Flashcards in Security Assessment & Testing Deck (29):
A design that allows one to peek inside the "box" & focuses specifically on using internal knowledge of the software to guide the selection of test data.
White Box Testing
Intermediate hosts through which websites are accessed.
Log the patch installation history & vulnerability status of each host, which includes known vulnerabilities & missing software updates.
Vulnerability Management Software
The authentication process by which the biometric system matches a captured biometric against the person's stored template.
The determination of the correctness, with respect to the user needs & requirements, of the final program or software produced from a development project.
Abstract episodes of interaction between a system & its environment.
A process by which developers can understand security threats to a system, determine risks from those threats, & establish appropriate mitigation.
Operational actions performed by OS components, such as shutting down the system or starting a service.
Involves having external agents run scripted transactions against a web application.
Synthetic Performance Monitoring
Analysis of the application source code for finding vulnerabilities without actually executing the application.
Static Source Code Analysis (SAST)
Criteria requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product's behavior.
The process for generating, transmitting, storing, analyzing, & disposing of computer security log data.
Security Log Management
The determination of the impact of a change based on review of the relevant documentation.
An approach to web monitoring that aims to capture & analyze every transaction of every user of a website or application.
Real User Monitoring (RUM)
Determines that your application works as expected.
This criteria requires sufficient test cases for each feasible path, basic path, etc. from start to exist of a defined program segment, to be executed at least once.
Ensures the application can gracefully handle invalid input or unexpected or unexpected user behavior.
Criteria requires sufficient test cases to exercise all possible combinations of conditions in a program decision.
A Use Case from the POV of an Actor hostile to the system under design.
Criteria requires sufficient test cases for all program loops to be executed for zero, one, two & many iterations covering initialization, typical running, & termination (boundary) conditions.
Any hardware or software mechanism that has the ability to detect & stop attacks in progress.
Intrusion Prevention System (IPS)
Real-time monitoring of events as they happen in a computer system or network, using audit trail records & network traffic & analyzing events to detect potential intrusion attempts.
Intrusion Detection System (IDS)
Maintaining ongoing awareness of information security, vulnerabilities, & threats to support organizational risk management decisions.
Information Security Continuous Monitoring (ISCM)
Considered to be a minimum level of coverage for most software products but decision coverage alone is insufficient for high-integrity applications.
Decision (Branch) Coverage
Criteria requires sufficient test cases for each feasible data flow to be executed at least once.
Data Flow Coverage
Criteria requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from Branch Coverage only when multiple conditions must be evaluated to reach a decision.
Tests an application for the use of system components or configurations that are known to be insecure.
Automated Vulnerability Scanners
A manual review of the product architecture to ensure that is fulfills the necessary requirements.
Architecture Security Review