Domain 6 - Security Assessment and Testing Flashcards

1
Q

Network attacks may leverage

A

client-side attacks, server-side attacks, or Web application attacks.

2
Q

A security audit

A

is a test against a published standard

3
Q

Security assessment

A

may include other distinct tests, such as penetration tests. The goal is to broadly cover many other specific tests, to ensure that all aspects of access control are considered

4
Q

Synthetic transactions

A

involve building scripts or tools that simulate activities normally performed in an application

5
Q

Unit Testing

A

tests of software components, such as functions, procedures or objects

6
Q

Installation Testing

A

Testing software as it is installed and first operated

7
Q

Integration Testing

A

Testing multiple software components as they are combined into a working system. Subsets of components may be tested together, or, in Big Bang integration testing, all integrated software components are tested at once.

8
Q

Regression Testing

A

Testing software after updates, modifications, or patches

9
Q

Acceptance Testing

A

testing to ensure the software meets the customer’s operational requirements. When this testing is done directly by the customer, it is called User Acceptance Testing.

10
Q

Combinatorial software testing

A

is a black-box testing method that seeks to identify and test all unique combinations of software inputs. An example of combinatorial software testing is pairwise testing (also called all pairs testing).

11
Q

Misuse Case Testing

A

formally models, again most likely using UML, how a security impact could be realized by an adversary abusing the application. This can be seen simply as a different type of use case, but the reason for calling out misuse case testing specifically is to highlight the general lack of consideration given to attacks against the application.

12
Q

Test or code coverage analysis

A

attempts to identify the degree to which code testing applies to the entire application. The goal is to ensure there are no significant gaps where a lack of testing could allow for bugs or security issues to be present that otherwise should have been discovered.

13
Q

Interface Testing

A

Traditional interface testing within applications is primarily concerned with appropriate functionality being exposed across all the ways users can interact with the application.

14
Q

Misuse case

A

considers whether an intentional misuse of them could result in an error that subverts the confidentiality, integrity, and availability of the data the app provides access to.

15
Q

Second-party audits

A

are typically performed by external parties, in order to give business partners the assurance that the entity being audited is living up to the terms of contractual agreements between the two with respect to due care and due diligence in the handling of the business partner’s assets.

16
Q

Third-party audits

A

are commonly performed as part of an entity’s requirements to satisfy regulatory compliance with respect to systems processing information deemed to be in the public interest.

17
Q

Tabletop exercises (TTXs)

A

The goal is to examine existing controls and response procedures against the manifestation of a likely threat, to ensure that everyone who would be involved knows their role and that the resulting outcome across multiple contingencies would be what is desired. Branches in activities are typically explored to some degree, based on cascading dependencies, as are sequels to the scenario under discussion.

18
Q

Checklist test

A

Copies of the disaster recovery or business continuity procedures are distributed to all stakeholders for review, in order to ensure that no necessary materials or steps are omitted.