Section 3 - Software Security Test Plan

Question 1

What is the 3rd Phase of the SDL

Answer 1

Design and Development (A3)

Question 2

In A2 Architecture we perform a compliance review. In A3 what the next step is

Answer 2

Perform Policy Compliance Analysis

Question 3

For Security Test Planning which is method is best - Risk Based vs Requirements based

Answer 3

Neither. Both and they should augment them due to the challenges of software development

Question 4

What are the 3 security testing techniques

Answer 4

White Box - Source Code analysis, property-based, source code fault injection

Grey Box - has insight but uses Black Box - Source code fault injection, Dynamic code analysis

Black box - fuzzing, binary code analysis, Byte code analysis, vulnerability scanning and penetration testing.

Question 5

What are the Key Success Factors for 3rd Phase of SDL

Answer 5

Question 6

What are the deliverables of the 3rd Phase of SDL

Answer 6

Question 7

What are the types of Testing Strategy

Answer 7

Units Tests to Start

Integrated Tests

Systems Test - Alpha

Quality Assurance Tests - not on project team - Beta Testing

Production Testing - Penetration Testing and Vulnerability Testing -

Question 8

What type of testing would be using fault injection

Answer 8

Failure Testing

Test in a way if something with invalid input

Question 9

What type of testing is based on normal user activity and normal errors

Answer 9

Application Testing

Question 10

What type of testing uses transactions, loads and stress testing

Answer 10

Capacity Testing

Attempt to overwhelm and break testing

Systems should fail secure

Question 11

What is the testing when changes are made they do not effect other functions

Answer 11

Regression Testing

performance of database transactions

overwrite previous changes

Question 12

T or F Dynamic Testing is Black Box

Answer 12

True
that is functional testing

Question 13

What is Interactive Application Security Testing (IAST)

Answer 13

IAST
Enhancement to Dynamic or run time testing

Sensors monitor software operations

May integrated with software composition analysis

Question 14

T or F Static Testing is White Box

Answer 14

True

checking for back doors and other anomalies

Question 15

One key point for Peer Review

Answer 15

Independence

Question 16

What is a test methodology in which assessor under specific constraints, attempt to defeat the security

Answer 16

Penetration Testing

Vulnerability assessment are precursors to this

Question 17

What is the most common Penetration Testing when it comes to knowledge

Answer 17

Partial Knowledge - gives us an advantage to expedite tests

Zero Knowledge - allows us to look at bigger picture. Much more expensive

Full Knowledge - Red Team and they know everything

Question 18

What are the “Hats” in Security Testing

Answer 18

White Hat - Ethical Testing

Grey Hat - Semi Ethical & tolerated

Black Hat - Unauthorized

Question 19

Internal Awareness Options

Answer 19

Blind Test - for example a vulnerability scan without notice

Double Blind - Do not tell security team either

Question 20

Challenges with Cryptography

Answer 20

Lost Key
History
split knowledge

Cryptoperiod - expiration of keys

Hard Coded Credentials

Question 21

What type of testing tests the edges of what is allowed or not allowed.

Answer 21

Fuzzing

for example days of month such as 31st on all months.

Mutated data

Question 22

What type of testing is a simulation that works well with Web Application

Answer 22

Synthetic Testing

simulates the actions of the user

Enables faster detection of failed or compromised system

Question 23

What is the name for Certifications and Accreditation

Answer 23

Systems Authorization

Question 24

What is the next step in A4 (Design and Development) regarding compliance

Answer 24

This is the continuing effort to review and perform analysis on compliance requirements.

Question 25

What are the 4 steps in the Code Review Process

Answer 25

Identify Security Code Review Objectives

Perform Preliminary Scan

Review Code for Security Issues

Review for Security Issues Unique to the Architecture

Question 26

What is an ideal flow of activities for code review success

Answer 26

Threat Modeling
Code Reviews
Resolve Problems
Learn the Lesson

Question 27

T or F - there is no false positives in Fuzz Testing

Answer 27

True
every flaw is discovered as a result of a simulated attack

Question 28

What are the two types of Fuzz Testing

Answer 28

Smart - pushes data in logical ways due to in-depth knowledge

Dumb - system pushes data without waiting for response.

Question 29

What is the type of code testing that is done line-by-line inspection

Answer 29

Manual Code Review

most expensive

understand Control Flow - logical conditions vs

Data Flow Analysis

Question 30

What are the key success factors in the 4th phase of SDL

Answer 30

Security Testing Execution

Security Testing and Remediation

Privacy Validation and remediation

Policy Compliance Review

Question 31

What are the Deliverables in A4 of SDL

Answer 31

Security Test Execution Report

Updated Compliance Policy Analysis

Privacy Compliance Report

Security Testing Reports

Remediation Reports