CCSP Cert Prep: 4 - 5. Software Quality Assurance


47 Terms

1

manual code review

Software code is one of the most common sources of security vulnerabilities. Which one of the most important software testing techniques for uncovering these vulnerabilities uses peer analysis to assess code?

2

manual code review

Which software testing technique is described here?

Developers have their work reviewed by other developers, who examine the code to ensure that it doesn't contain obvious or subtle security issues.

3

Fagan inspection

What is the most formal code review process, which follows a six-step process for inspections?

4

planning

The most formal code review process is known as the Fagan inspection. Fagan inspections follow a six-step process.

During this first step, developers perform the prework required to get the code review underway. This includes preparing the materials required for the review, identifying the participants, and scheduling the review itself. 

5

overview

The most formal code review process is known as the Fagan inspection. Fagan inspections follow a six-step process.

After the planning phase, the review moves on to this phase, where the leader of the review assigns roles to different participants and provides the team with an overview of the software that's being reviewed. 

6

preparation

The most formal code review process is known as the Fagan inspection. Fagan inspections follow a six-step process.

During this phase, the participants review the code and any supporting materials on their own to get ready for the review session. They look for any potential issues and make notes that they can refer back to later. 

7

formal inspection meeting

The most formal code review process is known as the Fagan inspection. Fagan inspections follow a six-step process.

Once everyone is prepared, this phase takes place. During this phase, developers raise any issues that they discovered during the preparation phase and discuss them with the team. This is where the team formally identifies any defects in the software that require correction.

8

rework

The most formal code review process is known as the Fagan inspection. Fagan inspections follow a six-step process.

After the meeting phase, the developers who created the code correct any defects identified during the review in the rework phase. If there were no defects, the developers can then move on to the next phase. If the defects were significant, the process returns to the planning phase for another review. 

9

follow-up

The most formal code review process is known as the Fagan inspection. Fagan inspections follow a six-step process.

Once the code no longer requires rework, the Fagan inspection concludes with this phase. During this phase, the leader of the review confirms that all defects were successfully corrected and completes the documentation of the review. 

10

True

True or False?

The Fagan inspection model is a highly formalized process for code review, and, due to its burdensome nature, it's not often followed.

11

software model validation and software verification

What are two main activities that occur during software testing?

12

Software model validation

What activity during software testing ensures that the software produced by a development effort meets the original business requirements? It answers the question, are we building the right software?

13

Software verification

What activity during software testing occurs throughout the development process and consists of tests that verify that the software functions properly? It answers the question, are we building the software right?

14

stress testing or load testing

To ensure that a developer’s code will work under real-world production loads, what process is completed? These tests should verify that the system is able to handle the maximum expected load that it will experience.

15

User acceptance testing, or UAT

What is usually the final phase in software testing? Once developers are confident that the software is correct and ready to move to production, they turn it over to end users for their evaluation under real-world circumstances. Its goal is to focus on usability and ensure that the software will be intuitive for end users.

16

beta testing

Many organizations refer to user acceptance testing using what term?

17

regression testing

After releasing code, developers often make minor and major changes to the code to fix bugs discovered after launch and to add new functionality to the system. Before releasing these modifications, they conduct what kind of testing to verify that the changes don't have unintended side effects?

18

Application security flaws

Code security tests test software for what?

19

technology

Code security tests use what to assist in the code inspection process?

20
  1. Static application security testing

  2. Dynamic application security testing

  3. Interactive application security testing

What are three main types of code testing?

21

Static application security testing/static code review

There are three types of code testing. What type of testing uses automated techniques to analyze code for errors and security flaws without actually executing the code?

22

Software composition analysis, SCA

What is a special type of static code review that's designed to identify any open source software components used in a software package? It allows you to identify any dependencies you may have, and it's particularly useful when a new vulnerability is discovered in an open source package and you need to find all the cases where that package is used in your organization. 

23

dynamic code test

There are three types of code testing. In which test does the testing software actually execute the code, supply input to the code, and read the output to verify that the code is functioning properly? This type of test is closer to real-world operations and is a valuable step in preparing to move code to production, providing developers and management with confidence that the code functions properly.

