Security Assessment & Testing

Question 1

A design that allows one to peek inside the “box” & focuses specifically on using internal knowledge of the software to guide the selection of test data.

Answer 1

White Box Testing

Question 2

Intermediate hosts through which websites are accessed.

Answer 2

Web Proxies

Question 3

Log the patch installation history & vulnerability status of each host, which includes known vulnerabilities & missing software updates.

Answer 3

Vulnerability Management Software

Question 4

The authentication process by which the biometric system matches a captured biometric against the person’s stored template.

Answer 4

Verification

Question 5

The determination of the correctness, with respect to the user needs & requirements, of the final program or software produced from a development project.

Answer 5

Validation

Question 6

Abstract episodes of interaction between a system & its environment.

Answer 6

Use Cases

Question 7

A process by which developers can understand security threats to a system, determine risks from those threats, & establish appropriate mitigation.

Answer 7

Threat Modeling

Question 8

Operational actions performed by OS components, such as shutting down the system or starting a service.

Answer 8

System Events

Question 9

Involves having external agents run scripted transactions against a web application.

Answer 9

Synthetic Performance Monitoring

Question 10

Analysis of the application source code for finding vulnerabilities without actually executing the application.

Answer 10

Static Source Code Analysis (SAST)

Question 11

Criteria requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product’s behavior.

Answer 11

Statement Coverage

Question 12

The process for generating, transmitting, storing, analyzing, & disposing of computer security log data.

Answer 12

Security Log Management

Question 13

The determination of the impact of a change based on review of the relevant documentation.

Answer 13

Regression Analysis

Question 14

An approach to web monitoring that aims to capture & analyze every transaction of every user of a website or application.

Answer 14

Real User Monitoring (RUM)

Question 15

Determines that your application works as expected.

Answer 15

Positive Testing

Question 16

This criteria requires sufficient test cases for each feasible path, basic path, etc. from start to exist of a defined program segment, to be executed at least once.

Answer 16

Path Coverage

Question 17

Ensures the application can gracefully handle invalid input or unexpected or unexpected user behavior.

Answer 17

Negative Testing

Question 18

Criteria requires sufficient test cases to exercise all possible combinations of conditions in a program decision.

Answer 18

Multi-Condition Coverage

Question 19

A Use Case from the POV of an Actor hostile to the system under design.

Answer 19

Misuse Case

Question 20

Criteria requires sufficient test cases for all program loops to be executed for zero, one, two & many iterations covering initialization, typical running, & termination (boundary) conditions.

Answer 20

Loop Coverage

Question 21

Any hardware or software mechanism that has the ability to detect & stop attacks in progress.

Answer 21

Intrusion Prevention System (IPS)

Question 22

Real-time monitoring of events as they happen in a computer system or network, using audit trail records & network traffic & analyzing events to detect potential intrusion attempts.

Answer 22

Intrusion Detection System (IDS)

Question 23

Maintaining ongoing awareness of information security, vulnerabilities, & threats to support organizational risk management decisions.

Answer 23

Information Security Continuous Monitoring (ISCM)

Question 24

Considered to be a minimum level of coverage for most software products but decision coverage alone is insufficient for high-integrity applications.

Answer 24

Decision (Branch) Coverage

Question 25

Criteria requires sufficient test cases for each feasible data flow to be executed at least once.

Answer 25

Data Flow Coverage

Question 26

Criteria requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from Branch Coverage only when multiple conditions must be evaluated to reach a decision.

Answer 26

Condition Coverage

Question 27

Tests an application for the use of system components or configurations that are known to be insecure.

Answer 27

Automated Vulnerability Scanners

Question 28

A manual review of the product architecture to ensure that is fulfills the necessary requirements.

Answer 28

Architecture Security Review

Question 29

Contain security event information such as successful & failed authentication attempts, file accesses, security policy changes, account changes, & use of privileges.

Answer 29

Audit Records