Chapter 5 - Secure Software Testing Flashcards

1
Q

List software security testing standards.

A

ISO/IEC 9126 (software product quality)
Open Source Security Testing Methodology Manual (OSSTMM)
System Security Engineering Capability Maturity Model (SSE-CMM)

2
Q

What are the different kinds of reliability testing?

A

Unit
Integration
Logic
Regression

3
Q

What are the different kinds of recoverability testing?

A
  • Performance (Load, Stress)
  • Scalability

4
Q

What are the different types of resiliency testing, and what’s another name for it?

A
  • White box
  • Black box

Also called security testing.

5
Q

What other kinds of software QA testing are there besides reliability, recoverability, and resiliency?

A
  • Environment
  • Privacy
  • User acceptance

6
Q

What is reliability testing?

A

Functional testing: does the software function as it is supposed to, according to the business owner's requirements?

7
Q

Who conducts unit testing?

A

Typically developers.

8
Q

What does unit testing do?

A

Tests each part in isolation for build and compilation errors as well as functional logic.

9
Q

What are drivers and stubs in the software testing context?

A

Drivers are testing code that simulates a function’s caller.

Stubs are testing code that simulates a called unit.

Both can be used to mock objects to remove testing dependencies.
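The following Python is an added example, not code from the flashcards: a signature-checking unit whose key-store dependency is replaced by a stub, exercised by a driver that plays the caller. The key material, key id and request body are constructed for the demo.

```python
"""Driver and stub around a unit under test (added example)."""
import hashlib
import hmac


class SignatureVerifier:
    """Unit under test: checks an HMAC-SHA256 request signature using a key
    looked up in a key store (the dependency, i.e. the 'called unit')."""

    def __init__(self, key_store):
        self.key_store = key_store

    def verify(self, key_id: str, body: bytes, signature_hex: str) -> bool:
        key = self.key_store.get_key(key_id)
        if key is None:
            return False
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        # constant-time comparison so the check itself is not a timing oracle
        return hmac.compare_digest(expected, signature_hex)


class StubKeyStore:
    """Stub: stands in for the real key store (e.g. a network service or HSM)
    so the verifier can be tested without that dependency. It records the
    calls it receives so the driver can assert on them."""

    def __init__(self, keys):
        self.keys = keys
        self.calls = []

    def get_key(self, key_id):
        self.calls.append(key_id)
        return self.keys.get(key_id)


def run_driver() -> dict:
    """Driver: test code that plays the caller. It wires the stub in,
    exercises the unit with good and bad inputs and collects the outcomes."""
    key = b"constructed-test-key"            # constructed test material, not a real key
    store = StubKeyStore({"k1": key})
    verifier = SignatureVerifier(store)
    body = b'{"amount": 10}'
    good_sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {
        "valid": verifier.verify("k1", body, good_sig),
        "tampered_body": verifier.verify("k1", b'{"amount": 1000}', good_sig),
        "wrong_length_sig": verifier.verify("k1", body, good_sig[:-2]),
        "unknown_key": verifier.verify("k9", body, good_sig),
        "stub_calls": list(store.calls),
    }


if __name__ == "__main__":
    for name, outcome in run_driver().items():
        print(f"{name}: {outcome}")
```

The stub removes the external dependency; the driver supplies the inputs a real caller would and checks both the return values and what the unit asked the stub for, which is where a mock-style assertion ("was the right key id requested?") comes in.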

10
Q

What are the benefits of unit testing?

A
  • Validate functional logic.
  • Find inefficiencies, complexities, and vulnerabilities in code, because each unit is tested in isolation rather than only as part of the integrated whole.
  • Automate testing processes by integrating easily with automated build scripts and tools
  • Extend test coverage.
  • Enable collective code ownership in agile development.

11
Q

What is integration testing?

A

Aggregating multiple units of code together for testing.

12
Q

What is logic testing?

A

Testing that validates the accuracy of the software processing logic.

13
Q

When is logic testing most important?

A

When software has high cyclomatic complexity.

14
Q

What kind of testing tests predicates, and what are they?

A

Logic testing.

A predicate is something that is affirmed or denied of the subject in a proposition in logic; in code, a condition that evaluates to true or false (the test of an if or while statement, or an operand of and/or).
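Cards 12 to 14 tie logic testing to predicates and cyclomatic complexity. The Python below is an added example, not part of the flashcards: it computes McCabe cyclomatic complexity for each function in a source file by counting decision points in the AST (each if/while/conditional expression, loop and except handler adds one, each extra and/or operand adds one; the rule is the usual simplification and ignores comprehension filters and match statements) and lists the predicates a logic test must drive both ways. The access-control routine it scans is constructed for the demo.

```python
"""Cyclomatic complexity and predicate listing from the AST (added example)."""
import ast
import textwrap

# Constructed sample: an access-control routine with several predicates,
# plus a trivial function for contrast.
SAMPLE_SOURCE = textwrap.dedent("""
    def can_access(user, resource, now):
        if user is None or user.disabled:
            return False
        if resource.owner == user.id:
            return True
        for grant in resource.grants:
            if grant.user_id == user.id and grant.expires > now:
                return True
        return user.is_admin and not resource.restricted

    def always_allowed(user):
        return True
""")


class _ComplexityVisitor(ast.NodeVisitor):
    """Counts decision points inside one function body and records predicates."""

    def __init__(self):
        self.decisions = 0
        self.predicates = []

    def _branch(self, node):
        self.decisions += 1                       # true/false outcome of the test
        self.predicates.append(ast.unparse(node.test))
        self.generic_visit(node)

    visit_If = visit_While = visit_IfExp = _branch

    def visit_For(self, node):
        self.decisions += 1                       # loop body entered or skipped
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        self.decisions += 1                       # each handler is another path
        self.generic_visit(node)

    def visit_BoolOp(self, node):
        # every additional and/or operand is a short-circuit decision
        self.decisions += len(node.values) - 1
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        pass                                      # nested functions are measured separately


def cyclomatic_complexity(source: str) -> dict:
    """Return {function_name: (complexity, [predicate source text])} for each
    top-level function. Complexity = decision points + 1, which is also the
    minimum number of independent paths a basis-path test set must cover."""
    results = {}
    for node in ast.parse(source).body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            visitor = _ComplexityVisitor()
            for stmt in node.body:
                visitor.visit(stmt)
            results[node.name] = (visitor.decisions + 1, visitor.predicates)
    return results


if __name__ == "__main__":
    for name, (score, predicates) in cyclomatic_complexity(SAMPLE_SOURCE).items():
        print(f"{name}: complexity {score}")
        for p in predicates:
            print(f"    predicate: {p}")
```

A complexity of 8 for can_access means at least eight linearly independent paths, so a logic test suite that only checks "owner can read, stranger cannot" leaves most of the authorization predicates untested; the predicate list is the checklist of conditions to drive to both true and false.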

15
Q

What is regression testing? What is its other name?

A

Regression testing is testing performed after a change to ensure that the software has not regressed: that the change has not broken previously working functionality or reintroduced previously fixed defects.

Also called verification testing.

16
Q

What is the recommended method to perform regression testing?

A

Create a library of tests that includes a predefined set of tests to be conducted before the release of any new version.

These should always test boundary conditions and timing.

17
Q

Who usually performs regression testing?

A

QA teams.

18
Q

What is recoverability testing?

A

Performance or scalability testing to ensure that software will be available when required.

19
Q

What is the difference between load and stress testing?

A

Load testing exercises the software at expected and peak load to determine its maximum capacity. Stress testing deliberately exceeds that capacity, in part to determine whether the software fails safely and recovers gracefully.

20
Q

What is fuzzing?

A

A kind of software testing in which random, pseudorandom or malformed input is injected into the software under test and its behaviour (crashes, hangs, error handling) is observed.

21
Q

What does fuzzing test?

A

The effectiveness of input validation and error handling: does the software reject or safely handle unexpected input rather than crash, hang or misbehave?

22
Q

What is synthesized fuzzing data?

A

Data that is generated from scratch without being based on previous input.

23
Q

What is mutated fuzzing data?

A

Data created from valid data, but corrupted so it’s not what the application expects.

24
Q

What is the difference between dumb and smart fuzzing?

A

Dumb fuzzing uses truly random data without any consideration for data structure. Smart fuzzing uses knowledge of the data structure (encoding, checksums, length fields, etc.) so that the generated input gets past framing checks and reaches deeper processing logic.
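Cards 20 to 24 describe the fuzzing categories in the abstract. The Python below is an added example, not part of the flashcards: it fuzzes a small record format invented for the demo (magic, type byte, big-endian length, payload, XOR checksum) with synthesized dumb input, dumb mutation of a valid record, and smart mutation that fixes up length and checksum. The parser and its planted defect (an unchecked table index behind the checksum) are constructed, not taken from any real product.

```python
"""Synthesized vs mutated, dumb vs smart fuzzing of a constructed parser (added example)."""
import random
import struct

MAGIC = b"RC"
LEVELS = ["low", "medium", "high"]


def build_record(rtype: int, payload: bytes) -> bytes:
    """Encode MAGIC | type(1) | len(2, big-endian) | payload | xor-checksum(1)."""
    checksum = 0
    for b in payload:
        checksum ^= b
    return MAGIC + bytes([rtype]) + struct.pack(">H", len(payload)) + payload + bytes([checksum])


def parse_record(data: bytes) -> dict:
    """Constructed fuzz target. ValueError means the input was rejected cleanly;
    any other exception is a finding."""
    if len(data) < 6 or data[:2] != MAGIC:
        raise ValueError("bad magic")
    rtype = data[2]
    length = struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + length]
    if len(payload) != length or len(data) != 6 + length:
        raise ValueError("bad length")
    checksum = 0
    for b in payload:
        checksum ^= b
    if checksum != data[-1]:
        raise ValueError("bad checksum")
    if rtype == 1:
        return {"type": "text", "value": payload.decode("ascii", "replace")}
    if rtype == 2:
        # Planted defect for the demo: no check that the payload is non-empty and
        # no bounds check on the index. Only reachable with a correct checksum.
        return {"type": "level", "value": LEVELS[payload[0]]}
    raise ValueError("unknown type")


SEED_RECORD = build_record(2, b"\x01")   # constructed valid input: level "medium"


def synthesized_dumb(rng):
    """Synthesized + dumb: random bytes with no knowledge of the format."""
    return bytes(rng.randrange(256) for _ in range(rng.randrange(0, 17)))


def mutated_dumb(rng, seed=SEED_RECORD):
    """Mutated + dumb: corrupt one byte of a valid record, ignoring structure."""
    data = bytearray(seed)
    i = rng.randrange(len(data))
    data[i] ^= rng.randrange(1, 256)      # guaranteed to change the byte
    return bytes(data)


def mutated_smart(rng, seed=SEED_RECORD):
    """Mutated + smart: replace the payload, then recompute length and checksum so
    the record passes framing checks and exercises the type-specific logic."""
    payload = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 4)))
    return build_record(seed[2], payload)


def fuzz(generator, iterations=300, seed=1234) -> dict:
    """Run one strategy and classify outcomes; seeded so runs are reproducible."""
    rng = random.Random(seed)
    stats = {"accepted": 0, "rejected": 0, "crashes": 0, "crash_inputs": []}
    for _ in range(iterations):
        data = generator(rng)
        try:
            parse_record(data)
            stats["accepted"] += 1
        except ValueError:
            stats["rejected"] += 1            # input validation did its job
        except Exception:                     # unexpected failure: a bug to triage
            stats["crashes"] += 1
            if len(stats["crash_inputs"]) < 3:
                stats["crash_inputs"].append(data.hex())
    return stats


def compare_strategies() -> dict:
    return {
        "synthesized_dumb": fuzz(synthesized_dumb),
        "mutated_dumb": fuzz(mutated_dumb),
        "mutated_smart": fuzz(mutated_smart),
    }


if __name__ == "__main__":
    for name, s in compare_strategies().items():
        print(f"{name:17} accepted={s['accepted']:4} rejected={s['rejected']:4} crashes={s['crashes']:4}")
```

Random bytes almost never start with the magic, and a single-byte corruption of a valid record is always caught by the magic, length or checksum check, so both dumb strategies only ever measure the framing validation. The smart mutator recomputes the checksum and therefore reaches the type handler, where the unchecked index fails on its first out-of-range payload.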

26
Q

What is the difference between static and dynamic software scanning?

A

Static scanning analyzes the source code (or binaries) for vulnerabilities without executing the software. Dynamic scanning tests the software while it is running.
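The Python below is an added example, not part of the flashcards, showing both sides of that distinction on the same constructed sample: one query built by string concatenation and one parameterized. The static scan walks the AST looking for execute() calls whose SQL text is assembled at runtime; the dynamic scan runs the functions against an in-memory SQLite database with a benign value and an injection probe and compares the behaviour, reading no source at all. The sample application code and probe string are constructed for the demo.

```python
"""Static scan (AST) versus dynamic scan (running probe) of the same sample (added example)."""
import ast
import sqlite3

# Constructed sample application code: one unsafe query and one parameterized query.
SAMPLE_SOURCE = '''
def find_user_unsafe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id, username FROM users WHERE username = '" + username + "'")
    return cur.fetchall()

def find_user_safe(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id, username FROM users WHERE username = ?", (username,))
    return cur.fetchall()
'''


def static_scan(source: str) -> list:
    """Static scan: flag .execute()/.executemany() calls whose SQL text is built at
    runtime (concatenation, f-string or .format) instead of a constant with bound
    parameters. Nothing is executed; only the source text is inspected."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in ("execute", "executemany") and node.args):
                continue
            sql = node.args[0]
            built_at_runtime = isinstance(sql, (ast.BinOp, ast.JoinedStr)) or (
                isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
                and sql.func.attr == "format")
            if built_at_runtime:
                findings.append({"function": func.name, "line": node.lineno,
                                 "reason": "SQL text built at runtime: " + ast.unparse(sql)})
    return findings


def _load_sample() -> dict:
    # Compile the constructed sample so the same text that was scanned statically can be run.
    namespace = {}
    exec(compile(SAMPLE_SOURCE, "<sample>", "exec"), namespace)
    return namespace


def _fixture_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",), ("carol",)])
    return conn


def dynamic_scan() -> dict:
    """Dynamic scan: call each function with a benign value, then with a boolean
    injection probe, and flag it if the probe returns more rows than the baseline."""
    ns = _load_sample()
    probe = "nobody' OR '1'='1"       # constructed probe string
    results = {}
    for name in ("find_user_unsafe", "find_user_safe"):
        conn = _fixture_db()
        baseline = ns[name](conn, "alice")
        try:
            probed = ns[name](conn, probe)
            results[name] = {"baseline_rows": len(baseline), "probe_rows": len(probed),
                             "injectable": len(probed) > len(baseline)}
        except sqlite3.Error as exc:          # a hard error is also worth reporting
            results[name] = {"error": str(exc), "injectable": None}
    return results


if __name__ == "__main__":
    for f in static_scan(SAMPLE_SOURCE):
        print(f"static:  {f['function']} line {f['line']}: {f['reason']}")
    for name, r in dynamic_scan().items():
        print(f"dynamic: {name}: {r}")
```

The static scan finds the pattern even if the code path is never exercised, but it only knows about patterns it was written to recognize; the dynamic scan needs no source and judges actual behaviour, but only for the inputs it happens to send and the code paths it can reach from outside.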

27
Q

What kinds of scans does PCI DSS require?

A

Vulnerability scans of the network, hosts, and applications in the cardholder data environment.

28
Q

What is scanning used for?

A

Map the computing ecosystem: infrastructure and application interfaces.

Identify server versions, open ports, and running services.

Inventory and validate asset management databases.

Identify patch levels.

Demonstrate due diligence and due care for compliance purposes.