Security Assessment and Testing Domain

Question 1

A design that allows one to peek inside the “box” and focuses specifically on using internal knowledge of the software to guide the selection of test data.

Answer 1

White-box Testing

Question 2

Intermediate hosts through which websites are accessed

Answer 2

Web Proxies

Question 3

Log the patch installation history and vulnerability status of each host, which includes known vulnerabilities and missing software updates.

Answer 3

Vulnerability Management Software

Question 4

The authentication process by which the biometric system matches a captured biometric against the person’s stored template

Answer 4

Verification

Question 5

The determination of the correctness, with respect to the user needs and requirements, of the final program or software produced from a development project.

Answer 5

Validation

Question 6

Abstract episodes of interaction between a system and its environment

Answer 6

Use Cases

Question 7

A process by which developers can understand security threats to a system, determine risks from those threats and establish appropriate mitigations

Answer 7

Threat Modeling

Question 8

Operational actions performed by OS components, such as shutting down the system or starting a service

Answer 8

System Events

Question 9

Involves having external agents run scripted transactions against a web application

Answer 9

Synthetic Performance Monitoring

Question 10

Analysis of the application source code for finding vulnerabilities without actually executing the application

Answer 10

Static Source Code Analysis (SAST)

Question 11

The process for generating, transmitting, storing, analyzing, and disposing of computer security log data.

Answer 11

Security Log Management

Question 12

The determination of the impact of a change based on review of the relevant documentation

Answer 12

Regression Analysis

Question 13

An approach to web monitoring that aims to caputre and analyze every transactions of every user of a website or application

Answer 13

Real User Monitoring (RUM)

Question 14

Determines that your application works as expected

Answer 14

Positive Testing

Question 15

Ensures the application can gracefully handle invalid input or unexpected user behavior

Answer 15

Negative Testing

Question 16

Any hardware or software mechanism that has the ability to detect and stop attacks in progress

Answer 16

Intrusion Prevention Systems (IPS)

Question 17

Real-time monitoring of events as they happen in a computer system or network, using audit trail records and network traffic and anlyzing events to detect potential intrusion attempts

Answer 17

Intrusion Detection Systems (IDS)

Question 18

Maintain ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions

Answer 18

Information Security Continuous Monitoring (ISCM)

Question 19

Tests an application for the use of system components or configurations that are known to be insecure

Answer 19

Automated Vulnerability Scanners

Question 20

A manual review of the product architecture to ensure that it fulfills the necessary security requirements

Answer 20

Architecture Security Reviews

Question 21

Contain security event information such as successful and failed authentication attempts, file accesses, security policy changes, account changes, and use of privileges

Answer 21

Audit Records

Question 22

A list of the most widespread and critical errors that can lead to serious vulnerabilities in software

Answer 22

2011 CWE/SANS Top 25 Most Dangerous Software Errors

Question 23

A Use Case from the point of view of an Actor hostile to the system under design

Answer 23

Misuse Case

Question 24

This criteria requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product’s behavior

Answer 24

Statement Coverage

Question 25

This criteria requires sufficient test cases for each feasible path, basis path, etc., from start to exit of a defined program segment, to be executed at least once

Answer 25

Path Coverage

Question 26

This criteria requires sufficient test cases to exercise all possible combinations of conditions in a program decision

Answer 26

Multi-Condition Coverage

Question 27

This criteria requires sufficient test cases for all program loops to be executed for zero, one, two, and many iterations covering intialization, typical running, and termination (boundary) conditions

Answer 27

Loop Coverage

Question 28

Considered to be a minimum level of coverage for most software products, but decision coverage alone is insufficient for high-integrity applications

Answer 28

Decision (Branch) Coverage

Question 29

This criteria requires sufficient test cases for each feasible data flow to be executed at least once

Answer 29

Data Flow Coverage

Question 30

This criteria requires sufficient test cases from each condition in a program decision to take on all possible outcomes at least once. It differs from branch coverage only when multiple conditions must be evaluated to reach a decision

Answer 30

Condition Coverage