Domain 6: Security Assessment and Testing Flashcards

1
Q

Penetration Testing Methodology

A

1 • Planning
2 • Reconnaissance
3 • Scanning (also called enumeration)
4 • Vulnerability assessment
5 • Exploitation
6 • Reporting

2
Q

Static Testing

A

Test the code passively; the code is not running. This
includes walkthroughs, syntax checking, and code reviews.

4
Q

Dynamic Testing

A

Tests the code while executing it.
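To make the difference between the two cards concrete, here is an added example in Python (not part of the flashcard deck). The code under test, `SAMPLE_SOURCE`, is constructed for this example; it deliberately uses `eval()` and `os.popen()`. `static_check` walks the parsed AST and reports risky calls without ever running the code; `dynamic_check` actually loads and calls `render_greeting` with a benign and a hostile template and records what happens at run time. The name list in `RISKY_CALLS` is an illustrative choice, not a standard.

```python
import ast
import textwrap

# Constructed code under test for this example (not from the flashcard deck).
SAMPLE_SOURCE = textwrap.dedent("""\
    import os

    def render_greeting(template, name):
        # Build an f-string from the caller's template and evaluate it.
        return eval(f"f'{template}'")

    def list_dir(path):
        return os.popen("ls " + path).read()
    """)

# Illustrative set of calls worth flagging without executing anything.
RISKY_CALLS = {"eval", "exec", "os.system", "os.popen", "subprocess.call"}


def _callee_name(node):
    """Dotted name of a call's target, e.g. 'eval' or 'os.popen' ('' if unknown)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def static_check(source):
    """Static test: parse the source into an AST and list risky calls with
    their line numbers. The code under test is never executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in RISKY_CALLS:
                findings.append((node.lineno, name))
    return sorted(findings)


def dynamic_check(source):
    """Dynamic test: load the code, call render_greeting with a benign and a
    hostile template, and record what actually happens at run time."""
    namespace = {}
    exec(source, namespace)          # this is execution; the static check never does this
    render = namespace["render_greeting"]
    results = {"benign": render("Hello {name}", "alice")}
    # A template whose braces hold arbitrary Python; the f-string evaluates it.
    hostile = '{__import__("os").getcwd()}'
    try:
        results["hostile"] = render(hostile, "bob")
        results["injected_code_ran"] = True
    except Exception as exc:         # record any failure instead of aborting
        results["hostile"] = f"{type(exc).__name__}: {exc}"
        results["injected_code_ran"] = False
    return results


if __name__ == "__main__":
    print("static :", static_check(SAMPLE_SOURCE))
    print("dynamic:", dynamic_check(SAMPLE_SOURCE))
```

The static check finds both risky calls from the source text alone; the dynamic check shows why the `eval` finding matters, since the hostile template makes the program evaluate attacker-chosen Python. Neither check replaces the other: the static one cannot tell whether the call is reachable with hostile data, and the dynamic one only sees the inputs it was given.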

5
Q

White Box Software Testing

A

Gives the tester access to program source code, data structures, variables, etc.

6
Q

Black Box Testing

A

Gives the tester no internal details: the software is treated as a black box that receives inputs.

7
Q

Traceability Matrix (sometimes called a Requirements Traceability Matrix, or RTM)

A

Maps each customer requirement to the test cases in the software testing plan that verify it: it “traces” the “requirements” and makes visible any requirement that has no test, so that every requirement can be shown to be met.

8
Q

Fuzzing (Fuzz Testing)

A

A type of black box testing that feeds random or deliberately malformed data to a program’s inputs to find inputs that make it crash, hang, or fail in other unexpected ways. Classic fuzzing only observes the program from the outside, which is what makes it black box; modern coverage-guided fuzzers such as AFL and libFuzzer instrument the target to steer input generation, which makes them gray box.
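An added example in Python (not part of the flashcard deck) of what a mutation fuzzer does. `parse_record` is a constructed toy parser with the usual untested assumptions; `fuzz` mutates a well-formed seed and records the first input that triggers each kind of unexpected exception. `parse_record_hardened` is the same format with every assumption checked, raising only `MalformedRecord`, so fuzzing it with that exception declared as expected should report no crashes. The record format, the seed and the mutation strategy are all assumptions made for this example.

```python
import random


def parse_record(data):
    """Constructed parser under test (not from the deck). Format:
    b'<count>:<key>=<value>;<key>=<value>...'.  It trusts the declared count
    and assumes every field contains '=' and is valid UTF-8."""
    header, _, body = data.partition(b":")
    count = int(header)                          # ValueError on a non-numeric header
    fields = body.split(b";")
    result = {}
    for i in range(count):                       # IndexError if count > len(fields)
        key, value = fields[i].split(b"=", 1)    # ValueError if a field has no '='
        result[key.decode()] = value.decode()    # UnicodeDecodeError on bad bytes
    return result


class MalformedRecord(Exception):
    """The only exception the hardened parser raises for bad input."""


def parse_record_hardened(data):
    """Same format, but every assumption is checked and every rejection is
    reported as MalformedRecord instead of an arbitrary crash."""
    header, sep, body = data.partition(b":")
    if not sep or not header.isdigit():
        raise MalformedRecord("header must be '<digits>:'")
    fields = body.split(b";") if body else []
    if int(header) != len(fields):
        raise MalformedRecord("declared count does not match field count")
    result = {}
    for field in fields:
        key, eq, value = field.partition(b"=")
        if not eq or not key:
            raise MalformedRecord("field must be '<key>=<value>'")
        try:
            result[key.decode("utf-8")] = value.decode("utf-8")
        except UnicodeDecodeError:
            raise MalformedRecord("field is not valid UTF-8") from None
    return result


def mutate(seed, rng):
    """Apply 1-4 random byte flips, insertions or deletions to the seed."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and buf:                              # flip one byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1:                                    # insert one byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 2 and len(buf) > 1:                   # delete one byte
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed, iterations=5000, rng_seed=1, expected=()):
    """Mutation fuzzer: feed mutated seeds to target and keep the first input
    that triggers each kind of unexpected exception. Exception types listed in
    `expected` are the target's deliberate rejections, not crashes."""
    rng = random.Random(rng_seed)                # fixed seed keeps runs reproducible
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except expected:
            continue
        except Exception as exc:                 # anything else is a finding
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


def exception_name(target, data):
    """Name of the exception `target(data)` raises, or None if it returns."""
    try:
        target(data)
    except Exception as exc:
        return type(exc).__name__
    return None


SEED = b"2:user=alice;role=admin"                # constructed, well-formed seed input

if __name__ == "__main__":
    print("naive   :", fuzz(parse_record, SEED))
    print("hardened:", fuzz(parse_record_hardened, SEED, expected=(MalformedRecord,)))
```

The fuzzer knows nothing about the format beyond the seed; it finds the `ValueError`, `IndexError` and `UnicodeDecodeError` paths purely by observing crashes, which is the black-box property the card describes. The hardened parser is the practical follow-up: once every rejection is a single, deliberate exception, "no unexpected exception in N iterations" becomes a check you can run in CI.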

9
Q

Combinatorial Software Testing

A

A black-box testing method that seeks to identify and test all unique combinations of values for a set of input parameters. Exhaustive combination testing grows multiplicatively with the number of parameters and values, so the practical form is pairwise (all-pairs) testing, which generates a much smaller test set that still covers every combination of values for every pair of parameters.
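An added example in Python (not part of the flashcard deck) of generating a pairwise test set with a simple greedy algorithm: repeatedly pick the full combination that covers the most still-uncovered pairs until none remain. The four parameters and their values (`PARAMETERS`) are constructed for the example; `uncovered_pairs` is the check that the generated set really covers every pair.

```python
from itertools import combinations, product


def required_pairs(parameters):
    """All (param, value) x (param, value) pairs that pairwise coverage must hit.
    Pairs are ordered by parameter position so that lookups are canonical."""
    names = list(parameters)
    pairs = set()
    for a, b in combinations(names, 2):
        for va in parameters[a]:
            for vb in parameters[b]:
                pairs.add(((a, va), (b, vb)))
    return pairs


def pairs_covered_by(test, names):
    """Pairs exercised by one test case (a dict mapping parameter -> value)."""
    return {((a, test[a]), (b, test[b])) for a, b in combinations(names, 2)}


def pairwise_tests(parameters):
    """Greedy all-pairs generator. Every required pair belongs to at least one
    exhaustive combination, so each round removes at least one pair and the
    loop terminates."""
    names = list(parameters)
    uncovered = required_pairs(parameters)
    candidates = [dict(zip(names, values)) for values in product(*parameters.values())]
    tests = []
    while uncovered:
        best = max(candidates, key=lambda t: len(pairs_covered_by(t, names) & uncovered))
        uncovered -= pairs_covered_by(best, names)
        tests.append(best)
    return tests


def uncovered_pairs(tests, parameters):
    """Verification: which required pairs does a given test set miss?"""
    names = list(parameters)
    covered = set().union(*(pairs_covered_by(t, names) for t in tests))
    return required_pairs(parameters) - covered


# Constructed example: four parameters of a login flow, 3*3*2*2 = 36 exhaustive combinations.
PARAMETERS = {
    "browser": ["chrome", "firefox", "safari"],
    "os": ["linux", "windows", "macos"],
    "tls": ["1.2", "1.3"],
    "auth": ["password", "mfa"],
}

if __name__ == "__main__":
    tests = pairwise_tests(PARAMETERS)
    print(f"{len(tests)} pairwise tests instead of {3 * 3 * 2 * 2} exhaustive ones")
    for t in tests:
        print(t)
    print("uncovered:", uncovered_pairs(tests, PARAMETERS))
```

The lower bound for this parameter set is 9 tests (the two three-valued parameters alone have 9 pairs and each test covers one of them), and the greedy pass lands close to it; the saving grows quickly as more parameters are added. Greedy is not optimal, which is why the verification step is worth keeping even when a tool generates the set.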

10
Q

Misuse Case (Negative) Testing

A

Designed to assess how a system or application responds to unexpected inputs or situations, and identifies vulnerabilities which might be exploitable under these unexpected circumstances.

11
Q

Abuse Cases

A

A specification of a deliberate, harmful interaction between a user and a system. They are often used to identify security requirements by specifying the ways a system could be abused by a malicious actor and are an integral part of threat modeling.

12
Q

Unit Testing

A

Low-level tests of software components, such as
functions, procedures or objects.

13
Q

Installation Testing

A

Testing software as it is installed and first operated.

14
Q

Integration Testing

A

Testing multiple software components as they are combined into a working system. Components may be integrated and tested incrementally in subsets, or all at once, which is called Big Bang integration testing.

15
Q

Regression Testing

A

Testing software after updates, modifications, or patches to confirm that previously working functionality still works, that is, that the change has not introduced a regression.

16
Q

Acceptance Testing

A

Testing to ensure the software meets the customer’s operational requirements. When this testing is done directly by the customer, it is called User Acceptance Testing.

17
Q

Test Coverage Analysis & Four Main Criteria

A

Measures how much of a system or application its tests actually exercise. Coverage can be expressed as a percentage of the whole system or as a count of specific items tested, such as functions or modules. Four main criteria:
• Branch coverage ensures that each branch of every control statement (for example, both the true and the false outcome of an if) has been executed.
• Condition coverage requires each Boolean sub-expression in the code to have been evaluated as both true and false.
• Function coverage makes sure that every function in the program is called.
• Statement coverage validates that every statement in the program has been executed at least once.
Statement coverage is the weakest of the four: a test set can execute every statement while never taking the false branch of an if, so 100% statement coverage does not imply 100% branch coverage.
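An added example in Python (not part of the flashcard deck) that measures statement coverage with the standard-library trace hook and shows why it is weaker than branch coverage. `normalize_port` is a constructed function with a bug on its untested branch. `coverage_report` records which executable lines ran and which line-to-line arcs were taken; arcs are the same idea coverage.py uses for its branch measurement, and here they are a cheap proxy for it: an `if` whose false branch never ran has no arc from its own line to the line after its body. Line numbers in the report are relative to the `def` line so they are stable wherever the function sits in a file.

```python
import dis
import sys


# Constructed function under test (not from the deck). Bug: when `value` is
# falsy, `port` is never assigned and the return raises UnboundLocalError.
def normalize_port(value):
    if value:
        port = int(value)
    return port


def coverage_report(func, calls):
    """Run `func` once per argument tuple in `calls` under sys.settrace and
    report statement coverage, missed lines, taken arcs and any exceptions.
    Line numbers are relative to the function's def line (def line = 0)."""
    code = func.__code__
    first = code.co_firstlineno
    # Lines that hold executable statements; the def line itself is excluded.
    executable = {ln - first for _, ln in dis.findlinestarts(code)
                  if ln is not None and ln != first}
    executed, arcs, errors = set(), set(), []
    state = {"last": None}

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None                      # only trace the function under test
        if event == "call":
            state["last"] = None
        elif event == "line":
            line = frame.f_lineno - first
            if line not in executable:       # ignore synthetic entry events
                return tracer
            executed.add(line)
            if state["last"] is not None:
                arcs.add((state["last"], line))
            state["last"] = line
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args in calls:
            try:
                func(*args)
            except Exception as exc:         # record the failure, keep measuring
                errors.append(type(exc).__name__)
    finally:
        sys.settrace(previous)

    return {
        "statement_coverage": len(executed) / len(executable),
        "missed_lines": executable - executed,
        "arcs": arcs,
        "errors": errors,
    }


if __name__ == "__main__":
    # One test reaches every statement (100% statement coverage) but never
    # takes the false branch of the if: no arc from line 1 straight to line 3.
    print(coverage_report(normalize_port, [("443",)]))
    # Adding a falsy input takes the missing arc (1 -> 3) and exposes the bug.
    print(coverage_report(normalize_port, [("443",), ("",)]))
```

With only `"443"` as input the report shows statement coverage of 1.0 and arcs {(1, 2), (2, 3)}: every line ran, yet the path that skips the assignment was never exercised. Adding `""` takes the (1, 3) arc and the function fails with `UnboundLocalError`, which is the class of bug a branch-coverage target would have flagged as untested and a statement-coverage target would not.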