Domain 6 Flash Cards

Question 1

Attack surface

Answer 1

Different security testing methods find different vulnerability types.

Question 2

Artifact

Answer 2

piece of evidence such as text, or a reference to a resource which is submitted in response to a question

Question 3

Assessment

Answer 3

testing or evaluation of controls to understand which are implemented correctly, operating as intended and producing the desired outcome in meeting the security or privacy requirements of a system or org

Question 4

Audit

Answer 4

process of reviewing a system for compliance against a standard or baseline (e.g. audit of security controls, baselines, financial records) can be formal and independent, or informal/internal

Question 5

Black box testing

Answer 5

Testing where no internal details of the system implementation are used.

Question 6

Condition coverage

Answer 6

This criteria requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from branch coverage only when multiple conditions must be evaluated to reach a decision.

Question 7

Covert security testing

Answer 7

Performed to simulate the threats that are associated with external adversaries. While the security staff has no knowledge of the covert test, the organization management is fully aware and consents to the test

Question 8

Chaos Engineering

Answer 8

discipline of experiments on a software system in production to build confidence in the system’s capabilities to withstand turbulent/unexpected conditions

Question 9

Code testing suite

Answer 9

usually used to validate function, statement, branch and condition coverage

Question 10

Compliance Calendar

Answer 10

tracks an org’s audits, assessments, required filings, due dates and related

Question 11

Compliance Tests

Answer 11

an evaluation that determines if an org’s controls are being applied according to management policies and procedures

Question 12

Data flow coverage

Answer 12

This criteria requires sufficient test cases for each feasible data flow to be executed at least once.

Question 13

Decision (Branch) coverage

Answer 13

Considered to be a minimum level of coverage for most software products, but decision coverage alone is insufficient for high-integrity applications.

Question 14

Dynamic testing

Answer 14

When the system under test is executed and its behavior is observed.

Question 15

Ethical Penetration Testing/Penetration Testing

Answer 15

security testing and assessment where testers actively attempt to circumvent/defaut a system’s security features; typically constrained by contracts to stay within specified Rules of Engagement (RoE)

Question 16

Examination

Answer 16

process of reviewing/inspecting/observing/studying/analyzing specs/mechanisms/activities to understand, clarify, or obtain evidence

Question 17

Findings

Answer 17

results created by the application of an assessment procedure

Question 18

Functional order of controls

Answer 18

deter, deny, detect, delay, deterimine, and decide

Question 19

IAM system

Answer 19

identity and access management system combines lifecycle management and monitoring tools to ensure that identity and authorization are properly handled throughout an org

Question 20

ITSM

Answer 20

IT Service Management tools include change management and associated approval tracking

Question 21

Judgement Sampling

Answer 21

AKA purposive or authoritative sampling, a non-probability sampling technique where members are chosen only on the basis of the researcher’s knowledge and judgement

Question 22

Loop coverage

Answer 22

This criteria requires sufficient test cases for all program loops to be executed for zero, one, two, and many iterations covering initialization, typical running, and termination (boundary) conditions.

Question 23

Misuse case

Answer 23

A Use Case from the point of view of an Actor hostile to the system under design. Attempting to lead to integrity failures, malfunctions, or other security or safety compromises

Question 24

Multi condition coverage

Answer 24

This criteria requires sufficient test cases to exercise all possible combinations of conditions in a program decision.

Question 25

Mutation testing

Answer 25

mutation testing modifies a program in small ways and then tests that mutant to determine if it behaves as it should or if it fails; technique is used to design and test software through mutation

Question 26

Negative testing

Answer 26

Ensures the application can gracefully handle invalid input or unexpected user behavior.

Question 27

Overt security testing

Answer 27

Overt testing can be used with both internal and external testing. When used from an internal perspective, the bad actor simulated is an employee of the organization.

Question 28

Path coverage

Answer 28

This criteria requires sufficient test cases for each feasible path, basis path, etc., from start to exit of a defined program segment, to be executed at least once.

Question 29

Positive testing

Answer 29

Determines that your application works as expected.

Question 30

Plan of Action and Milestones (POA&M)

Answer 30

a document identifying tasks to be accomplished, including details, resources, milestones, and completion target dates

Question 31

Real user monitoring (RUM)

Answer 31

An approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application. Passive monitoring technique that records user interation with an app or system to ensure performance and proper app behavior; often used as a predeploymment process using the actual user interface

Question 32

RoE Rules of Engagement

Answer 32

set of rules/constraints/boundaries that establish limits of participant activity; in ethical pen testing, an RoE defines the scope of testing, and to establish liability limits for both testers and the sponsoring org or system owners

Question 33

Statement coverage

Answer 33

This criterion requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product’s behavior.

Question 34

Static source code analysis
(SAST)

Answer 34

Analysis of the application source code for finding vulnerabilities without executing the application.

Question 35

Synthetic performance
monitoring

Answer 35

Involves having external agents run scripted transactions against a web application.

Question 36

SCF Script Check Engine

Answer 36

is designed to make scripts interoperable with security policy definitions

Question 37

Statistical Sampling

Answer 37

process of selecting subsets of examples from a population with the objective of estimating properties of the total population

Question 38

Substantive Test

Answer 38

testing technique used by an auditor to obtain the audit evidence in order to support the auditor’s opinion

Question 39

Threat modeling

Answer 39

A process by which developers can understand security threats to a system, determine risks from those threats, and establish appropriate mitigations. Threat modeling
Change management
Configuration management

Question 40

Testing

Answer 40

process of exercising one or more assessment objects (activities or mechanisms) under specified conditions to compare actual to expected behavior

Question 41

Trust Services Criteria (TSC)

Answer 41

used by an auditor when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availabiliity, or processing integrity of information and systems or the confidentiality or privacy of the info processed by the entity