Flashcards in Domain 6 - Security Assessment and Testing Deck (13):
These use many of the same techniques followed during security assessments but must be performed by independent auditors.
comprehensive reviews of the security of a system, application, or other tested environment.
These verify that a control is functioning properly.
These automatically probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker.
Name 3 types of vulnerability scans
network discovery scans, network vulnerability scans, and web application vulnerability scans
This evaluates the security of software without running it by analyzing either the source code or the compiled application.
This evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code.
A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.
Takes previous input values from actual operation of the software and manipulates (or mutates) it to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.
Mutation (Dumb) Fuzzing
Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
Generational (Intelligent) Fuzzing
Testing where the team has no knowledge of the target other than what is publicly available. This simulates an external attack.
Zero knowledge or Black box testing
Testing where the team has limited knowledge of the organization.