Domain 6 - Security Assessment and Testing Flashcards
Network attacks may leverage
client-side attacks, server-side attacks, or Web application attacks.
A security audit
is a test against a published standard
security assessment
is a holistic evaluation that may include distinct tests, such as vulnerability scans and penetration tests. The goal is to cover many specific tests broadly, so that all aspects of access control are considered.
Synthetic transactions
involve building scripts or tools that simulate activities normally performed in an application, so that its availability, correctness, and performance can be checked from the user's perspective without waiting for real users.
Unit Testing
tests of software components, such as functions, procedures or objects
Installation Testing
Testing software as it is installed and first operated
Integration Testing
Testing multiple software components as they are combined into a working system. Subsets of components may be combined and tested incrementally, or all integrated components may be tested at once (Big Bang integration testing).
Regression Testing
Testing software after updates, modifications, or patches, to verify that functionality which worked before the change still works and that old bugs have not returned.
Acceptance Testing
testing to ensure the software meets the customer’s operational requirements. When this testing is done directly by the customer, it is called User Acceptance Testing.
Combinatorial software testing
is a black-box testing method that seeks to identify and test all unique combinations of software inputs. An example of combinatorial software testing is pairwise testing (also called all pairs testing).
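The flashcard names pairwise testing but does not show how a pairwise suite is built. The following is an added example, not part of the flashcards: a greedy all-pairs generator (the same strategy for any parameter dictionary, not just the one shown) together with a checker that proves every value pair is covered. The login-flow parameters are constructed for illustration.

```python
from itertools import combinations

# Constructed example input (not from the flashcards): parameters of a
# hypothetical login flow whose exhaustive product is 3 * 3 * 3 * 2 = 54 cases.
LOGIN_PARAMS = {
    "browser": ["chrome", "firefox", "safari"],
    "os": ["windows", "linux", "macos"],
    "auth": ["password", "mfa", "sso"],
    "tls": ["1.2", "1.3"],
}


def _pair(names, p, vp, q, vq):
    """Canonical (param, value, param, value) tuple, ordered by parameter position."""
    if names.index(p) < names.index(q):
        return (p, vp, q, vq)
    return (q, vq, p, vp)


def all_pairs(params):
    """Every value pair across every two distinct parameters: the pairwise target set."""
    names = list(params)
    return {
        (p, vp, q, vq)
        for p, q in combinations(names, 2)
        for vp in params[p]
        for vq in params[q]
    }


def pairs_covered_by(test, names):
    """Pairs exercised by one complete test case (a dict of param -> value)."""
    return {(p, test[p], q, test[q]) for p, q in combinations(names, 2)}


def pairwise_tests(params):
    """Greedy all-pairs generator.

    Each new test is seeded with a still-uncovered pair; every remaining
    parameter then takes the value that covers the most uncovered pairs
    with the values already chosen. Ties go to the earliest listed value,
    so the output is deterministic.
    """
    names = list(params)
    uncovered = all_pairs(params)
    tests = []
    while uncovered:
        p, vp, q, vq = min(
            uncovered,
            key=lambda t: (names.index(t[0]), str(t[1]), names.index(t[2]), str(t[3])),
        )
        test = {p: vp, q: vq}
        for name in names:
            if name in test:
                continue
            test[name] = max(
                params[name],
                key=lambda v: sum(
                    _pair(names, m, vm, name, v) in uncovered for m, vm in test.items()
                ),
            )
        tests.append({n: test[n] for n in names})  # fixed key order for readability
        uncovered -= pairs_covered_by(test, names)  # every loop covers the seed pair
    return tests


def covers_all_pairs(tests, params):
    """True when the suite exercises every value pair of every parameter pair."""
    names = list(params)
    covered = set().union(*(pairs_covered_by(t, names) for t in tests))
    return covered >= all_pairs(params)


if __name__ == "__main__":
    suite = pairwise_tests(LOGIN_PARAMS)
    print(f"{len(suite)} pairwise tests cover all {len(all_pairs(LOGIN_PARAMS))} pairs "
          f"(exhaustive testing would need 54 cases)")
    for case in suite:
        print(case)
```

The greedy construction is not guaranteed to be minimal, but for this input it needs ten cases against an exhaustive fifty-four, and covers_all_pairs confirms nothing was dropped. That check is the part to keep when adapting the idea: a pairwise suite is only a valid stand-in for exhaustive input testing if every pair really is covered.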
Misuse Case Testing
formally models, most likely using UML, how an adversary could abuse the application to realize a security impact. This can be seen simply as a different type of use case, but misuse case testing is called out specifically because attacks against the application are so often left out of ordinary use case analysis.
Test or code coverage analysis
attempts to identify the degree to which code testing applies to the entire application. The goal is to ensure there are no significant gaps where a lack of testing could allow for bugs or security issues to be present that otherwise should have been discovered.
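The flashcard describes coverage analysis in the abstract. As an added example (not part of the flashcards or any coverage tool's own code), here is a minimal line-coverage tracer built on Python's sys.settrace: it records which statements of one function a test suite actually executes and reports the ones it never reaches. The classify_access function and its three tests are constructed for illustration; the suite deliberately leaves one branch untested, which is exactly the kind of gap the flashcard warns about.

```python
import dis
import inspect
import sys


def executable_lines(func):
    """Line numbers in func that carry bytecode, i.e. statements a test could reach.

    The def line itself is excluded: it only carries function setup.
    """
    lines = {ln for _, ln in dis.findlinestarts(func.__code__) if ln is not None}
    lines.discard(func.__code__.co_firstlineno)
    return lines


def lines_hit(func, tests):
    """Run each test callable while tracing only frames of func; return executed lines."""
    hit = set()
    target = func.__code__

    def local_tracer(frame, event, arg):
        if event == "line":
            hit.add(frame.f_lineno)
        return local_tracer

    def global_tracer(frame, event, arg):
        # Install the line tracer only for frames executing the function under test.
        return local_tracer if frame.f_code is target else None

    sys.settrace(global_tracer)
    try:
        for test in tests:
            test()
    finally:
        sys.settrace(None)
    return hit


def coverage_report(func, tests):
    """Statement coverage of func under tests, with the source of every unreached line."""
    executable = executable_lines(func)
    hit = lines_hit(func, tests) & executable
    missing = sorted(executable - hit)
    try:
        src, start = inspect.getsourcelines(func)
        missing_source = [src[ln - start].strip() for ln in missing]
    except OSError:  # no source available, e.g. an interactive session
        missing_source = [f"line {ln}" for ln in missing]
    return {
        "executable": len(executable),
        "hit": len(hit),
        "ratio": len(hit) / len(executable) if executable else 1.0,
        "missing_lines": missing,
        "missing_source": missing_source,
    }


# Constructed function under test: a hypothetical authorization decision.
def classify_access(role, resource_owner, user):
    if role == "admin":
        return "allow"
    if user == resource_owner:
        return "allow"
    if role == "auditor":
        return "read-only"
    return "deny"


# Constructed test suite. It never exercises the auditor branch.
def _test_admin():
    assert classify_access("admin", "alice", "bob") == "allow"


def _test_owner():
    assert classify_access("user", "alice", "alice") == "allow"


def _test_other_user():
    assert classify_access("user", "alice", "bob") == "deny"


ACCESS_TESTS = [_test_admin, _test_owner, _test_other_user]


if __name__ == "__main__":
    report = coverage_report(classify_access, ACCESS_TESTS)
    print(f"{report['hit']}/{report['executable']} statements covered "
          f"({report['ratio']:.0%})")
    for ln, text in zip(report["missing_lines"], report["missing_source"]):
        print(f"  never executed: line {ln}: {text}")
```

The report flags the return "read-only" statement as never executed: the tests all pass, yet the auditor path, the one most likely to hide an access-control mistake, was never checked. Real tools (coverage.py, gcov, JaCoCo) do the same bookkeeping with branch and condition granularity; the lesson is that green tests say nothing about code they never reached.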
Interface Testing
Traditional interface testing within applications is primarily concerned with appropriate functionality being exposed across all the ways users can interact with the application
misuse case
in interface testing, considers whether intentional misuse of the application's interfaces could result in an error that subverts the confidentiality, integrity, or availability of the data the application provides access to.
Second-party audits
are typically performed by external parties, in order to give business partners the assurance that the entity being audited is living up to the terms of contractual agreements between the two with respect to due care and due diligence in the handling of the business partner’s assets.
Third-party audits
are commonly performed as part of an entity’s requirements to satisfy regulatory compliance with respect to systems processing information deemed to be in the public interest.
tabletop exercises (TTXs)
examine existing controls and response procedures against the manifestation of a likely threat, to ensure that everyone who would be involved knows their role and that the resulting outcome across multiple contingencies is the one desired. Branches (alternative paths driven by cascading dependencies) and sequels (follow-on scenarios) to the scenario under discussion are typically explored to some degree.
Checklist test
copies of the disaster recovery or business continuity procedures are distributed to all stakeholders for review, in order to ensure that no necessary materials or steps are omitted.