Security Testing

Question 1

what is the difference between white and black box testing?

Answer 1

white box: all manufacturers knowledge available

black box: no insider knowledge

Question 2

why should you test?

Answer 2

to uncover security-related defects

Question 3

what techniques to test are there?

Answer 3

• creation of input, edge cases, sequence of events

- modification of execution environment

Question 4

what are the levels of vulnerability analysis

Answer 4

• survey
• analysis
• focused analysis
• methodical analysis
• advanced methodical analysis

Question 5

what is done in a vulnerability survey?

Answer 5

• survey of public information to determine vulnerabilites in a product
• only vulnerabilites that are known and easy to find
• perform own tests assuming basic attack potential

Question 6

what is done in a vulnerability analysis?

Answer 6

• Requires functional specification for security mechanisms

- Evaluator performs own tests assuming Basic attack potential

Question 7

how much time does vulnerability analysis consume?

Answer 7

In evaluationsoften50% ofeffort

Question 8

what is done in focused vulnerability analysis?

Answer 8

• Requires sourcecode at least for security
  mechanisms
  -Evaluator performs own tests assuming Enhanced-Basic attack potential

Question 9

what is done in methodical vulnerability analysis?

Answer 9

• Same prerequisites as focused vulnerability analysis

- Evaluator performs own tests assuming Moderate attack potential

Question 10

what is done in advanced methodical vulnerability analysis?

Answer 10

-Evaluator performs own tests assuming High attack potential