CSSLP Chapter 5 - Secure Software Testing

0.0(0)
Studied by 0 people
call kaiCall Kai
Locked
learnLearn
examPractice Test
spaced repetitionSpaced Repetition
heart puzzleMatch
flashcardsFlashcards
GameKnowt Play
Card Sorting

1/27

flashcard set

Earn XP

Description and Tags

CSSLP Chapter 5 - Secure Software Testing

Last updated 9:15 AM on 7/6/26
Name
Mastery
Learn
Test
Matching
Spaced
Call with Kai
Chat

No analytics yet

Send a link to your students to track their progress

28 Terms

1
New cards
List software security testing standards.
ISO 9126, Open Source Security Testing Methodology Manual (OSSTMM), System Security Engineering Capability Maturity Model (SSE-CMM)
2
New cards
What are the different kinds of reliability testing?
Unit, Integration, Logic, Regression
3
New cards
What are the different kinds of recoverability testing?
Performance (Load, Stress), Scalability
4
New cards
What are the different types of resiliency testing, and what's another name for it?
White box, Black box. Also called security testing.
5
New cards
What other kinds of software QA testing are there besides reliability, recoverability, and resiliency?
Environment, Privacy, User acceptance
6
New cards
What is reliability testing?
Functional testing. Does the software function as it is supposed to according to the requirements of the business owner.
7
New cards
Who conducts unit testing?
Typically developers.
8
New cards
What does unit testing do?
Tests each part in isolation for build and compilation errors as well as functional logic.
9
New cards
What are drivers and stubs in the software testing context?
Drivers are testing code that simulates a function's caller. Stubs are testing code that simulates a called unit. Both can be used to mock objects to remove testing dependencies.
10
New cards
What are the benefits of unit testing?
Validate functional logic. Find out inefficiencies, complexities, and vulnerabilities in code, as the code is tested after being isolated into units, as opposed to being integrated and tested as a whole. Automate testing processes by integrating easily with automated build scripts and tools. Extend test coverage. Enable collective code ownership in agile development.
11
New cards
What is integration testing?
Aggregating multiple units of code together for testing.
12
New cards
What is logic testing?
Testing that validates the accuracy of the software processing logic.
13
New cards
When is logic testing most important?
When software has high cyclomatic complexity.
14
New cards
What kind of testing tests predicates, and what are they?
Logic testing. A predicate is something that is affirmed or denied of the subject in a proposition in logic.
15
New cards
What is regression testing? What is its other name?
Regression testing is testing that is performed to ensure that changes to software don't reintroduce old defects. Also called verification testing.
16
New cards
What is the recommended method to perform regression testing?
Create a library of tests that includes a predefined set of tests to be conducted before the release of any new version. These should always test boundary conditions and timing.
17
New cards
Who usually performs regression testing?
QA teams.
18
New cards
What is recoverability testing?
Performance or scalability testing to ensure that software will be available when required.
19
New cards
What is the difference between load and stress testing?
Load testing determines software's maximum capacity. Stress testing exceeds it, in part to determine if the software recovers gracefully.
20
New cards
What is fuzzing?
A kind of software testing where random or pseudorandom input is injected and the behavior of the software under test observed.
21
New cards
What does fuzzing test?
The effectiveness of input validation.
22
New cards
What is synthesized fuzzing data?
Data that is generated from scratch without being based on previous input.
23
New cards
What is mutated fuzzing data?
Data created from valid data, but corrupted so it's not what the application expects.
24
New cards
What is the difference between dumb and smart fuzzing?
Dumb fuzzing uses truly random data without any consideration for data structure. Smart fuzzing uses data structure (encoding, checksums, etc).
25
New cards
What is the difference between dumb and smart fuzzing?
Dumb fuzzing uses truly random data without any consideration for data structure. Smart fuzzing uses data structure (encoding, checksums, etc).
26
New cards
What is the difference between static and dynamic software scanning?
Static scanning scans the source code for vulnerabilities. Dynamic scanning scans the software at runtime.
27
New cards
What kinds of scans does PCI-DSS require?
Network, host, and applications in the card holder data environment.
28
New cards
What is scanning used for?
Map the computing ecosystems, infrastructural, and application interfaces. Identify server versions, open ports, and running services. Inventory and validate asset management databases. Identify patch levels. Prove due diligence and due care for compliance reasons.