Security Assessment and Testing Domain Flashcards
A design that allows one to peek inside the “box” and focuses specifically on using internal knowledge of the software to guide the selection of test data.
White-box Testing
Intermediate hosts through which websites are accessed
Web Proxies
Log the patch installation history and vulnerability status of each host, which includes known vulnerabilities and missing software updates.
Vulnerability Management Software
The authentication process by which the biometric system matches a captured biometric against the person’s stored template
Verification
The determination of the correctness, with respect to the user needs and requirements, of the final program or software produced from a development project.
Validation
Abstract episodes of interaction between a system and its environment
Use Cases
A process by which developers can understand security threats to a system, determine risks from those threats and establish appropriate mitigations
Threat Modeling
Operational actions performed by OS components, such as shutting down the system or starting a service
System Events
Involves having external agents run scripted transactions against a web application
Synthetic Performance Monitoring
Analysis of the application source code for finding vulnerabilities without actually executing the application
Static Source Code Analysis (SAST)
The process for generating, transmitting, storing, analyzing, and disposing of computer security log data.
Security Log Management
The determination of the impact of a change based on review of the relevant documentation
Regression Analysis
An approach to web monitoring that aims to caputre and analyze every transactions of every user of a website or application
Real User Monitoring (RUM)
Determines that your application works as expected
Positive Testing
Ensures the application can gracefully handle invalid input or unexpected user behavior
Negative Testing
Any hardware or software mechanism that has the ability to detect and stop attacks in progress
Intrusion Prevention Systems (IPS)
Real-time monitoring of events as they happen in a computer system or network, using audit trail records and network traffic and anlyzing events to detect potential intrusion attempts
Intrusion Detection Systems (IDS)
Maintain ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions
Information Security Continuous Monitoring (ISCM)
Tests an application for the use of system components or configurations that are known to be insecure
Automated Vulnerability Scanners
A manual review of the product architecture to ensure that it fulfills the necessary security requirements
Architecture Security Reviews
Contain security event information such as successful and failed authentication attempts, file accesses, security policy changes, account changes, and use of privileges
Audit Records
A list of the most widespread and critical errors that can lead to serious vulnerabilities in software
2011 CWE/SANS Top 25 Most Dangerous Software Errors
A Use Case from the point of view of an Actor hostile to the system under design
Misuse Case
This criteria requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product’s behavior
Statement Coverage
