Software Security Testing Flashcards
A measure of the system’s ability to protect data and information from unauthorized access while still providing access to people and systems that are authorized
Security
An action taken against a computer system with the intention of doing harm is called an ____
Attack
CIA approach to security
- Confidentiality
- Integrity
- Availability
What are other security characteristics?
- Authentication
- Nonrepudiation
- Authorization
Data or services are protected from unauthorized access
Confidentiality
Data or services are not subject to unauthorized manipulation
Integrity
The system will be available for legitimate use
Availability
Verifies the identities of the parties to a transaction and checks if they are truly who they claim to be
Authentication
Guarantees that the sender of a message cannot later deny having sent the message, and that the recipient cannot deny having received the message
Nonrepudiation
Grants a user the privileges to perform a task
Authorization
Human or another system which may have been previously certified (either correctly or incorrectly) or may be currently unknown. A human attacker may be from outside the organization or from inside the organization
Source
Unauthorized attempt is made to display data, change or delete data, access system services, change the system’s behavior, or reduce availability
Stimulus
T/F Software design reviews can evaluate security
T
T/F Data flows (and therefore data flow diagrams) cannot be used for security analysis
F, they can
T/F Reused and off-the-shelf software components should meet the same security requirements as new software
T
T/F Construction languages and their implementations (for example, compilers) are not serious contributors to security vulnerabilities
F
Special form of random testing aimed at breaking the software often used for security testing
Fuzz testing
T/F Security, in terms of access control and the backup facilities, is a key aspect of library management
T
Builds security in software by following a set of established and/or recommended rules and practices in software development
Secure software development
T/F A generally accepted view concerning software security is that it is much better to design security into software than to patch it in after software is developed
T
T/F Security faults and loopholes can be and often are introduced during maintenance
T
Deals with the clarification and specification of security policy and objectives into software requirements
Software requirements security
Specific functions that are required for the sake of security
Software requirements
Possible ways that the security of software is threatened
Threats/risks
What type of requirements are security requirements?
“Shall not” requirements
T/F It is possible to define this unwanted behavior as simple constraints to be checked by the system
F
T/F It is impossible to prove that a system does not do something
T
Can you derive requirements for an unknown type of attack?
No
Deals with the design of software modules that fit together to meet the security objectives specified in the security requirements
Software design security
T/F Factors considered may include frameworks and access modes that set up the overall security monitoring/enforcement strategies, as well as the individual policy enforcement mechanisms
T
Concerns the question of how to write actual programming code for specific situations such that security considerations are taken care of
Software construction security
T/F When an error occurs, the program should restore the state of the software to the state it had before the process began, and then terminate
T
T/F The error status of every function does not need to be checked
F
Should your program share objects in memory with any other program?
No
Security concerns during software development may necessitate one or more software processes to protect the security of the development environment and reduce the risk of malicious acts
Adding security processes
Evaluate the degree to which a test item and its associated data are protected so that unauthorized persons or systems cannot use, read, or modify them and authorized persons or systems are granted required access to them
Security testing
T/F Security requirements are concerned with the ability to protect the data and functionality of a test item from unauthorized users and malicious use
T
Involves attempted access to a test item (including its functionality and/or private data) by a tester that is mimicking the actions of an unauthorized user
Penetration testing
Involves attempted access to private data and verification of the audit trail (i.e., trace) that is left behind when users access private data
Privacy testing
A type of static testing in which a tester inspects, reviews, or walks through the requirements and code of a test item to determine whether any security vulnerabilities are present
Security auditing
Involves the use of automated testing tools to scan a test item for signs of specific known vulnerabilities
Vulnerability scanning