Domain 6 - Security Assessment and Testing Flashcards

Flashcards in Domain 6 - Security Assessment and Testing Deck (13):

These use many of the same techniques followed during security assessments but must be performed by independent auditors.

Security audits


Comprehensive reviews of the security of a system, application, or other tested environment.

Security assessments


These verify that a control is functioning properly.

Security tests


These automatically probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker.

Vulnerability scans


Name 3 types of vulnerability scans

Network discovery scans, network vulnerability scans, and web application vulnerability scans.


This evaluates the security of software without running it, by analyzing either the source code or the compiled application.

Static testing


This evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code.

Dynamic testing


A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.

Fuzz testing


Takes previous input values from actual operation of the software and manipulates (or mutates) them to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.

Mutation (Dumb) Fuzzing


Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.

Generational (Intelligent) Fuzzing


Testing where the team has no knowledge of the target other than what is publicly available. This simulates an external attack.

Zero-knowledge or black-box testing


Testing where the team has limited knowledge of the organization.

Partial knowledge


Testing where the team has full knowledge of the network operations. This type of testing often simulates an internal attack.

Full knowledge