Application Security Buzzwords Flashcards
(30 cards)
What is SAST?
Static Application Security Testing
True or False: DAST is performed on a live application.
True
Which scanning method focuses on code analysis?
Static Application Security Testing (SAST)
What is the primary goal of ‘Threat Modeling’?
To identify potential security threats and vulnerabilities in an application by reviewing the way that it has been designed.
What does ‘OWASP’ stand for?
Open Worldwide Application Security Project (Formerly Open Web Application Security Project)
Multiple choice: Which of the following is NOT a common application security testing technique?
A) Penetration Testing B) Code Review C) Load Testing
C) Load Testing
The following are all vendors of what type of security testing?
Snyk, Semgrep, Veracode, SonarQube, and Checkmarx
Static Application Security Testing (SAST)
Fill in the blank: _______ is the practice of simulating attacks on an application to identify security weaknesses.
Penetration Testing
What is ‘Compliance Testing’?
Testing to ensure that an application meets specific regulatory and security standards (e.g. ISO27001 or SOC2).
True or False: Application security testing should only be done at the end of the development process.
False
Multiple choice: Which of the following is a common output of application security testing?
A) Code B) Vulnerabilities C) Patches
B) Vulnerabilities
What is the purpose of ‘Security Code Review’?
To manually inspect source code for security flaws.
Fill in the blank: _______ refers to the process of assessing an application’s security posture on an ongoing basis.
Continuous Security Testing
What does ‘Software Composition Analysis (SCA)’ do?
It identifies whether third-party software with known vulnerabilities is used by applications.
True or False: Security testing is only relevant for web applications.
False
What are ‘False Positives’ in the context of security testing?
Instances where a vulnerability scanner incorrectly identifies a vulnerability that does not exist.
Multiple choice: Which of the following tools is commonly used for SAST?
A) Burp Suite B) SonarQube C) Wireshark
B) SonarQube
What does ‘Exploitability’ refer to in application security?
The likelihood that a vulnerability can be successfully exploited.
Fill in the blank: _______ and _______ are two industry-standard systems for classifying vulnerabilities.
CWEs and OWASP-Top-10
What is the difference between ‘Black Box Testing’ and ‘White Box Testing’?
Black Box Testing does not require knowledge of the internal workings of the application, while White Box Testing does.
True or False: Application security testing is a one-time activity.
False
What is ‘Security Automation’?
The use of software tools to automate security testing processes.
BurpSuite, ZAP (Zed Attack Proxy), Tenable, and AppCheck are all types of what?
DAST (Dynamic Application Security Testing) Tools
What is the SDLC?
Software Development Lifecycle: describes the software development process inside a business.