Application Security Buzzwords Flashcards
What is SAST?
Static Application Security Testing
True or False: DAST is performed on a live application.
True
Which scanning method focuses on code analysis?
Static Application Security Testing (SAST)
What is the primary goal of ‘Threat Modeling’?
To identify potential security threats and vulnerabilities in an application by reviewing the way that it has been designed.
What does ‘OWASP’ stand for?
Open Worldwide Application Security Project (Formerly Open Web Application Security Project)
Multiple choice: Which of the following is NOT a common application security testing technique?
A) Penetration Testing B) Code Review C) Load Testing
C) Load Testing
The following are all vendors of what type of security testing?
Snyk, Semgrep, Veracode, SonarQube, and Checkmarx
Static Application Security Testing (SAST)
Fill in the blank: _______ is the practice of simulating attacks on an application to identify security weaknesses.
Penetration Testing
What is ‘Compliance Testing’?
Testing to ensure that an application meets specific regulatory and security standards (e.g. ISO27001 or SOC2).
True or False: Application security testing should only be done at the end of the development process.
False
Multiple choice: Which of the following is a common output of application security testing?
A) Code B) Vulnerabilities C) Patches
B) Vulnerabilities
What is the purpose of ‘Security Code Review’?
To manually inspect source code for security flaws.
Fill in the blank: _______ refers to the process of assessing an application’s security posture on an ongoing basis.
Continuous Security Testing
What does ‘Software Composition Analysis (SCA)’ do?
It identifies whether third-party software with known vulnerabilities is used by applications.
True or False: Security testing is only relevant for web applications.
False
What are ‘False Positives’ in the context of security testing?
Instances where a vulnerability scanner incorrectly identifies a vulnerability that does not exist.
Multiple choice: Which of the following tools is commonly used for SAST?
A) Burp Suite B) SonarQube C) Wireshark
B) SonarQube
What does ‘Exploitability’ refer to in application security?
The likelihood that a vulnerability can be successfully exploited.
Fill in the blank: _______ and _______ are two industry-standard systems for classifying vulnerabilities
CWEs and OWASP-Top-10
What is the difference between ‘Black Box Testing’ and ‘White Box Testing’?
Black Box Testing does not require knowledge of the internal workings of the application, while White Box Testing does.
True or False: Application security testing is a one-time activity.
False
What is ‘Security Automation’?
The use of software tools to automate security testing processes.
BurpSuite, ZAP (Zed Attack Proxy), Tenable, and AppCheck are all types of what?
DAST (Dynamic Application Security Testing) Tools
What is the SDLC?
Software Development Lifecycle: Describes the software development process inside a business
Why are Business Logic Flaws difficult to detect through automation?
They require an understanding of how the application is intended to behave, so that ways to circumvent this can be identified
Who are CREST?
A governing body that accredits penetration testing companies, including Cytix
Who are the two market leaders in Cloud hosting?
AWS (Amazon Web Services) and Azure
The words “Agile”, “Sprint”, and “SCRUM” are used by what team inside a business?
The development team, to describe processes for fast-paced development
What is the difference between a CVE and a CWE?
A CVE is a publicly-disclosed instance of a vulnerability in a specific piece of software.
A CWE is a standardised way of classifying particular types of vulnerability.
STRIDE, DREAD, and PASTA are all methodologies for what?
Threat Modelling