Domain 05: Secure Software Testing
The use of IF-THEN rules is characteristic of which of the following types of software testing? A. Logic B. Scalability C. Integration D. Unit
Answer Is: A IF-THEN rules are constructs of logic and when these constructs are used for software testing, it is generally referred to as logic testing.
Penetration testing must be conducted with properly defined A. rules of engagement. B. role based access control mechanisms. C. threat models. D. use cases.
Answer Is: A Penetration testing must be controlled and not ad hoc in nature with properly defined rules of engagement.
The implementation of secure features such as complete mediation and data replication needs to undergo which of the following types of test to ensure that the software meets the service level agreements (SLA)? A. Stress B. Unit C. Integration D. Regression
Answer Is: A Tests that assure that the service level requirements are met are characteristic of performance testing. Load and stress testing are types of performance tests. While stress testing is testing by starving the software of resources, load testing is done by subjecting the software to extreme volumes or load.
Which of the following tools or techniques can be used to facilitate the white box testing of software for insider threats? A. Source code analyzers B. Fuzzers C. Banner grabbing software D. Scanners
Answer Is: A White box testing or structural analysis is about testing the software with prior knowledge of the code and configuration. Source code review is a type of white box testing. Embedded code issues such as Trojan horses, logic bombs, etc. that are implanted by insiders can be detected using source code analyzers.
Vulnerability scans are used to A. measure the resiliency of the software by attempting to exploit weaknesses. B. detect the presence of loopholes and weaknesses in the software. C. detect the effectiveness of security controls that are implemented in the software. D. measure the skills and technical know-how of the security tester.
Answer Is: B A vulnerability is a weakness (or loophole) and vulnerability scans are used to detect the presence of weaknesses in software.
An attacker analyzes the response from the web server which indicates that its version is the Microsoft Internet Information Server 6.0 (Microsoft-IIS/6.0), but none of the IIS exploits that the attacker attempts to execute on the web server are successful. Which of the following is the MOST probable security control that is implemented? A. Hashing B. Cloaking C. Masking D. Watermarking
Answer Is: B Detection of web server versions is usually done by analyzing HTTP responses. This process is known as banner grabbing. But an administrator can change the information that gets reported, and this process is known as cloaking. Banner cloaking is a security-through-obscurity approach to protect against version enumeration.
Disassemblers, debuggers and decompilers can be used by security testers to PRIMARILY determine which of the following types of coding vulnerabilities? A. Injection flaws. B. Lack of reverse engineering protection. C. Cross-Site Scripting. D. Broken session management.
Answer Is: B Disassemblers, debuggers and decompilers are utilities that can be used for reverse engineering software, and software testers should have these utilities in their list of tools to validate protection against reversing.
When very limited or no knowledge of the software is made known to the software tester before she can test for its resiliency, it is characteristic of which of the following types of security tests? A. White box B. Black box C. Clear box D. Glass box
Answer Is: B In black box or behavioral testing, test conditions are developed on the basis of the program's or system's functionality; that is, the tester requires information about the input data and observed output, but does not know how the program or system works. The tester focuses on testing the program's behavior (or functionality) against the specification. With black box testing, the tester views the program as a black box and is completely unconcerned with the internal structure of the program or system. In white box or structural testing, the tester knows the internal program structure such as paths, statement coverage, branching, and logic. White box testing is also referred to as clear box or glass box testing. Gray box testing is a software testing technique that uses a combination of black box and white box testing.
Timing and synchronization issues such as race conditions and resource deadlocks can be MOST LIKELY identified by which of the following tests? Choose the BEST answer. A. Integration B. Stress C. Unit D. Regression
Answer Is: B Race conditions and resource exhaustion issues are more likely to be identified when the software is starved of the resources that it expects as is done during stress testing.
In the context of test data management, when a transaction which serves no business purpose is tested, it is referred to as what kind of transaction? A. Non-synthetic B. Synthetic C. Useless D. Discontinuous
Answer Is: B Synthetic transactions refer to transactions that serve no business value. Querying order information of a 'dummy' customer is an example of a synthetic transaction. They are not necessarily useless.
As part of the test data management strategy, when a criterion is applied to export selective information from a production system to the test environment, it is also referred to as A. Subletting B. Filtering C. Validation D. Subsetting
Answer Is: B The defining of subset criteria to export only certain kinds of information from the production environment to the test environment is also known as subsetting.
