burp (127.0.0.1:8080). Submit a request to the vulnerable web application. Burp captures the HTTP request including the session cookie and PHP session ID. These are needed to authenticate the sqlmap attack as if it were your browser.
Step 2 — Run sqlmap
sqlmap -u <url> --cookie=<captured_cookie>. sqlmap automatically tests the URL parameter for SQL injection vulnerabilities. Identifies the database type (MySQL), injection methods (boolean-blind, time-blind, UNION), and collects server details (OS, Apache, PHP, MySQL versions).
Step 3 — Enumerate databases
--dbs lists all databases on the server. -D <dbname> --tables lists tables in a database. -T <tablename> --columns lists columns. --dump dumps table data including password hashes. sqlmap automatically attempts to crack common hashes using dictionary attacks.
Exam note — Burp Suite: You do not need to know how to operate Burp Suite for the CySA+ exam. Know: (1) it's an interception proxy, (2) it sits between client and server capturing/modifying traffic, (3) it performs automated web application vulnerability scanning, (4) it's used by security analysts and penetration testers for web app assessment. That level of understanding is sufficient.
6

OWASP ZAP — Open-Source Proxy & HUD Mode

OWASP ZAP (Zed Attack Proxy) is an open-source interception proxy and web application assessment tool written in Java. It is the free, community-maintained alternative to Burp Suite's commercial version. Because it's Java-based, it runs natively on Windows, Linux, and Mac.

Core capabilities
Automated crawling — discovers all links and content within a web application by following every link and form. Automated vulnerability scanning — uses configurable scan policies and plugins to detect injection, authentication, and other vulnerabilities. Spider mode indexes all pages so vulnerabilities can be tested across the entire site.
HUD Mode (Heads-Up Display)
Unique feature — displays alert indicators and scan tools directly overlaid on the web page inside your browser. Orange banner at top + alert counts visible in the browser toolbar. Allows real-time interaction with scan results while browsing the target site. Click alerts in the HUD to get details without leaving the browser.
ZAP vs. Burp Suite
Both are interception proxies with web application scanning capabilities. ZAP = free/open-source, Java-based, HUD mode, community maintained. Burp Suite = community (free) + professional (paid), more features in paid version, widely used by pen testers. For the exam: know both exist and what they do — don't need to know how to use either.
7

Tool Reference Summary

ToolCategoryKey facts for the exam
IDADisassembler / DecompilerInteractive disassembler — takes binary, produces assembly and pseudocode. Cross-platform. Most widely used reverse engineering tool. Has automated API call identification.
Immunity DebuggerDebuggerBuilt for penetration testers. Python API support for scripting. Used for exploit writing, malware analysis, binary reverse engineering. Preferred by pen testers over GDB.
GDBDebuggerGNU Debugger — open-source, cross-platform (Unix/Windows/Mac). Supports many languages. Text-based console — less user-friendly than Immunity Debugger. Still widely used.
SearchSploitExploit researchSearches the Exploit Database locally. Used alongside debuggers during malware analysis to look up what specific exploit code does. Not a debugger itself.
Peach FuzzerFuzzerAdvanced commercial fuzzer with free community edition. Pre-built test cases for web apps, network devices, healthcare, financial. Industry-standard fuzzing platform.
NiktoWeb app scannerOpen-source, command-line web vulnerability scanner. Identifies server misconfigurations, known web vulnerabilities, anti-clickjacking header gaps, XSS. Text output.
ArachniWeb app scannerOpen-source web scanner with GUI. Tests XSS, SQL injection, CSRF, LFI/RFI, directory traversal, session fixation. Colour-coded severity output. More user-friendly than Nikto.
Burp SuiteInterception proxyProprietary. Community (free) + professional (paid). Sits between browser and server, captures/modifies traffic. Automated scanning, crawling, exploit injection. Pre-installed on Kali/Parrot.
sqlmapSQL injection toolAutomates SQL injection exploitation. Used with Burp Suite to use captured cookies/session data. Can enumerate databases, tables, columns, and dump data including password hashes.
OWASP ZAPInterception proxyOpen-source, Java-based. Same core function as Burp Suite. Includes HUD mode — overlays alerts in the browser. Free alternative to Burp professional. Cross-platform.

Exam

Quick Reference Cheat Sheet

Software assessment methods
Static Code Analysis = review uncompiled source code (manual or automated tools). Code reviews: email, over-the-shoulder, paraprogramming. Automated tools ≠ substitute for human judgment — use both. Formal Verification = mathematical modelling for corner cases in safety-critical systems. UAT = beta testing by real end users (fit for purpose). Security Regression Testing = verify patches don't break existing security controls.
Reverse engineering ladder
Binary/Machine Code (48 89 32) → Disassembler → Assembly (movq %rsi, (%rdx)) → Decompiler → High-Level/Pseudocode (*dest = t). IDA = industry-standard disassembler AND decompiler. Obfuscator = randomises variable/function names, removes comments — malware writers use this to prevent analysis. All three code forms represent identical instructions.
Reverse engineering tools
IDA = interactive disassembler/decompiler, cross-platform, most popular. Immunity Debugger = built for pen testers, Python API, preferred over GDB. GDB = open-source GNU debugger, multi-language, text-based (less user-friendly). SearchSploit = searches Exploit Database locally for exploit code research — used alongside debuggers, not a debugger itself. All can be used for both offensive and defensive purposes.
Dynamic analysis
Executes the program and observes runtime behaviour. Debugger = step through instructions, set breakpoints, inspect variables. Stress testing = extreme load testing to find capacity limits and DoS conditions (processor/memory/network/disk). Fuzzing = sends random/malformed input to find crashes and input validation failures. Dumb fuzzer = semi-random input. Smart fuzzer = targeted by known patterns. 3 injection methods: UI, protocol, file format. Peach Fuzzer = advanced commercial platform.
Web application scanners
Nikto = open-source, command-line, scans for web server misconfigurations and known vulnerabilities. Detects missing X-Frame-Options headers, XSS, information leakage. Text output. Arachni = open-source, GUI, tests XSS/SQL injection/CSRF/LFI/RFI/directory traversal/session fixation. Colour-coded severity (red = most severe, white = least). Use web app scanners when target is a web application — Nessus/Qualys for infrastructure.
Burp Suite & sqlmap
Burp Suite = proprietary interception proxy + web app scanner. Community (free) + professional (paid). Pre-installed on Kali/Parrot. Configure browser → proxy through localhost:8080. Captures all HTTP traffic including cookies/session tokens. Works with sqlmap: capture cookie in Burp → feed to sqlmap → automated SQL injection → enumerate databases/tables/columns → dump data. Exam: know Burp = interception proxy + web scanner. Don't need to know HOW to use it.
OWASP ZAP
Zed Attack Proxy — open-source interception proxy. Written in Java = cross-platform (Windows/Linux/Mac). Free alternative to Burp Suite professional. Core features: automated crawling (discovers all pages/links), automated vulnerability scanning (scan policies + plugins), HUD Mode (Heads-Up Display = overlays alerts on your browser while you browse the target site). Exam: know ZAP = open-source interception proxy + web scanner. Same core function as Burp Suite.