Security Testing Flashcards
Define Security Testing…
A systematic process for identifying vulnerabilities in a system (its code, configuration and runtime behaviour) so they can be fixed before they are exploited.
What are the 2 types of testing? Define each…
Static : Analysis of the program's source code (or binary) without running it.
Dynamic : Analysis of the program's behaviour and output while it runs, by feeding it inputs.
Define how each type of testing is done manually and automatically.
Static Manual : Manual source code review.
Static Automated : A tool (SAST) parses and analyses the source code.
Dynamic Manual : Manually give the running program inputs and analyse its output.
Dynamic Automated : Software (e.g. a fuzzer) generates the inputs and reviews the program's output.
Explain True Positive Notation
True = The tool's verdict is correct
False = The tool's verdict is wrong
Positive = The tool reports a vulnerability
Negative = The tool reports no vulnerability
So a True Positive is a real bug that was reported, a False Positive is a report with no real bug behind it, a False Negative is a real bug the tool missed, and a True Negative is clean code the tool correctly left alone.
What is the ideal outcome of True Positive notation?
Every report is a True Positive and every silence is a True Negative, i.e. zero False Positives and zero False Negatives.
What are 2 issues that many tools have?
High False Positive rate : The tool flags code that is not actually vulnerable (or bugs too minor to matter), so developers waste time triaging and debugging noise.
High False Negative rate : The tool stays silent on real vulnerabilities, so they go unnoticed and ship.
What are the differing perspectives of developers and security experts when it comes to True Positive notation?
Developers : Want zero false positives, so that every report is worth fixing and no time is lost on unnecessary debugging.
Security Experts : Want zero false negatives, so that every real bug is accounted for (better safe than sorry), even at the cost of extra triage.
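To make the notation concrete, here is an added example (not from the flashcards) that sorts a scanner's findings into the four classes and derives the two metrics the two camps care about: precision (share of reports that are real, the developer's concern) and recall (share of real bugs that were reported, the security expert's concern). The file and line identifiers, the ground truth and the two scanner reports are all constructed for the demo.

```python
"""Confusion-matrix bookkeeping for a security tool's findings.

Added example, not from the flashcards. The sample data below is
constructed: GROUND_TRUTH is the set of locations a manual review
confirmed as vulnerable, the *_REPORT sets are what two hypothetical
scanners flagged, and EXAMINED is every location the scanners looked at.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    tp: int  # tool flagged it, and it is really vulnerable
    fp: int  # tool flagged it, but it is not vulnerable
    fn: int  # tool stayed silent, but it is vulnerable
    tn: int  # tool stayed silent, and it is not vulnerable

    @property
    def precision(self) -> float:
        """Share of reports that are real: what developers care about."""
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else 1.0

    @property
    def recall(self) -> float:
        """Share of real bugs that were reported: what security experts care about."""
        real = self.tp + self.fn
        return self.tp / real if real else 1.0


def classify(reported: set, ground_truth: set, examined: set) -> Outcome:
    """Split every examined location into TP/FP/FN/TN.

    'Positive' = the tool reported the location, 'Negative' = it did not.
    'True'/'False' = whether that verdict agrees with ground_truth.
    """
    if not reported <= examined or not ground_truth <= examined:
        raise ValueError("findings and ground truth must lie within the examined set")
    return Outcome(
        tp=len(reported & ground_truth),
        fp=len(reported - ground_truth),
        fn=len(ground_truth - reported),
        tn=len(examined - reported - ground_truth),
    )


# Constructed sample: 10 locations examined, 3 of them truly vulnerable.
EXAMINED = {f"app.py:{n}" for n in range(1, 11)}
GROUND_TRUTH = {"app.py:2", "app.py:5", "app.py:9"}

# A "noisy" tool: catches every real bug but also flags two harmless lines.
NOISY_REPORT = {"app.py:2", "app.py:5", "app.py:9", "app.py:3", "app.py:7"}
# A "quiet" tool: never wrong when it speaks, but misses two real bugs.
QUIET_REPORT = {"app.py:2"}

if __name__ == "__main__":
    for name, rep in (("noisy", NOISY_REPORT), ("quiet", QUIET_REPORT)):
        o = classify(rep, GROUND_TRUTH, EXAMINED)
        print(f"{name}: TP={o.tp} FP={o.fp} FN={o.fn} TN={o.tn} "
              f"precision={o.precision:.2f} recall={o.recall:.2f}")
```

The noisy tool is what the security expert asks for (recall 1.0, but precision 0.6) and the quiet tool is what the developer asks for (precision 1.0, but recall 0.33); the ideal tool scores 1.0 on both.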
What is the SAST process?
Parse the source code (into an abstract syntax tree or similar representation); analyse the parsed code (pattern matching and data-flow/taint tracking); output the report of findings.
What is SAST looking for?
Local issues (visible at a single location) such as calls to insecure functions or secrets hard-coded in the source.
Data-flow issues (untrusted input travelling from a source to a dangerous sink) such as XSS and other injection flaws.
What is the sweet spot of SAST?
Analysing generic defects in the code, such as buffer overflows, that can be recognised from the code alone without understanding what the application is for.
What type of defects and where does SAST look for them?
Generic defects (e.g. buffer overflow) and context-specific defects (ones that depend on what the application is meant to do).
It looks in the code and, for context-specific defects, in the architecture.
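The three-step SAST process and both kinds of findings (local issues and data-flow issues) in one runnable form, as an added example that is not from the flashcards and not the code of any real scanner. It borrows Python's own `ast` module as the parser; the rule lists (`ALWAYS_INSECURE`, `SECRET_NAMES`, `TAINT_SOURCES`, `TAINT_SINKS`), the `Analyser` class and the `SAMPLE` program it scans are all constructed for the demo. The taint tracking is deliberately simple (assignment-level, within one function) so the false-negative risk of a shallow analysis is visible.

```python
"""A miniature SAST pass (parse, analyse, report).

Added example for these flashcards, not code from any real scanner.
It uses Python's own 'ast' module as the parser, runs two local checks
(insecure function call, hard-coded secret) and one intra-procedural
data-flow check (untrusted input reaching a shell or eval sink), and
returns the findings as the report. The rule lists and the sample
program are constructed for the demo.
"""
import ast

ALWAYS_INSECURE = {"eval", "exec", "pickle.loads"}      # local rule: flag any use
SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")
TAINT_SOURCES = {"input", "sys.argv", "request.args.get"}
TAINT_SINKS = {"os.system", "subprocess.call", "eval", "exec"}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class Analyser(ast.NodeVisitor):
    def __init__(self):
        self.findings = []    # (line, rule, message)
        self.tainted = set()  # names currently holding untrusted data

    def report(self, node, rule, msg):
        self.findings.append((node.lineno, rule, msg))

    def is_tainted(self, expr):
        """True if the expression reads a tainted name or a taint source
        anywhere inside it (covers concatenation, f-strings, .format)."""
        for sub in ast.walk(expr):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
            if isinstance(sub, ast.Call) and dotted_name(sub.func) in TAINT_SOURCES:
                return True
            if isinstance(sub, ast.Subscript) and dotted_name(sub.value) in TAINT_SOURCES:
                return True
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            # Local check: string literal assigned to a secret-looking name.
            if (any(k in target.id.lower() for k in SECRET_NAMES)
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str)):
                self.report(node, "hardcoded-secret",
                            f"string literal assigned to '{target.id}'")
            # Data-flow: taint follows the assignment; a clean reassignment clears it.
            if self.is_tainted(node.value):
                self.tainted.add(target.id)
            else:
                self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in ALWAYS_INSECURE:
            self.report(node, "insecure-call", f"use of {name}()")
        if name in TAINT_SINKS and any(self.is_tainted(a) for a in node.args):
            self.report(node, "injection", f"untrusted data reaches {name}()")
        self.generic_visit(node)


def scan(source: str):
    """The SAST pipeline: parse, analyse, report (sorted by line number)."""
    tree = ast.parse(source)           # 1. parse
    analyser = Analyser()
    analyser.visit(tree)               # 2. analyse
    return sorted(analyser.findings)   # 3. report


# Constructed sample program to scan.
SAMPLE = '''
import os
DB_PASSWORD = "hunter2"
def run():
    host = input("host? ")
    cmd = "ping -c 1 " + host
    os.system(cmd)
    count = 3
    os.system("ls")
    return eval(str(count))
'''

if __name__ == "__main__":
    for line, rule, msg in scan(SAMPLE):
        print(f"line {line}: [{rule}] {msg}")
```

On `SAMPLE` the report has three entries: the hard-coded secret (local), the `os.system(cmd)` call fed by `input()` (data-flow) and the `eval()` call (local). `os.system("ls")` is not reported because its argument is a clean literal, which is the kind of distinction a pure pattern match on the function name cannot make.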
What are type checks a common cause of?
Both false negatives and false positives: a type error is not necessarily a security bug, and type-correct code can still be vulnerable.
What is the difference between Style Checks and Type Checks?
Type checks : Check at compile time that every value is used according to its declared type.
Style checks : Check the code's syntax and semantics against coding conventions (linting).
What is fuzzing?
Automatically generating a large set of test inputs (random, mutated from valid samples, or grammar-based), feeding them to the running program and watching for crashes or other unexpected behaviour.
What are some issues with fuzzing?
Does the input fit the criteria? Malformed inputs are often rejected at the first validation step and never reach the deeper code.
Did we get enough coverage? Without measuring which code paths were exercised, a quiet run may only mean the inputs never reached the bugs.
Is the response a bug or not? An error response may be a correct rejection rather than a vulnerability, while a real bug may not crash the program at all (the oracle problem).