Week 7 - Security Testing


18 Terms

1

What is the goal of software testing?

Verifying that software meets its functional and non-functional requirements.

2

What is security testing?

Evaluating software against security requirements to identify vulnerabilities and verify security mechanisms.

3

Define Connectivity

e.g., cloud computing, location-based services

4

What is a vulnerability (ISO 27001)?

A weakness in assets that can be exploited by threats.

5

What are the two main types of security testing?

1. Static Testing – review without execution
   a. Examples: code reviews, design reviews, static code analysis tools

2. Dynamic Testing – execution-based validation
   a. Run the software and compare actual vs. expected outputs

6

What are the two main types of security testing purposes?

1. Security functional testing – validating that security features work as intended.

2. Security vulnerability testing – identifying unintended system vulnerabilities.

7

Describe a test case execution

8

How would you describe the testing dimensions diagram?

9

What is Model-Based Testing (MBT)?

A method where test cases are automatically generated from models representing expected system behaviour.

10

Why is security testing hard?

• Traditional “librarian” approach = rerun known exploits (test cases from a database)

• Problems:
  - Doesn’t find new vulnerabilities
  - Only catches known patterns

• However, this works because developers repeat mistakes

11

What are the three key tasks in MBT?

1. Design a functional test model

2. Determine test generation criteria

3. Generate the tests

12

What is Model-Based Security Testing (MBST)?

MBT that incorporates attacker models, vulnerability models, and properties models (e.g., CIA goals).

13

What’s the difference between Exploitation and Attack?

• Exploitation: using malicious input to exploit a vulnerability.

• Attack: executing an exploitation to violate a security property.

• Security testers play the role of a hacker to exploit a system’s vulnerabilities.

14

State the 4 security testing techniques in SDLC

15

What is an attack tree?

- A tree where:
  - Nodes = attack goals or actions
  - Edges = dependencies (AND, OR, SAND)

16

What is an Abstract Test Case (ATC)?

- A sequence of attack actions

- ATC succeeds if all steps succeed → vulnerability confirmed

- ATC fails if the attack is blocked → protection works

17

Benefits of MBT:

- Early and explicit review of system behaviours

- Better documentation of test cases

- The ability to automatically generate useful tests and to measure and optimize test coverage

18

What input models can we use for MBST?

- Attacker models – capabilities and attack goals

- Vulnerability models – known weaknesses encoded

- Security property models – what must not be violated