Attack Surface Validation (Security Testing) Flashcards

1
Q

Security Testing goal

A

Security testing is conducted to attest to the presence and effectiveness of the security controls that are designed and implemented in the software.

2
Q

Security testing can address two of the three aspects of crime

A

It can do little about the motive of an attacker, but the opportunities and means by which an attacker can exploit the software can be determined by security testing.

3
Q

Security testing purpose

A

Security testing is testing from an attacker's perspective to validate the ability of the software to withstand attack (resiliency).

4
Q

Testing security functionality

A

Testing security functionality (authentication mechanisms, auditing capabilities, error handling, etc.) in software is meant to assure that the protection mechanisms are working properly.

5
Q

Security testing can validate controls such as

A

Fail-secure mechanisms, proper error and exception handling, etc., and that the software resumes its functional operations within the customer's maximum tolerable downtime (MTD) and recovery time objective (RTO).

6
Q

White Box Testing

A

A security testing methodology that is performed based on the knowledge of how the software is designed and implemented.

7
Q

White Box Testing can be performed

A

At any time after the code has been developed, although it is best done while conducting unit tests.

8
Q

Inputs to the white box testing method include

A

Architectural and design documents, source code, configuration information and files, use and misuse cases, test data, test environments and security specifications.

9
Q

The output of a white box test includes

A

Defects (or incidents), flaws and deviations from design specifications, change requests and recommendations to address security issues.

10
Q

Black Box Testing

A

Black box testing is behavioral analysis of the software's security and is the opposite of white box testing. It is broadly known as zero-knowledge assessment, because the tester has very limited to no knowledge of the internal workings of the software being tested.

11
Q

The software is essentially viewed as a “black box” that is tested for

A

Its resiliency by determining how it responds (outputs) to the tester’s input.

12
Q

Black box testing can be performed

A

Before deployment (pre-deployment) or periodically once it is deployed (post-deployment).

13
Q

Black box objective when performed in pre-deployment stage

A

To identify and address security vulnerabilities proactively, so that the risk of the software getting hacked is minimized.

14
Q

Black box objective when performed in post-deployment stage

A

To find vulnerabilities that exist in the deployed production (actual runtime) environment, and to attest to the presence and effectiveness of the software's security controls and protection mechanisms.

15
Q

Black box testing is performed using different tools.

A

Fuzzing; scanning; penetration testing.

16
Q

Benefit of black box testing

A

It attests to the exploitability of weaknesses in both simulated and actual production systems; there is no need for source code, and the test can be conducted both before (pre) and after (post) deployment.

17
Q

The limitation of black box testing is that

A

The exact cause of vulnerability may not be easily detectable and the test coverage itself can be limited to the scope of the assessment.

18
Q

Different criteria that can be used to determine the type of approach to take when validating software security are

A

Root Cause Identification, Extent of Code Coverage, Number of False Positives and False Negatives, Logical Flaws Detection, Deployment Issues Determination.

19
Q

Cryptographic validation testing includes the following attestation

A

Standards Conformance; Environment Validation; Data Validation; Cryptographic Implementation.

20
Q

FIPS 140-2

A

It specifies the security requirements that must be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. (It has since been superseded by FIPS 140-3, which keeps the same four-level structure.)

21
Q

Network scans are performed with the goal of

A

Mapping out the computing ecosystem. It helps determine the devices, fingerprint operating systems, identify active services (daemons), determine open/closed ports, find used protocols and interfaces, detect web server versions, etc. that make up the environment in which the software will run.

22
Q

Active OS fingerprinting

A

Active OS fingerprinting involves sending crafted, abnormal packets to the remote host and analyzing the responses from the remote host (e.g. the Nmap tool).

23
Q

Passive OS fingerprinting

A

Passive OS fingerprinting does not contact the remote host. It captures traffic originating from a host on the network and analyzes the packets (e.g. the Siphon and p0f tools).
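As an added illustration of the passive technique (example code written for this page, not part of the original flashcards and not code from p0f or Siphon): a small Python fingerprinter that reads the TTL, window size, DF bit and MSS option from a captured TCP SYN and never sends anything to the host. The sample packets are constructed inline, and the initial-TTL table is a coarse heuristic assumed for the example rather than a real signature database.

```python
import struct
from dataclasses import dataclass

# Constructed sample traffic (built by build_syn below, not captured from a real network):
# a minimal IPv4 header followed by a TCP SYN. Checksums are left at zero on purpose.


def build_syn(ttl: int, window: int, df: bool, options: bytes = b"") -> bytes:
    """Build a demonstration IPv4+TCP SYN with the given TTL, window and DF bit."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4,
                      0x02, window, 0, 0)
    return ip + tcp + options


@dataclass
class SynFingerprint:
    observed_ttl: int
    initial_ttl: int
    hops: int
    window: int
    df: bool
    mss: int
    guess: str


def _parse_mss(options: bytes) -> int:
    """Walk TCP options (kind, length, value) and return the MSS, or 0 if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP has no length byte
            i += 1
            continue
        length = options[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return 0


def fingerprint_syn(pkt: bytes) -> SynFingerprint:
    """Passive fingerprint from one captured SYN: nothing is transmitted to the host."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack("!HBB", pkt[6:10])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    off_byte, flags, window = struct.unpack("!BBH", tcp[12:16])
    if flags & 0x12 != 0x02:     # SYN set and ACK clear: the client's opening packet
        raise ValueError("not a client SYN")
    options = tcp[20:(off_byte >> 4) * 4]
    # Operating systems start the TTL at 32, 64, 128 or 255 and each router hop
    # decrements it, so round the observed value up to the nearest starting point.
    initial_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    # Coarse heuristic assumed for this example; a real tool matches full signatures.
    guess = {32: "legacy Windows 9x-era host", 64: "Linux/BSD/macOS family",
             128: "Windows family", 255: "Solaris or network appliance"}[initial_ttl]
    return SynFingerprint(ttl, initial_ttl, initial_ttl - ttl, window,
                          bool(flags_frag & 0x4000), _parse_mss(options), guess)


if __name__ == "__main__":
    for pkt in (build_syn(57, 29200, True, b"\x02\x04\x05\xb4"),
                build_syn(121, 8192, True, b"\x02\x04\x05\xb4")):
        print(fingerprint_syn(pkt))
```

The hop count (initial TTL minus observed TTL) is a by-product worth recording during scoping: it tells you how far the host sits behind the capture point.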

24
Q

Banner grabbing can be used for legitimate purposes but …

A

Banner grabbing can be used for legitimate purposes such as for inventorying the systems and services on the network, but an attacker can use banner grabbing to identify network hosts that have vulnerable services running on them.

25
Q

Scanning can be used to

A

Map the computing ecosystem, infrastructure and application interfaces; identify server versions, open ports and running services; inventory and validate asset management databases; identify patch levels; demonstrate due diligence and due care for compliance reasons.

26
Q

The three primary types of scanning include:

A

Scanning for vulnerabilities, scanning content for threats and scanning for assuring privacy.

27
Q

Vulnerability Scanning

A

When scanning is performed with the goal of detecting and identifying security flaws and weaknesses in the software and/or network.

28
Q

Software scanning - static

A

Static scanning is the scanning of the source code for vulnerabilities; it is usually performed during the code review process in the development phase.

29
Q

Software scanning - dynamic

A

The software is scanned when the software is running i.e., in an operational runtime. Dynamic scanning is performed using crawlers and spidering tools during the testing phase of the SDLC.

30
Q

Content scanning technologies

A

Analyze the content within the document (web pages, files, etc.) for malicious content that can exploit unprotected systems.

31
Q

Content scanning can analyze

A

Some content scanners are capable of even analyzing traffic transmitted over secure channels like SSL/TLS. When doing so, they function more or less like a MITM proxy: they capture the encrypted traffic, decrypt it, analyze it and re-encrypt it before retransmission.

32
Q

Privacy scanning

A

Privacy scanning is starting to become the norm instead of the exception it used to be a decade ago, due to privacy regulations that mandate the protection of private (personal) information.

33
Q

Penetration testing main objective

A

To see if the network and software assets can be compromised by exploiting the vulnerabilities that were determined by the scans.

34
Q

The rules of engagement define

A

The scope of the penetration test for the testing team, irrespective of whether it is an internal team or an external security service provider.

35
Q

NIST SP 800-115

A

Provides guidance on conducting penetration testing (NIST's Technical Guide to Information Security Testing and Assessment).

36
Q

OSSTMM

A

The Open Source Security Testing Methodology Manual (OSSTMM), covered in the secure software concepts chapter, is known for its prescriptive guidance on the activities that need to be performed before, during and after a penetration test, including the measurement of results.

37
Q

Generically the pen-testing process includes the following steps

A

(i) Reconnaissance (Enumeration and Discovery); (ii) Resiliency Attestation (Attack and Exploitation); (iii) Removal of Evidence (Cleanup activities) and Restoration; (iv) Reporting and Recommendations.

38
Q

Fuzz testing definition

A

It is a brute force type of software testing in which faults (random and pseudo-random input data) are injected into the software and its behavior observed.

39
Q

Fuzz testing can detect

A

Coding defects and security bugs that can result in buffer overflows that cause remote code execution, unhandled exceptions and hanging threads that cause DoS, state machine logic faults and buffer boundary checking defects.

40
Q

White box fuzzing and black box fuzzing objectives

A

In black box fuzzing, the software is sent fuzz data and the symptoms and behavior of the software are analyzed (there is no guarantee that all actual code paths were covered as part of this type of test). In white box fuzzing, fuzz data is sent with knowledge of the code so that coverage of the code paths can be verified.

41
Q

The main shortcoming of Generation-Based Fuzzing (Smart Fuzzing)

A

Fuzzing is based on known formats and structures and so test coverage for new or proprietary protocols is limited or non-existent.

42
Q

Mutation-Based Fuzzing (Dumb Fuzzing) concerns

A

Mutation-based fuzzing can be dangerous, leading to denial of service, destruction and complete disruption of the software's operations, so it is recommended to perform dumb fuzzing in a simulated environment as opposed to the production environment.

43
Q

Input validation can effectively reduce what types of attacks?

A

Buffer overflows, Injection flaws, scripting attacks, etc. can be effectively reduced if the software just performs validation of input before accepting it for processing.

44
Q

In a client/server environment, where is it recommended to perform the input validation tests?

A

Input validation should be tested on both the client and the server; however, if you have to choose, make sure that validation of input happens on the server side.

45
Q

When can smart fuzzing be used?

A

When the input format is known; otherwise dumb fuzzing using random and pseudo-random input values can be used to attest the effectiveness of input validation.

46
Q

In order to perform input validation tests, it is first important to determine the sources of input and the events in which the software will connect to the backend store or command environment. Describe the sources of inputs:

A

Authentication forms, search input fields, hidden fields in web pages, query strings in the URL address bar and more.

47
Q

Other tests that need to be performed to prevent injection attacks.

A

Parameterized queries that are not susceptible to injection themselves are used; dynamic query construction is disallowed; error messages and exceptions are explicitly handled; non-essential procedures and statements are removed from the database; …

48
Q

Scripting attacks are possible when user supplied input is

A

executed on the client because of lack of output sanitization.

49
Q

Tests to validate controls that mitigate scripting attacks should be performed such as:

A

Output is sanitized by escaping or encoding the input before it is sent to the client; Requests and inputs are validated using a current and contextually relevant whitelist; Scripts cannot be injected into input sources or the response; Only valid files with approved extensions are allowed to be uploaded; Secure libraries and safe browsing settings cannot be circumvented; State management items such as cookies are not accessible from client side code or script.
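The following added Python example (written for this page, not code from the original flashcards) turns four of the checks on this card into runnable tests: output encoding in two different contexts (HTML body and URL parameter), a test oracle that reports payloads whose markup survives rendering, an allowlist check for uploaded file names, and a check of the Set-Cookie attributes that keep a session cookie away from client-side script. The payloads, file names and cookie headers are constructed test inputs.

```python
import html
import re
from urllib.parse import quote

# Constructed attack strings used as test input; they are not taken from any real incident.
XSS_PAYLOADS = ["<script>alert(1)</script>", '"><img src=x onerror=alert(1)>']


def render_comment_unsafe(author: str) -> str:
    """Vulnerable: untrusted input is written into the page without encoding."""
    return f"<p>Posted by {author}</p>"


def render_comment(author: str) -> str:
    """HTML body context: encode <, >, &, and quotes before the value reaches the client."""
    return f"<p>Posted by {html.escape(author, quote=True)}</p>"


def render_next_link(next_url: str) -> str:
    """URL parameter context: the same value needs a different, context-relevant encoding."""
    return f'<a href="/home?next={quote(next_url, safe="")}">continue</a>'


def reflected_unencoded(render) -> list:
    """Test oracle: payloads whose markup comes back intact are scripting-attack findings."""
    return [p for p in XSS_PAYLOADS if p in render(p)]


ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}
SAFE_FILENAME = re.compile(r"[a-z0-9_-]{1,64}\.([a-z0-9]{1,5})")


def upload_allowed(filename: str) -> bool:
    """Allowlist, not denylist: the whole name must match and the extension must be approved,
    so 'shell.php', 'a.php.png' and path-traversal names are all rejected."""
    match = SAFE_FILENAME.fullmatch(filename.lower())
    return bool(match) and match.group(1) in ALLOWED_EXTENSIONS


def cookie_findings(set_cookie: str) -> list:
    """Check a Set-Cookie header for the attributes that keep a session cookie from script and plaintext."""
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie.split(";")[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable through document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP")
    if "samesite" not in attrs:
        findings.append("missing SameSite: sent on cross-site requests")
    return findings


if __name__ == "__main__":
    print(reflected_unencoded(render_comment_unsafe), reflected_unencoded(render_comment))
    print(upload_allowed("report.pdf"), upload_allowed("shell.php"), upload_allowed("a.php.png"))
    print(cookie_findings("session=abc; Path=/"))
```

Note that "sanitized" on the card means encoded for the context the value lands in: the HTML-body encoding in render_comment would be the wrong tool inside a URL, a script block or a CSS value, which is why the test exercises more than one renderer.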

50
Q

To address testing for Non-repudiation Controls

A

Test cases should validate that audit trails can accurately determine the actor and their actions. It must also ensure that misuse cases generate auditable trails appropriately as well.

51
Q

NIST Special Publication 800-92

A

Guidance on the protection of audit trails and the management of security logs (NIST's Guide to Computer Security Log Management).

52
Q

Network spoofing attacks include

A

Address Resolution Protocol (ARP) poisoning, IP address spoofing and Media Access Control (MAC) address spoofing.

53
Q

Testing the spoofability of the user and/or certificate along with verifying the presence of transport layer security can attest

A

secure communication and protection against Man-in-the-middle (MITM) attacks.

54
Q

Testing for Spoofing Controls should cover

A

User and certificate spoofing tests along with phishing tests and verification of code that allows impersonation of other identities; Cookie expiration testing along with verifying that authentication cookies are encrypted.

55
Q

Software security failure testing includes the verification of the following security principles

A

Fail Secure (Fail safe); Error and Exception Handling; Testing for Buffer Overflow Controls.

56
Q

Fail Secure (Fail safe) Tests should verify

A

Authentication processes; the proper functioning of account lockout mechanisms; and that access is denied by default.

57
Q

Errors and Exception handling tests include

A

testing the messaging and encapsulation of error details.

58
Q

Error and Exception Handling should verify

A

What happens when the software fails: error messages must be checked to make sure that they do not reveal any details that are not necessary; exceptions are handled and the details are encapsulated using user-defined messages, with redirects performed where appropriate; and the reference identifier that maps to the actual error or exception is protected.

59
Q

White box testing for overflow defense includes verifying

A

That input is sanitized and its size validated; bounds checking of memory allocation is performed; data type conversions are performed explicitly; banned and unsafe APIs are not used; and code is compiled with compiler switches that protect the stack and/or randomize the address space layout.
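The last item on this card can be verified from the built artifact rather than from the build script. The following added Python example (written for this page, not code from the original flashcards or from any checksec tool) reads the ELF64 header and program headers of a binary to report whether it is position independent (needed for ASLR), has a non-executable stack, has RELRO, and references the stack-protector failure handler. The sample image is constructed inline with just enough header structure to exercise the checks; the canary test is a string-search heuristic, and the flag names in the report are the gcc/ld options that enable each protection.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header describing the stack's permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3


def elf_hardening(data: bytes) -> dict:
    """Report build-time protections from the headers of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    stack_flags, relro = None, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,                  # position independent: the image can be randomized
        # No PT_GNU_STACK at all means an executable stack on most loaders, so treat it as absent.
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        "relro": relro,
        "canary": b"__stack_chk_fail" in data,   # heuristic: the stack-protector handler is referenced
    }


FLAGS = {"pie": "-fPIE -pie", "nx": "-Wl,-z,noexecstack",
         "relro": "-Wl,-z,relro", "canary": "-fstack-protector-strong"}


def missing_protections(data: bytes) -> dict:
    """White box finding: each absent protection paired with the option that enables it."""
    return {k: FLAGS[k] for k, present in elf_hardening(data).items() if not present}


def make_elf(pie: bool, nx: bool, relro: bool, canary: bool) -> bytes:
    """Constructed ELF64 image with only the header structure the checks read; it is not loadable."""
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7)] + ([(PT_GNU_RELRO, 0x4)] if relro else [])
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1,
                                 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + body + (b"\x00__stack_chk_fail\x00" if canary else b"\x00")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_elf(True, True, True, True)
    print(elf_hardening(data), missing_protections(data))
```

Run it with a path argument to inspect a real build output; a statically linked or stripped binary can make the canary heuristic unreliable, so treat that field as a prompt to confirm against the build flags rather than as proof.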

60
Q

Testing for elevated privileges or privilege escalation purpose

A

To verify that the user or process cannot get access to more resources or functionality than they are allowed to.

61
Q

Insecure direct object reference design flaws and coding bugs in complete mediation can lead to privilege escalation, so the following must be checked

A

Parameter manipulation checks need to be conducted to verify that privileges cannot be escalated; in web applications both POST (form) and GET (query string) parameters need to be checked.

62
Q

Tests to assure anti-reversing should cover

A

Testing to validate the presence of obfuscated code is important; binary analysis testing can be used to check whether symbolic (class names, class member names, names of instantiated global objects, etc.) and textual information that would be useful to a reverse engineer has been removed from the program executable; white box testing can be used to verify the presence of code that detects debuggers and prevents debugging by terminating the executing program flow.