CISSP Domain 6 - Security Assessment and Testing Flashcards

Flashcards in Domain 6 - Security Assessment and Testing Deck (13):
1

These use many of the same techniques as security assessments but must be performed by independent auditors rather than by the staff who operate the systems under review.

Security audits

2

Comprehensive reviews of the security of a system, application, or other tested environment; the normal work product is an assessment report to management with recommendations for improvement.

Security assessments

3

These verify that a control is functioning properly.

Security tests

4

These automatically probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker.

Vulnerability scans

5

Name 3 types of vulnerability scans

Network discovery scans, network vulnerability scans, and web application vulnerability scans

6

This evaluates the security of software without running it, by analyzing either the source code or the compiled application.

Static testing
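Added example, not one of the deck's cards: a small static check in Python that reads source text and flags risky calls without ever executing it, which is the defining property of static testing. The sample source, the list of flagged call names and the checker itself are all constructed for this example; real static analysis tools apply much larger rule sets plus data-flow analysis, but the mechanism (parse, walk the syntax tree, report) is the same.

```python
import ast
from typing import List, Tuple

# Constructed sample source. It is only parsed, never executed: that is the
# whole point of static testing.
SAMPLE_SOURCE = '''
import subprocess, pickle

def run(cmd):
    return subprocess.run(cmd, shell=True)      # shell=True with caller data

def load(blob):
    return pickle.loads(blob)                   # deserialises untrusted bytes

def calc(expr):
    return eval(expr)                           # code execution from a string

def safe(cmd):
    return subprocess.run(["ls", "-l"])         # list form, no shell: not flagged
'''

# Dotted call names that warrant a finding regardless of their arguments
# (an assumed rule set for this example, not a complete list).
DANGEROUS_CALLS = {"eval", "exec", "pickle.loads", "pickle.load"}


def _call_name(node: ast.Call) -> str:
    """Return the dotted name of the called function, e.g. 'subprocess.run'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _has_shell_true(node: ast.Call) -> bool:
    """True if the call passes the keyword argument shell=True literally."""
    for kw in node.keywords:
        if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
            return True
    return False


def scan_source(source: str) -> List[Tuple[int, str]]:
    """Parse the source, walk its AST and return (line, message) findings sorted by line."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, f"call to {name}"))
        elif name.startswith("subprocess.") and _has_shell_true(node):
            findings.append((node.lineno, f"{name} with shell=True"))
    return sorted(findings)


if __name__ == "__main__":
    for line, msg in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {msg}")
```

Run on the sample source, the checker reports the shell=True call, the pickle.loads call and the eval call, and stays silent on the list-form subprocess call. Because nothing is executed, the check works equally on code the organization could never safely run, but it also cannot see behaviour that only appears at runtime, which is where the dynamic testing cards below come in.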

7

This evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by a third party, because in those cases testers usually have no access to the underlying source code.

Dynamic testing

8

A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws.

Fuzz testing

9

Takes input values captured from actual operation of the software and manipulates (or mutates) them to create fuzzed input. It might alter characters in the content, append strings to the end of the content, or perform other data manipulation techniques.

Mutation (Dumb) Fuzzing

10

Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.

Generational (Intelligent) Fuzzing
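Added example, not one of the deck's cards, covering cards 7 to 10: a toy record parser (constructed for this example and deliberately fragile) is dynamically tested by two fuzzers. The mutation fuzzer alters, appends to, deletes from or truncates captured seed records with no knowledge of the format; the generational fuzzer builds records from a model of the format's fields. The harness treats the parser's own RecordError as a correct rejection and any other escaping exception as a crash. The record format, the seed inputs and all names here are assumptions of the example.

```python
import random
from typing import Dict, Optional


class RecordError(Exception):
    """The parser's documented rejection of bad input; anything else escaping is a bug."""


def parse_record(data: bytes):
    """Toy parser for a constructed format: type (1 byte) | length (1 byte) | payload.

    Deliberately fragile so the fuzzers have something to find; each BUG comment
    marks an exception that escapes instead of becoming a RecordError.
    """
    if len(data) < 2:
        raise RecordError("too short")
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    if len(payload) != length:
        raise RecordError("truncated payload")
    if rtype == 1:
        return ("text", payload.decode("ascii"))   # BUG: bytes >= 0x80 -> UnicodeDecodeError
    if rtype == 2:
        return ("count", int(payload))             # BUG: non-digit payload -> ValueError
    if rtype == 3:
        return ("flag", payload[0] != 0)           # BUG: empty payload -> IndexError
    raise RecordError("unknown type")


def run_case(data: bytes) -> Optional[str]:
    """Return None if the parser behaved (result or RecordError), else the crash's exception name."""
    try:
        parse_record(data)
    except RecordError:
        return None
    except Exception as exc:  # any other exception escaping the parser is a crash
        return type(exc).__name__
    return None


# Constructed valid records, standing in for inputs captured from real operation.
SEEDS = [b"\x01\x05hello", b"\x02\x02" + b"42", b"\x03\x01\x01"]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random 'dumb' mutation; the fuzzer knows nothing about the format."""
    buf = bytearray(data)
    op = rng.choice(("set_byte", "append", "delete", "truncate"))
    if op == "set_byte" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "append":
        buf += bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def mutation_fuzz(iterations: int = 500, seed: int = 1) -> Dict[str, bytes]:
    """Mutation (dumb) fuzzing: mutate captured seeds, keep the first input per crash type."""
    rng = random.Random(seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(rng.choice(SEEDS), rng)
        crash = run_case(case)
        if crash and crash not in crashes:
            crashes[crash] = case
    return crashes


# Data model for generational fuzzing: the fuzzer knows the field layout and
# picks type codes and payload classes that probe each field's edges.
TYPE_CODES = [0, 1, 2, 3, 255]
PAYLOAD_CLASSES = [b"", b"0", b"42", b"hello", b"\xff" * 4, b"A" * 255]


def generational_fuzz() -> Dict[str, bytes]:
    """Generational (intelligent) fuzzing: build well-formed records from the model."""
    crashes: Dict[str, bytes] = {}
    for rtype in TYPE_CODES:
        for payload in PAYLOAD_CLASSES:
            case = bytes([rtype, len(payload)]) + payload
            crash = run_case(case)
            if crash and crash not in crashes:
                crashes[crash] = case
    return crashes


if __name__ == "__main__":
    for name, found in (("mutation", mutation_fuzz()), ("generational", generational_fuzz())):
        print(f"{name}: {', '.join(sorted(found)) or 'no crashes'}")
```

The generational fuzzer reaches all three bugs with only 30 cases because its model always sets the length field correctly, so every case gets past the parser's validation and into the type-specific code. The mutation fuzzer needs many more iterations and spends most of them on inputs the parser rejects cleanly (wrong length, unknown type), which is the usual trade-off between the two approaches: dumb fuzzing is cheap to set up, intelligent fuzzing gets deeper faster.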

11

Testing where the team has no knowledge of the target other than what is publicly available. This simulates an external attack.

Zero knowledge or Black box testing

12

Testing where the team has limited knowledge of the organization.

Partial knowledge or Gray box testing

13

Testing where the team has full knowledge of the network operations. This type of testing often simulates an internal attack.

Full knowledge or White box testing