Security Assessment & Testing Flashcards Preview

Game Changer > Security Assessment & Testing > Flashcards

Flashcards in Security Assessment & Testing Deck (29):

A design that allows one to peek inside the "box" & focuses specifically on using internal knowledge of the software to guide the selection of test data.

White Box Testing


Intermediate hosts through which websites are accessed.

Web Proxies


Log the patch installation history & vulnerability status of each host, which includes known vulnerabilities & missing software updates.

Vulnerability Management Software


The authentication process by which the biometric system matches a captured biometric against the person's stored template.



The determination of the correctness, with respect to the user needs & requirements, of the final program or software produced from a development project.



Abstract episodes of interaction between a system & its environment.

Use Cases


A process by which developers can understand security threats to a system, determine risks from those threats, & establish appropriate mitigation.

Threat Modeling


Operational actions performed by OS components, such as shutting down the system or starting a service.

System Events


Involves having external agents run scripted transactions against a web application.

Synthetic Performance Monitoring


Analysis of the application source code for finding vulnerabilities without actually executing the application.

Static Source Code Analysis (SAST)


Criteria requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product's behavior.

Statement Coverage


The process for generating, transmitting, storing, analyzing, & disposing of computer security log data.

Security Log Management


The determination of the impact of a change based on review of the relevant documentation.

Regression Analysis


An approach to web monitoring that aims to capture & analyze every transaction of every user of a website or application.

Real User Monitoring (RUM)


Determines that your application works as expected.

Positive Testing


This criteria requires sufficient test cases for each feasible path, basic path, etc. from start to exist of a defined program segment, to be executed at least once.

Path Coverage


Ensures the application can gracefully handle invalid input or unexpected or unexpected user behavior.

Negative Testing


Criteria requires sufficient test cases to exercise all possible combinations of conditions in a program decision.

Multi-Condition Coverage


A Use Case from the POV of an Actor hostile to the system under design.

Misuse Case


Criteria requires sufficient test cases for all program loops to be executed for zero, one, two & many iterations covering initialization, typical running, & termination (boundary) conditions.

Loop Coverage


Any hardware or software mechanism that has the ability to detect & stop attacks in progress.

Intrusion Prevention System (IPS)


Real-time monitoring of events as they happen in a computer system or network, using audit trail records & network traffic & analyzing events to detect potential intrusion attempts.

Intrusion Detection System (IDS)


Maintaining ongoing awareness of information security, vulnerabilities, & threats to support organizational risk management decisions.

Information Security Continuous Monitoring (ISCM)


Considered to be a minimum level of coverage for most software products but decision coverage alone is insufficient for high-integrity applications.

Decision (Branch) Coverage


Criteria requires sufficient test cases for each feasible data flow to be executed at least once.

Data Flow Coverage


Criteria requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from Branch Coverage only when multiple conditions must be evaluated to reach a decision.

Condition Coverage


Tests an application for the use of system components or configurations that are known to be insecure.

Automated Vulnerability Scanners


A manual review of the product architecture to ensure that is fulfills the necessary requirements.

Architecture Security Review


Contain security event information such as successful & failed authentication attempts, file accesses, security policy changes, account changes, & use of privileges.

Audit Records