Please enable JavaScript.
Coggle requires JavaScript to display documents.
Domain 6 - Security Assessment and Testing
Domain 6 -
Security Assessment and Testing
Software Testing Methods
Static Testing
code tested passively
review of the raw code
VF Approach!
Dynamic Testing
code tested while executed
Traceability Matrix
= RTM (Requirements Traceability Matrix)
mapping customer's requirement with software testing plan
Synthetic Transactions
simulate activities normally performed in application with scripts/tools
Software Testing Levels
Unit Testing = functions, procedures, objects
Installation Testing = software
Integration Testing = multiple software components
Regression Testing = software after updates, modifications, patches
Acceptance Testing = user acceptance testing
Fuzzing
black box testing
Goal: determine if application will crash
submits random/malformed data
= dynamic testing
Combinatorial Testing
black-box testing
Goal: Identify and test all unique combinations of software inputs
example pairwise testing
Misuse Case Testing
use cases in UML (unified modeling language)
threat modeling
Test Coverage Analysis
identify degree to which code testing applies to the entire application
Interface Testing
Manual Code Review
check code manually
Assessing Access Control
Penetration Testing
White hat hacking
Possible Content
War dialing
(uses modem to dial a series of phone numbers looking for an answering modem carrier tone)
Network (Internet)
Network (internal or DMZ)
client-side, server-side, web application attacks
Wireless
Physical
Social Engineering
Types
black box
(zero-knowledge)
crystal-box
(full-knowledge)
partial-knowledge
Vulnerability Testing
scans system for a list of predefined vulnerabilities
Risk = Vulnerability x Thread (!)
Security Audits
test against a published standard
Security Assessment
Holistic approach with many controls
Internal and Third Party Audits
Log Reviews
detective control
Syslog
Log retention