Security Testing Flashcards
Software Testing
Connectivity
Vulnerability
Security Testing
Software Testing: Software Evaluation against (Functional/Non-functional) Requirements.
Connectivity: e.g., Cloud Computing, Location-based Services
Vulnerability: A weakness of an asset or group of assets that can be exploited by one or more threats
Security Testing: Software Evaluation against Security Requirements
Static Testing
Dynamic Testing
Test Suite
Static Testing: Review software development artifacts without executing them
Dynamic Testing: Execute and Verify Software against expected behaviours from a finite set of Test Cases
Test Suite = A finite set of test cases
Test Case Execution
Verdict: Pass / Fail / Inconclusive
Failure: an undesired behaviour
Fault: the cause of the failure
Security functional testing
Security vulnerability testing
Security functional testing: To validate intended security functionality
Security vulnerability testing: To identify unintended system vulnerabilities
Exploitation
Attack
Exploitation: malicious input/steps to make use of a vulnerability
Attack: perform an exploitation to violate related security property of an asset
Model-Based Testing (MBT)
Automatic and systematic generation of test cases from models of systems under test and their environments
MBT Benefits
Better documentation of test cases
The ability to automatically generate useful tests and measure and optimize test coverage
Higher test quality through model-based quality analysis
Shorter schedules and lower costs
Model-Based Security Testing (MBST)
Input Models:
Attacker models: attackers’ targets, capabilities and steps
Vulnerability models: Weakness encoding in system models
Properties models: Encoding of an asset's not-to-be-violated security properties (CIA) in system models
Abstract Test Cases (ATC)
ATC = A sequence of Attack Actions.
ATC Execution = Execute every attack action in order.
Successful Execution/Attack = All attack actions are successfully executed.
Failed Execution/Attack = Not all attack actions are successfully executed.
An ATC passes if its execution is not successful.
An ATC fails if its execution is successful.
Code-Based Security Testing (CBST)
To detect vulnerabilities by examining the source code.
Input: Source code (non-executable system under test)
Approaches: Manual vs Automatic
Manual Code Review
Expert to read source code line-by-line
Steps:
To understand attack surfaces
To review code
To report the result
Static Application Security Testing (SAST)
Syntactic checks: e.g., calling insecure APIs, using insecure configuration options
Semantic checks: using models of data flow and/or control flow.
E.g., SQL Injection vulnerability due to an unsanitised data flow from input to a SQL statement.
Penetration Testing
To mimic real-world attacks on real systems and data.
To use tools and techniques commonly used by attackers.
To bypass the security features.
To seek combinations of vulnerabilities on one or more systems to gain more access
Pen-Testing Pros
Pen-testing helps determine:
The system tolerance under real-world attacks.
The level of sophistication an attacker needs.
Additional countermeasures to mitigate threats.
Defenders’ ability to detect and respond to attacks
Pen-Testing Cons
Labour intensive.
Requires great expertise.
May leave the SUT (or even related systems) damaged or inoperative.
Needs careful consideration, notification and planning