Lecture 12 Flashcards
What is white box testing?
Pen testers are given a detailed amount of information about the company and systems they’re tasked with targeting. This may include basic credentials, source code, or other inside information.
What is black box testing?
Testers are only given the name of the targeted organization and must figure out how to break into systems with the same level of information that an outsider would have. Also referred to as ‘blind’ tests.
What is grey box testing?
Testers are given some amount of information and insights, perhaps incrementally if testing progress halts, in order to continue the assessment.
What are Red Team / Blue Team exercises?
A structured attack-defend exercise to test the incident response capabilities and preparedness of an organisation’s security team. The security team is the blue team and the pen testers are the red team.
Why do you have to be careful about user input?
The user/attacker owns the bits: they can and will input anything and everything.
How do you handle user access?
Authentication, session management and access control.
How do you handle user input?
Input handling (reject known bad => blacklisting, accept known good => whitelisting, sanitisation, safe data handling, semantic checks), boundary validation, multistep validation.
How do you handle attackers?
Handling errors, maintaining audit logs, alerting administrators and reacting to attacks.