Security Assessment and Testing Domain

Question 1

2011 CWE/SANS Top 25 Most Dangerous Software Errors

Answer 1

A list of the most widespread and critical errors that can lead to serious vulnerabilities in software.

Question 2

Audit Records

Answer 2

Contain security event information such as successful and failed authentication attempts; file accesses; security policy changes; account changes; and use of privileges.

Question 3

Architecture Security Reviews

Answer 3

A manual review of the product architecture to ensure that it fulfills the necessary security requirements.

Question 4

Automated Vulnerability Scanners

Answer 4

Tests an application for the use of system components or configurations that are known to be insecure.

Question 5

Condition Coverage

Answer 5

This criteria requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from branch coverage only when multiple conditions must be evaluated to reach a decision.

Question 6

Data Flow Coverage

Answer 6

This criteria requires sufficient test cases for each feasible data flow to be executed at least once.

Question 7

Decision (Branch) Coverage

Answer 7

Considered to be a minimum level of coverage for most software products; but decision coverage alone is insufficient for high-integrity applications.

Question 8

Information Security Continuous Monitoring (ISCM)

Answer 8

Maintaining ongoing awareness of information security; vulnerabilities; and threats to support organizational risk management decisions.

Question 9

Intrusion Detection Systems (IDS)

Answer 9

Real-time monitoring of events as they happen in a computer system or network; using audit trail records and network traffic and analyzing events to detect potential intrusion attempts.

Question 10

Intrusion Prevention Systems (IPS)

Answer 10

Any hardware or software mechanism that has the ability to detect and stop attacks in progress.

Question 11

Loop Coverage

Answer 11

This criteria requires sufficient test cases for all program loops to be executed for zero; one; two; and many iterations covering initialization; typical running; and termination (boundary) conditions.

Question 12

Misuse Case

Answer 12

A Use Case from the point of view of an Actor hostile to the system under design.

Question 13

Multi-Condition Coverage

Answer 13

This criteria requires sufficient test cases to exercise all possible combinations of conditions in a program decision.

Question 14

Negative Testing

Answer 14

Ensures the application can gracefully handle invalid input or unexpected user behavior.

Question 15

Path Coverage

Answer 15

This criteria requires sufficient test cases for each feasible path; basis path; etc.; from start to exit of a defined program segment; to be executed at least once.

Question 16

Positive Testing

Answer 16

Determines that your application works as expected.

Question 17

Real User Monitoring (RUM)

Answer 17

An approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application.

Question 18

Regression Analysis

Answer 18

The determination of the impact of a change based on review of the relevant documentation.

Question 19

Security Log Management

Answer 19

The process for generating; transmitting; storing; analyzing; and disposing of computer security log data.

Question 20

Statement Coverage

Answer 20

This criteria requires sufficient test cases for each program statement to be executed at least once; however; its achievement is insufficient to provide confidence in a software product’s behavior.

Question 21

Static Source Code Analysis (SAST)

Answer 21

Analysis of the application source code for finding vulnerabilities without actually executing the application.

Question 22

Synthetic Performance Monitoring

Answer 22

Involves having external agents run scripted transactions against a web application.

Question 23

System Events

Answer 23

Operational actions performed by OS components; such as shutting down the system or starting a service.

Question 24

Threat Modeling

Answer 24

A process by which developers can understand security threats to a system; determine risks from those threats; and establish appropriate mitigations.

Question 25

Use Cases

Answer 25

Abstract episodes of interaction between a system and its environment.

Question 26

Validation

Answer 26

The determination of the correctness; with respect to the user needs and requirements; of the final program or software produced from a development project.

Question 27

Verification

Answer 27

The authentication process by which the biometric system matches a captured biometric against the person’s stored template.

Question 28

Vulnerability Management Software

Answer 28

Log the patch installation history and vulnerability status of each host; which includes known vulnerabilities and missing software updates.

Question 29

Web Proxies

Answer 29

Intermediate hosts through which websites are accessed.

Question 30

White-box Testing

Answer 30

A design that allows one to peek inside the “box” and focuses specifically on using internal knowledge of the software to guide the selection of test data.