Chapter 5 - Secure Software Testing

Question 1

List software security testing standards.

Answer 1

ISO 9126
Open Source Security Testing Methodology Manual (OSSTMM)
System Security Engineering Capability Maturity Model (SSE-CMM)

Question 2

What are the different kinds of reliability testing?

Answer 2

Unit
Integration
Logic
Regression

Question 3

What are the different kinds of recoverabiity testing?

Answer 3

• Performance (Load, Stress)

* Scalability

Question 4

What are the different types of resiliency testing, and what’s another name for it?

Answer 4

• White box
• Black box

Also called security

Question 5

What other kinds of software QA testing are there besides reliability, recoverability, and resiliency?

Answer 5

• Environment
• Privacy
• User acceptance

Question 6

What is reliability teting?

Answer 6

Functional testing. Does the software function as it is supposed to according to the requirements of the business owner.

Question 7

Who conducts unit testing?

Answer 7

Typically developers.

Question 8

What does unit testing do?

Answer 8

Tests each part in isolation for build and compilation errors as well as functioal logic.

Question 9

What are drivers and stubs in the software testing context?

Answer 9

Drivers are testing code that simulates a function’s caller.

Stubs are testing code simulates a called unit.

Both can be used to mock objects to remove testing dependencies.

Question 10

What are the benefits of unit testing?

Answer 10

• Validate functional logic.
• Find out inefficiencies, complexities, and vulnerabilities in code, as the code is tested after being isolated into units, as opposed to being integrated and tested as a whole.
• Automate testing processes by integrating easily with automated build scripts and tools
• Extend test coverage.
• Enable collective code ownership in agile development.

Question 11

What is integration testing?

Answer 11

Aggregating multiple units of code together for testing.

Question 12

What is logic testing?

Answer 12

Testing that validates the accuracy of the software processing logic.

Question 13

When is logic testing most important?

Answer 13

When software has high cyclomatic complexity.

Question 14

What kind of testing tests predicates, and what are they?

Answer 14

Logic testing.

A predicate is something that is affirmed or denied of the subject in a proposition in logic.

Question 15

What is regression testing? What is it’s other name?

Answer 15

Regression testing is testing that is performed to ensure that changes to software don’t reintroduce old defects.

Verification testing.

Question 16

What is the recommended method to perform regression testing?

Answer 16

Create a library of tests that includes a predefined set of tests to be conducted before the release of any new version.

These should always test boundary conditions and timing.

Question 17

Who usually performs regression testing?

Answer 17

QA teams.

Question 18

What is recoverability testing?

Answer 18

Performance or scalability testing to ensure that software will be available when required.

Question 19

What is the difference between load and stress testing?

Answer 19

Load testing determines software’s maximum capacity. Stress testing exceeds it, in part to determine if the software recovers gracefully.

Question 20

What is fuzzing?

Answer 20

A kind of software testing where random or pseudorandom input is injected and the behavior of the software under test observed.

Question 21

What does fuzzing test?

Answer 21

The effectiveness of input validation.

Question 22

What is synthesized fuzzing data?

Answer 22

Data that is generated from scratch without being based on previous input.

Question 23

What is mutated fuzzing data?

Answer 23

Data created from valid data, but corrupted so it’s not what the application expects.

Question 24

What is the difference between dumb and smart fuzzing?

Answer 24

Dumb fuzzing uses truly random data wihtout any consideration for data structure. Smart fuzzing uses data structure (encoding, checksums, etc).

Question 25

What is the difference between dumb and smart fuzzing?

Answer 25

Dumb fuzzing uses truly random data wihtout any consideration for data structure. Smart fuzzing uses data structure (encoding, checksums, etc).

Question 26

What is the differnece between static and dynamic software scanning?

Answer 26

Static scanning scans the source code for vulnerabilities. Dynamic scanning scans the software at runtime.

Question 27

What kinds of scans does PCI-DSS require?

Answer 27

Network, host, and applications in the card holder data environment.

Question 28

What is scaning used for?

Answer 28

Map the computing ecosystems, infrastructural, and application interfaces.

Identify server versions, open ports, and running services.

Inventory and validate asset management databases.

Identify patch levels.

Prove due diligence due care for compliance reasons.