Section 3 - Software Security Test Plan Flashcards
What is the 3rd Phase of the SDL
Design and Development (A3)
In A2 (Architecture) we perform a policy compliance review. What is the corresponding step in A3
Perform a policy compliance analysis
For security test planning, which method is best: risk-based or requirements-based
Neither on its own. Use both; each should augment the other, given the challenges of software development
What are the 3 security testing techniques
White box - source code analysis, property-based testing, source code fault injection
Grey box - the tester has insight into the internals but tests through the black-box interface - source code fault injection, dynamic code analysis
Black box - fuzzing, binary code analysis, byte code analysis, vulnerability scanning and penetration testing
What are the key success factors for the 3rd phase of the SDL
What are the deliverables of the 3rd phase of the SDL
What are the types of testing strategy
Unit tests - to start
Integration tests
System tests - alpha testing
Quality assurance tests - performed by testers who are not on the project team - beta testing
Production testing - penetration testing and vulnerability testing
What type of testing uses fault injection
Failure testing
Tests how the system behaves when it is given invalid input
What type of testing is based on normal user activity and normal errors
Application testing
What type of testing uses transactions, load and stress testing
Capacity testing
Attempts to overwhelm and break the system
Systems should fail secure under overload
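The two cards above (failure testing with fault injection, and the requirement that systems fail secure) are illustrated by the following added example. It is not part of the original flashcards: the base64/JSON session token, the `authorize_fail_open` and `authorize_fail_secure` functions, the fault cases and the `NOW` timestamp are all hypothetical, constructed for this illustration. The harness injects invalid inputs derived from one valid token and flags any decision function that either crashes or grants access to input that an independent oracle rejects.

```python
# Added example (not from the original flashcards): a fault-injection harness
# for failure testing. The token format, the authorize_* functions and the
# fault cases below are all hypothetical, constructed for this illustration.
import base64
import json
import random

NOW = 1_700_000_000  # constructed "current time" used for expiry checks


def make_token(claims: dict) -> bytes:
    """Encode claims as a base64 JSON blob (hypothetical session token)."""
    return base64.b64encode(json.dumps(claims).encode("utf-8"))


VALID_ADMIN = make_token({"sub": "alice", "role": "admin", "exp": NOW + 3600})


def parse_token(raw: bytes) -> dict:
    """Strictly decode a token; every malformed input raises a ValueError."""
    decoded = base64.b64decode(raw, validate=True)  # binascii.Error is a ValueError
    claims = json.loads(decoded)  # JSONDecodeError / UnicodeDecodeError are too
    if not isinstance(claims, dict):
        raise ValueError("claims must be a JSON object")
    return claims


def authorize_fail_open(raw: bytes, now: int = NOW) -> bool:
    """Buggy decision: the error path was meant to 'log and continue', but the
    default allowed=True survives any exception, so invalid input fails open."""
    allowed = True
    try:
        claims = parse_token(raw)
        if claims["exp"] < now:
            allowed = False
        if claims["role"] != "admin":
            allowed = False
    except (ValueError, KeyError, TypeError):
        pass
    return allowed


def authorize_fail_secure(raw: bytes, now: int = NOW) -> bool:
    """Fail-secure decision: deny by default, grant only after every check passes."""
    try:
        claims = parse_token(raw)
        exp, role = claims["exp"], claims["role"]
        if not isinstance(exp, int) or exp < now:
            return False
        return role == "admin"
    except (ValueError, KeyError, TypeError):
        return False


def inject_faults(valid: bytes, seed: int = 1) -> dict:
    """Derive invalid and edge-case inputs from one valid token (constructed cases)."""
    rng = random.Random(seed)
    claims = json.loads(base64.b64decode(valid))
    faults = {
        "empty": b"",
        "truncated": valid[: len(valid) // 2],
        "not_base64": b"!!!not-base64!!!",
        "not_utf8_json": base64.b64encode(b"\xff\xffnot json"),
        "json_array": base64.b64encode(b"[1, 2, 3]"),
        "missing_role": make_token({k: v for k, v in claims.items() if k != "role"}),
        "missing_exp": make_token({k: v for k, v in claims.items() if k != "exp"}),
        "exp_wrong_type": make_token({**claims, "exp": "never"}),
        "expired": make_token({**claims, "exp": NOW - 1}),
        "non_admin": make_token({**claims, "role": "user"}),
    }
    for i in range(3):  # random single-bit flips in the encoded token
        mutated = bytearray(valid)
        mutated[rng.randrange(len(mutated))] ^= 1 << rng.randrange(8)
        faults[f"bitflip_{i}"] = bytes(mutated)
    return faults


def is_valid_admin(raw: bytes, now: int = NOW) -> bool:
    """Independent oracle: the only inputs that may ever be granted access."""
    try:
        claims = parse_token(raw)
        return (isinstance(claims.get("exp"), int) and claims["exp"] >= now
                and claims.get("role") == "admin")
    except (ValueError, KeyError, TypeError):
        return False


def find_violations(authorize, faults: dict, now: int = NOW) -> list:
    """Names of fault cases where `authorize` crashed or granted access to an
    input the oracle rejects. An empty list means the decision fails secure."""
    violations = []
    for name, raw in faults.items():
        try:
            allowed = authorize(raw, now)
        except Exception:  # the fault escaped the handler: a crash, not fail-secure
            violations.append(name)
            continue
        if allowed and not is_valid_admin(raw, now):
            violations.append(name)
    return violations


if __name__ == "__main__":
    faults = inject_faults(VALID_ADMIN)
    print("fail-open violations:  ", find_violations(authorize_fail_open, faults))
    print("fail-secure violations:", find_violations(authorize_fail_secure, faults))
```

The oracle deliberately does not reuse either decision function: a fault-injected input that happens to still decode to a valid, unexpired admin token (a lucky bit flip) is legitimately allowed, so the harness only reports cases where access was granted to something that is not such a token, or where an exception escaped. Running the fault set against `authorize_fail_open` reports every malformed case; against `authorize_fail_secure` it reports none.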
What type of testing verifies that changes do not affect other functions
Regression testing
Also covers the performance of database transactions
Verifies that new changes do not overwrite previous changes
T or F: Dynamic testing is black box
True
Dynamic testing exercises the running application; this is functional testing
What is Interactive Application Security Testing (IAST)
IAST is an enhancement to dynamic (run-time) testing
Sensors instrumented into the application monitor software operations while it runs
May be integrated with software composition analysis (SCA)
T or F: Static testing is white box
True
Includes checking the source code for back doors and other anomalies
One key point for peer review
Independence of the reviewer from the author of the code