Section 3 - Software Security Test Plan Flashcards

1
Q

What is the 3rd phase of the SDL?

A

Design and Development (A3)

2
Q

In A2 (Architecture) we perform a policy compliance review. What is the corresponding step in A3?

A

Perform policy compliance analysis (the review started in A2 is carried forward into each later phase)

3
Q

For security test planning, which method is best: risk-based or requirements-based?

A

Neither on its own. Use both: requirements-based tests verify that each stated security requirement is met, while risk-based tests cover the threats the requirements did not anticipate. Given the realities of software development (incomplete requirements, changing designs), each should augment the other.

4
Q

What are the 3 security testing techniques (by the tester's knowledge of the system)?

A

White box - tester has full knowledge of the internals: source code analysis, property-based testing, source code fault injection

Grey box - tester has partial insight into the internals (design documents, some source) but exercises the system from the outside as in black box testing: source code fault injection, dynamic code analysis

Black box - tester has no internal knowledge and works only against the running system or its binary: fuzzing, binary code analysis, byte code analysis, vulnerability scanning and penetration testing

5
Q

What are the key success factors for the 3rd phase of the SDL?

A
6
Q

What are the deliverables of the 3rd phase of the SDL?

A
7
Q

What are the stages of a testing strategy, in order?

A

Unit tests - start here, testing individual components in isolation

Integration tests - components tested together

System tests - the whole system; alpha testing

Quality assurance tests - performed by people not on the project team; beta testing

Production testing - penetration testing and vulnerability testing against the deployed system

8
Q

What type of testing uses fault injection?

A

Failure testing

Deliberately feeds invalid input or induces component failures to observe how the system behaves when something goes wrong, rather than only when everything works.

9
Q

What type of testing is based on normal user activity and the errors a normal user would make?

A

Application Testing

10
Q

What type of testing uses transaction, load and stress testing?

A

Capacity testing

Attempts to overwhelm and break the system to find its limits.

Systems should fail secure: when a limit is exceeded or a dependency fails, access must be denied, never granted by default.
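The two cards above (failure testing by fault injection, and the fail-secure requirement from capacity testing) meet in the following added example; it is not from the flashcards. A hypothetical permission store has a fault injected into every call, and two versions of an authorisation routine are driven through it: one that swallows the error and ends up granting access (fail open), and one that denies whenever it cannot decide (fail secure). The store, the policy and the exception class are constructed for the example.

```python
"""Failure testing by fault injection: does an access-control check fail secure?

Added example (not from the flashcards). The permission store, the
authorisation functions and the injected fault are all hypothetical.
"""
import random


class PermissionStoreDown(Exception):
    """Raised by the store when its backing service is unavailable."""


class FaultyPermissionStore:
    """Hypothetical permission store with an injectable fault.

    fail_every_n = 0 disables fault injection; 1 makes every call fail.
    """

    def __init__(self, grants, fail_every_n=0):
        self._grants = grants            # constructed policy: {(user, action): True}
        self._fail_every_n = fail_every_n
        self._calls = 0

    def is_allowed(self, user, action):
        self._calls += 1
        if self._fail_every_n and self._calls % self._fail_every_n == 0:
            raise PermissionStoreDown("injected fault: store unreachable")
        return self._grants.get((user, action), False)


def authorize_fail_open(store, user, action):
    """Buggy pattern: the dependency error is swallowed and the variable that
    was supposed to record a denial keeps its permissive default."""
    try:
        denied = not store.is_allowed(user, action)
    except PermissionStoreDown:
        denied = False            # bug: no decision was made, yet access is granted
    return not denied


def authorize_fail_secure(store, user, action):
    """Hardened pattern: any failure of the dependency results in denial."""
    try:
        return bool(store.is_allowed(user, action))
    except PermissionStoreDown:
        return False              # fail secure: deny when we cannot decide


def failure_test(authorize, trials=200, seed=1):
    """Drive the authoriser with a fault injected on every call and count how
    often an action that was never granted slips through. A fail-secure
    implementation must return 0."""
    rng = random.Random(seed)
    grants = {("alice", "read"): True}           # constructed sample policy
    store = FaultyPermissionStore(grants, fail_every_n=1)
    leaks = 0
    for _ in range(trials):
        user = rng.choice(["alice", "mallory"])
        action = rng.choice(["read", "delete"])
        if authorize(store, user, action) and (user, action) not in grants:
            leaks += 1
    return leaks


if __name__ == "__main__":
    print("fail-open leaks:  ", failure_test(authorize_fail_open))
    print("fail-secure leaks:", failure_test(authorize_fail_secure))
```

The same harness can be pointed at a real authorisation path by replacing the store with a wrapper around the production client that raises on a schedule; the assertion to keep is that the leak count under injected faults is zero.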

11
Q

What type of testing verifies that changes do not affect other functions?

A

Regression testing

Re-runs existing tests after a change to confirm that nothing that used to work has broken or degraded (for example, the performance of database transactions) and that the change has not silently overwritten previous fixes.

12
Q

T or F: Dynamic testing is black box.

A

True

Dynamic testing exercises the running program and judges it by its observable behaviour rather than by reading its source, which is functional (black box) testing. Instrumented variants such as IAST add internal visibility, but the baseline technique is black box.

13
Q

What is Interactive Application Security Testing (IAST)?

A

IAST is an enhancement to dynamic (run-time) testing.

Sensors (agents) deployed inside the running application monitor its operations while it is exercised, so findings can be tied to the code paths that produced them.

May be integrated with software composition analysis to report vulnerable third-party components as well.

14
Q

T or F: Static testing is white box.

A

True

Static testing examines the source (or binary) without running it, for example checking for back doors and other anomalies that would not show up in normal functional use.

15
Q

What is one key point for peer review?

A

Independence: the reviewer should not be the author of the code under review.

16
Q

What is the test methodology in which an assessor, under specific constraints, attempts to defeat the security controls?

A

Penetration testing

Vulnerability assessments are precursors to it: they find candidate weaknesses, and the penetration test attempts to exploit them.

17
Q

What are the knowledge levels for penetration testing, and which is most common?

A

Partial knowledge (most common) - the testers are given some information, which expedites the test and lets it focus on the areas of concern

Zero knowledge - the testers start with nothing, so they see the bigger picture an outsider would see; much more expensive and time-consuming

Full knowledge - the testers know everything about the system (for example an in-house red team with access to design and source)

18
Q

What are the "hats" in security testing?

A

White Hat - Ethical Testing

Grey Hat - semi-ethical; tolerated, but not formally authorized

Black Hat - Unauthorized

19
Q

What are the internal awareness options for a test?

A

Blind test - conducted without notice to the system owners, for example a vulnerability scan run unannounced

Double blind - the security team is not told either, so the organisation's detection and response are tested along with the system

20
Q

What are the challenges with cryptography (key management)?

A

Lost key - data encrypted under a key that cannot be recovered is lost with it

Key history - superseded keys must be retained (and protected) as long as data encrypted under them must still be read

Split knowledge - no single person should hold a complete key; shares are held by separate custodians

Cryptoperiod - keys expire and must be rotated; an expired key may still decrypt old data but must not protect new data

Hard-coded credentials - keys and passwords embedded in source or binaries cannot be rotated and are exposed to anyone who can read the code
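The cryptoperiod and split-knowledge points above are easy to state and easy to get wrong in code, so here is an added example, not part of the flashcards, that makes them concrete. The KeyRecord structure, the "encrypt"/"decrypt" purpose strings and the two-custodian XOR split are illustrative choices, not a reference to any particular key-management product; keys are generated at run time precisely to avoid the hard-coded-credential problem the card lists.

```python
"""Cryptoperiod enforcement and split knowledge for a symmetric key.

Added example, not from the flashcards. KeyRecord, key_usable and the
XOR-based two-share split are illustrative constructions.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class KeyRecord:
    """Key material plus the metadata needed to enforce its cryptoperiod."""
    key_id: str
    material: bytes
    not_before: datetime
    not_after: datetime                 # end of the cryptoperiod
    superseded_by: Optional[str] = None  # key history: which key replaced this one


def key_usable(rec, purpose, now):
    """Cryptoperiod check. A key past not_after may still DECRYPT data that
    was protected under it (that is why key history is kept) but must never
    ENCRYPT new data. purpose is 'encrypt' or 'decrypt'."""
    if purpose not in ("encrypt", "decrypt"):
        raise ValueError("unknown purpose")
    if now < rec.not_before:
        return False
    if now > rec.not_after:
        return purpose == "decrypt"
    return True


def split_key(key):
    """Split knowledge: two custodians each hold one share. share_a is uniform
    random, so neither share alone reveals anything about the key."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_shares(share_a, share_b):
    """Reconstruct the key; both custodians must be present."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def demo():
    """Constructed scenario: k1 has expired and was superseded by k2."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)        # constructed clock
    old = KeyRecord("k1", secrets.token_bytes(32),
                    now - timedelta(days=800), now - timedelta(days=70), "k2")
    cur = KeyRecord("k2", secrets.token_bytes(32),
                    now - timedelta(days=70), now + timedelta(days=295))
    share_a, share_b = split_key(cur.material)
    return {
        "old_key_encrypt": key_usable(old, "encrypt", now),      # expired: no
        "old_key_decrypt": key_usable(old, "decrypt", now),      # history: yes
        "cur_key_encrypt": key_usable(cur, "encrypt", now),      # in period: yes
        "split_roundtrip": combine_shares(share_a, share_b) == cur.material,
        "share_alone_is_key": share_a == cur.material,           # must be False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

The design point worth noticing is that key_usable takes the purpose as an argument: a single "is this key valid?" boolean cannot express the asymmetry between reading old ciphertext and producing new ciphertext, and collapsing the two is how expired keys end up protecting fresh data.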

21
Q

What type of testing probes the edges of what is allowed and not allowed?

A

Fuzzing (boundary testing)

For example, submitting the 31st day of every month, including the 30-day months and February.

Mutated data: take a known-valid input and alter it to generate test cases.

22
Q

What type of testing is a simulation that works well with web applications?

A

Synthetic testing

Simulates the actions of a user (scripted logins, page requests, transactions) against the live application.

Enables faster detection of a failed or compromised system, because the expected behaviour is checked continuously rather than waiting for a real user to report a problem.

23
Q

What is the collective name for certification and accreditation?

A

Systems authorization

24
Q

What is the next step in A4 (Design and Development) regarding compliance?

A

Policy compliance review: the continuing effort to review the compliance requirements and analyze the implementation against them.

25
Q

What are the 4 steps in the code review process?

A

Identify Security Code Review Objectives

Perform Preliminary Scan

Review Code for Security Issues

Review for Security Issues Unique to the Architecture

26
Q

What is an ideal flow of activities for code review success?

A

Threat Modeling
Code Reviews
Resolve Problems
Learn the Lesson

27
Q

T or F: There are no false positives in fuzz testing.

A

True

Every flaw reported was discovered as the result of a simulated attack that actually produced a crash or other observable fault, so the input itself is the proof. The findings still need triage (duplicates, and whether the fault is exploitable), but none of them is a phantom.

28
Q

What are the two types of fuzz testing?

A

Smart (generation-based) - uses in-depth knowledge of the input format to push data at the interesting places, such as field boundaries and length limits

Dumb (mutation-based) - pushes randomly altered data with no understanding of the format; cheap to build, but most inputs are rejected early and exercise little of the code
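The boundary example from card 21 (the 31st of every month) and the smart/dumb distinction from card 28 are both shown in the following added example, which is not part of the flashcards. parse_date_buggy is a deliberately weak hypothetical target that only checks the day against 1..31; a hand-written calendar oracle decides what the right answer was, and each fuzzer reports every input on which the target and the oracle disagree. The target, the oracle and the seed input are all constructed for the example.

```python
"""Boundary fuzzing of a date parser: smart (generation) vs dumb (mutation).

Added example, not from the flashcards. parse_date_buggy is a hypothetical
target with a known weakness; oracle() is the reference implementation.
"""
import calendar
import random


def parse_date_buggy(text):
    """Hypothetical target. Accepts YYYY-MM-DD but checks the day only
    against 1..31, so 2023-02-31 and 2023-04-31 are wrongly accepted.
    Returns True if the input is accepted, False if rejected."""
    parts = text.split("-")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return False
    y, m, d = (int(p) for p in parts)
    return 1 <= y <= 9999 and 1 <= m <= 12 and 1 <= d <= 31


def oracle(text):
    """Reference answer: same syntax rules as the target, but the day is
    checked against the real length of that month (leap years included)."""
    parts = text.split("-")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return False
    y, m, d = (int(p) for p in parts)
    if not (1 <= y <= 9999 and 1 <= m <= 12):
        return False
    return 1 <= d <= calendar.monthrange(y, m)[1]


def smart_fuzz(target):
    """Generation-based ('smart') fuzzing: knows the format and aims each
    field at its boundaries instead of at random bytes."""
    findings = []
    years = [1900, 2000, 2023, 2024]        # 1900 and 2023 are not leap years
    for y in years:
        for m in range(0, 14):              # 0 and 13 sit just outside the range
            for d in (0, 1, 28, 29, 30, 31, 32):
                s = f"{y:04d}-{m:02d}-{d:02d}"
                if target(s) != oracle(s):
                    findings.append(s)
    return findings


def dumb_fuzz(target, seed_input="2024-02-29", iterations=2000, seed=7):
    """Mutation-based ('dumb') fuzzing: random edits to one valid sample with
    no understanding of the format. Most mutants break the syntax and are
    rejected by both sides, so they reveal nothing about the day check."""
    rng = random.Random(seed)
    findings = set()
    for _ in range(iterations):
        chars = list(seed_input)
        for _ in range(rng.randint(1, 3)):
            op = rng.choice(["replace", "insert", "delete"])
            i = rng.randrange(len(chars)) if chars else 0
            if op == "replace" and chars:
                chars[i] = rng.choice("0123456789-")
            elif op == "insert":
                chars.insert(i, rng.choice("0123456789-"))
            elif op == "delete" and chars:
                del chars[i]
        s = "".join(chars)
        if target(s) != oracle(s):
            findings.add(s)
    return sorted(findings)


if __name__ == "__main__":
    smart = smart_fuzz(parse_date_buggy)
    dumb = dumb_fuzz(parse_date_buggy)
    print(f"smart fuzzer: {len(smart)} findings from 392 inputs, e.g. {smart[:3]}")
    print(f"dumb fuzzer:  {len(dumb)} distinct findings from 2000 inputs, e.g. {dumb[:3]}")
```

Every entry either fuzzer returns is an input the target accepted and the oracle rejected, which is the "no false positives" property of card 27 in miniature: the reported input reproduces the fault by itself. The smart fuzzer needs fewer than 400 inputs to enumerate all the day-of-month and leap-year mistakes; the dumb fuzzer spends most of its 2000 iterations on malformed strings and finds only whatever its random edits happen to land on.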

29
Q

What type of code testing is done by line-by-line inspection?

A

Manual code review

The most expensive form of code testing.

Two complementary ways of reading the code: control flow analysis follows the logical conditions and branches to see which paths can execute, while data flow analysis follows how data moves from where it enters (sources) to where it is used (sinks).
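To show what the data-flow half of that reading looks like when mechanised, here is an added example that is not part of the flashcards: a small flow-insensitive taint analysis over a Python AST. Values returned by an assumed source call (request.args.get) are marked tainted, taint is propagated through assignments, concatenation, f-strings and method calls, an assumed sanitiser (int) clears it, and any assumed sink call (cursor.execute) that receives tainted data is reported. The reviewed snippet and all three name sets are hypothetical.

```python
"""Data-flow (taint) analysis over a Python AST, as a code reviewer does it by hand.

Added example, not from the flashcards. The source, sanitiser and sink
names and the snippet under review are hypothetical stand-ins.
"""
import ast

SOURCE_CALLS = {"request.args.get"}   # assumed: where attacker-controlled data enters
SINK_CALLS = {"cursor.execute"}       # assumed: where raw tainted data must not arrive
SANITIZERS = {"int"}                  # assumed: calls whose result is treated as clean

# Constructed snippet under review: one sanitised path and one injectable path.
SNIPPET = '''
def lookup(request, cursor):
    user_id = request.args.get("id")
    sort_col = request.args.get("sort")
    safe_id = int(user_id)
    cursor.execute("SELECT * FROM users WHERE id = %s", (safe_id,))
    query = "SELECT * FROM users ORDER BY " + sort_col
    cursor.execute(query)
'''


def qualname(node):
    """Dotted name of a call target, e.g. request.args.get; None if dynamic."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def is_tainted(node, tainted):
    """Does the value of this expression depend on a taint source?"""
    if isinstance(node, ast.Call):
        name = qualname(node.func)
        if name in SOURCE_CALLS:
            return True
        if name in SANITIZERS:
            return False
        # a method called on a tainted object (x.upper()) stays tainted
        if isinstance(node.func, ast.Attribute) and is_tainted(node.func.value, tainted):
            return True
        return any(is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.BinOp):
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):          # f-strings
        return any(is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, (ast.Tuple, ast.List)):
        return any(is_tainted(e, tainted) for e in node.elts)
    if isinstance(node, ast.Attribute):
        return is_tainted(node.value, tainted)
    return False                                 # constants and unhandled node types


def find_tainted_sinks(source):
    """Flow-insensitive data-flow analysis. Returns (lineno, sink) pairs where
    source-derived data reaches a sink without passing through a sanitiser."""
    tree = ast.parse(source)
    assigns = [n for n in ast.walk(tree) if isinstance(n, ast.Assign)]
    tainted = set()
    changed = True
    while changed:                               # iterate to a fixpoint
        changed = False
        for a in assigns:
            for t in a.targets:
                if isinstance(t, ast.Name) and t.id not in tainted \
                        and is_tainted(a.value, tainted):
                    tainted.add(t.id)
                    changed = True
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and qualname(node.func) in SINK_CALLS:
            if any(is_tainted(a, tainted) for a in node.args):
                findings.append((node.lineno, qualname(node.func)))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, sink in find_tainted_sinks(SNIPPET):
        print(f"line {lineno}: tainted data reaches {sink}")
```

The analysis is flow-insensitive on purpose: it does not look at branches, so an allowlist check such as `if sort_col not in ("name", "email"): sort_col = "name"` would still leave the second execute flagged. Deciding that such a guard makes the path safe is the control-flow half of the review, and it is the part a reviewer does by reading the conditions rather than the assignments.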

30
Q

What are the key success factors in the 4th phase of the SDL?

A

Security Testing Execution

Security Testing and Remediation

Privacy Validation and remediation

Policy Compliance Review

31
Q

What are the deliverables in A4 of the SDL?

A

Security Test Execution Report

Updated Compliance Policy Analysis

Privacy Compliance Report

Security Testing Reports

Remediation Reports