24

Synthetic transactions

What type of transactions are an important part of dynamic code testing? These are scripted sets of inputs and instructions to be given to code where the testers know what output the code should produce for each input. Testing software can then automatically cycle through these synthetic transactions to verify that code is functioning properly across a wide variety of tests.

25

Interactive application security testing

There are three types of code testing. This type of testing uses dynamic testing techniques but allows the tester to work interactively with the target system. Instead of simply firing off a bunch of test scripts, the application security tester sits down and probes the software with the assistance of testing tools and guides the work of those tools. It is the most time-consuming type of software testing, but it can produce results that aren't available with any other type of test.

26

White-Box Test

There are two other ways that we can categorize software testing techniques, depending upon whether the testers can see the source code. In which test do the application testers have full access to the code as they conduct their testing?

27

Black-Box Test

There are two other ways that we can categorize software testing techniques, depending upon whether the testers can see the source code. In which test do the application testers not have access to the code, so that they approach their work in the same way that an attacker or penetration tester would, by discovering how the application works and probing it?

28

Misuse case testing

What type of testing tries to evaluate software from the perspective of an attacker and is closely related to penetration testing, but is performed at different stages of the software development process? In this testing, developers attempt many of the same software abuses that attackers will try once the software is deployed in production.

29

brainstorming

The most critical step in misuse case testing is defining the test cases. Testers need to think like attackers and figure out all of the ways that somebody might try to undermine the security of a system. Misuse case development is often performed by putting teams of developers together for _____, asking them the simple question, "How could someone break into the system?", and then documenting the results.

30

True

True or False?

Misuse case development should be done by a combination of developers who worked on the software and those who are not involved in the process.

31
  1. Unexpected input, either input that's too long, contains unusual characters, or is in an unexpected format

  2. Missing inputs, such as leaving a password field blank

  3. Injection attacks that embed code in user-supplied input

  4. Attempting to debit a balance below zero or transfer funds that are not available

The types of misuse cases evaluated will vary depending upon the type of the system. What are some misuse case examples?

32

Fuzzing

What type of software test technique provides many different types of valid and invalid input to software in an attempt to make that software enter an unpredictable state or disclose confidential information? It works by automatically generating input values and feeding them to the software package.

33

permission

Only fuzz test with _____.

34

secure storage and version control

What do code repositories provide?

35

To store the source files used in software development in a centralized location that allows for secure storage, and the coordination of changes among multiple developers

What is the main purpose of a code repository?

36

version control

Code repositories also perform _____ allowing the tracking of changes and the rollback of code to earlier versions when required.

37

security and auditing

Code repositories also meet the needs of _____ professionals who want to ensure that software development includes automated auditing and logging of changes.

38

reuse

By exposing code to all developers in an organization, code repositories also promote code _____ . Developers seeking code to perform a particular function can search the repository for existing code, and then _____ that code instead of starting from scratch.

39

dead code

Code repositories also help avoid the problem of _____ , where code is in use in an organization, but nobody is responsible for the maintenance of that code.

40

provisioning and deprovisioning

Code repositories are an important part of application security, but they are only one aspect of code management. Secure _____ and _____ of applications ensures the integrity of released code.

41

code integrity measurement

The release management process should include what measurement that uses cryptographic hash functions to verify that the code being released into production matches the code that was previously approved?

42

application control

One of the best ways to protect against malicious software is to prevent users from running unwanted applications with what technology?

43

Application control

What restricts the software that runs on a system to programs that meet the organization's security policy?

44

whitelisting and blacklisting

What are the two main approaches to application control?

45

host software baselining

What tool assists with updates and helps you provide a standardized list of the software that you expect to see on systems in your environment and then report deviations from that baseline? You'll be able to identify unwanted software running in your environment and investigate it.

46

Tracking and managing changes made to code

One popular benefit of using a code repository is performing version control. What does this mean?

47

Testing for unexpected issues after launch.

How is regression testing best described?
