Domain 6 - Security assessment and testing Flashcards
Static testing
we passively test the code, we do not run it
Dynamic testing
we tests code while executing it
Fuzzing
a black box testing that submits random, malformed data as inputs into software programs to determine if they will crash
Penetration Testing or white hat hacking
we pay someone to test our security by trying to compromise our safeguards. This is testing both our organization’s physical and logical perimeter
Synthetic Transactions/Monitoring
building scripts or tools that simulate normal user activity in an application
is PCI-DSS a law
no, its a standard for entities that issue or handle credit cards. The Industry agreed upon the standards
HIPAA is what
Health Insurance Portability and Accountability Act of 1996. its a Health Information Privacy Law
is HIPAA a law
Yes - its a law to protect your personal identifiable information and your personal health information
the difference between SOC 2 type 1 and type 2
type 2 reports the effectiveness of the controls over time
SOC 2 type 1 definition
report of management’s description of a service organization’s system and the suitability of the design of controls
In software testing, component interface testing would test what?
A: process and security alerts when encountering errors
B: data handling passed between different units and subsystems
C: the functionality of a specific section of code
D: interfaced between components against the software design
B:
Explanation
Component interface testing: Testing can be used to check the handling of data passed between various units, or subsystem components, beyond full integration testing between those units.
At the end of our software development project, we are doing interface testing. What are we testing?
all interfaces exposed by the application
Penetration testers have found a vulnerability on some of our switches. The vulnerability is an exploitable, who would patch the switch?
The network team
Explanation
Penetration testers are only there to provide a report, they don’t fix or alter anything. As the security team we do not update switches, that is the responsibility of the networking team.
One of the distinct phases of software testing is installation testing. What are we testing in this phase?
Installation testing: Assures that the system is installed correctly and working at actual customer’s hardware.
Prior to an external structured audit, we would often do an ‘unstructured’ audit. Who would perform that?
Unstructured audits: Internal auditors to improve our security and find flaws, often done before an external audit.
In our software testing we are doing, “unit testing”, what are we testing?
Tests that verify the functionality of a specific section of code
Penetration Testing (Pen Testing) have very clear rules of engagement defined in a SOW (Statement Of Work)
Which IP ranges, time frame, tools, POC (point of contact), how to test, what to test.
We are doing different types of audits in our organization. Who would perform a structured audit?
External Auditors
Which phase could a penetration tester go to after they are finished with one of the “System browsing” phases?
Discovery
Install additional tools
What could a vulnerability scan possibly help us find?
outdated software, missing patches and system misconfiguration
We have hired a penetration testing company to find security flaws in our organization. They are at the enumeration phase, what are they doing?
scanning
Pen testing phases
Planning
Reconnaissance
Scanning (enumeration)
Vulnerability assessment
Exploitation
Reporting.
What would be the PRIMARY reason we use a specific server for storing our centralized logs, and only giving our administrators limited access?
to ensure the logs integrity
We have hired a penetration tester, and she has been given partial knowledge of our organization and infrastructure. Which access level would that emulate?
A: an administrator
B: a senior executive
C: a manager
D: a normal employee
D: a normal employee
Explanation
Gray (Grey) box (Partial Knowledge) Pentesting: The attacker has limited knowledge; is a normal user, vendor, or someone with limited environment knowledge.