Tests that are conducted to determine the breaking point of the software after which the software will no longer be functional is characteristic of which of the following types of software testing? A. Regression B. Stress C. Integration D. Simulation
Answer Is: B The goal of stress testing is to determine if the software will continue to operate reliably under duress or extreme conditions. Often the resources that the software needs are taken away from the software and the software's behavior is observed as part of the stress test.
Smart fuzzing is characterized by injecting A. truly random data without any consideration for the data structure. B. variations of data structures that are known. C. data that get interpreted as commands by a backend interpreter. D. scripts that are reflected and executed on the client browser.
Answer Is: B The process of sending random data to test security of an application is referred to as "fuzzing" or "fuzz testing." There are two levels of fuzzing: dumb fuzzing and smart fuzzing. Sending truly random data, known as dumb fuzzing, often doesn't yield great results and has the potential of bringing the software down, causing a Denial of Service (DoS). If the code being fuzzed requires data to be in a certain format but the fuzzer does not create data in that format, most of the fuzzed data will be rejected by the application. The more knowledge the fuzzer has of the data format, the more intelligent it can be at creating data. These more intelligent fuzzers are known as smart fuzzers.
In which of the following software development methodologies does unit testing enable collective code ownership and is critical to assure software assurance? A. Waterfall B. Agile C. Spiral D. Prototyping
Answer Is: B Unit testing enables collective code ownership. Collective code ownership encourages everyone to contribute new ideas to all segments of the project. Any developer can change any line of code to add functionality, fix bugs, or refactor. No one person becomes a bottleneck for changes. The way this works is for each developer, working in concert with the others (usually more so in agile methodologies than in the traditional model), to create unit tests for his/her code as it is developed. All code that is released into the source code repository includes unit tests. Code that is added, bugs as they are fixed, and old functionality as it is changed will be covered by automated testing.
Which of the following is the MOST important to ensure, as part of security testing, when the software is forced to fail? Choose the BEST answer. A. Normal operational functionality is not restored automatically. B. Access to all functionality is denied. C. Confidentiality, integrity and availability are not adversely impacted. D. End users are adequately trained and self help is made available for the end user to fix the error on their own.
Answer Is: C As part of security testing, the principle of fail-safe must be assured. This means that confidentiality, integrity and availability are not adversely impacted when the software fails. As part of general software testing, the recoverability of the software, i.e., restoration of the software to normal operational functionality, is an important consideration, but it need not always be an automated process.
Assurance that the software meets the expectations of the business as defined in the service level agreements (SLAs) can be demonstrated by which of the following types of tests? A. Unit B. Integration C. Performance D. Regression
Answer Is: C Assurance that the software meets the expectations of the business as defined in the service level agreements (SLAs) can be demonstrated by performance testing. Once the importance of the performance of an application is known, it is necessary to understand how various factors affect the performance. Security features can have an impact on performance and this must be checked to ensure that service level requirements can be met.
Drivers and stub based programming are useful to conduct which of the following tests? A. Integration B. Regression C. Unit D. Penetration
Answer Is: C In order for unit testing to be thorough, the unit/module and the environment for the execution of the module need to be complete. The necessary environment includes the modules that either call or are called by the unit of code being tested. Stubs and drivers are designed to provide the complete environment for a module so that unit testing can be carried out. A stub procedure is a dummy procedure that has the same input/output (I/O) parameters as the given procedure. A driver module should have the code to call the different functions of the module under test with appropriate parameter values for testing. In layman's terms, the driver module is akin to the caller and the stub module can be seen as the callee.
When reporting a software security defect in the software, which of the following also needs to be reported so that variance from intended behavior of the software can be determined? A. Defect identifier B. Title C. Expected results D. Tester name
Answer Is: C Knowledge of the expected results along with the defect information can be used to determine the variance between what the results need to be and what is deficient.
The ability of the software to withstand attempts of attackers who intend to breach the security protection that is built in is also known as A. redundancy. B. recoverability. C. resiliency. D. reliability.
Answer Is: C Resiliency of software is defined as the ability of the software to withstand attacker attempts.
The PRIMARY objective of resiliency testing of software is to determine A. the point at which the software will break. B. if the software can restore itself to normal business operations. C. the presence and effectiveness of risk mitigation controls. D. how a blackhat would circumvent access control mechanisms.
Answer Is: C Security testing must include both external (blackhat) and insider threat analysis, and it should be more than just testing for the ability to circumvent access control mechanisms. The resiliency of software is the ability of the software to withstand attacks. The presence and effectiveness of risk mitigation controls increases the resiliency of the software.
Testing for the randomness of session identifiers and the presence of auditing capabilities provides the software team insight into which of the following security controls? A. Availability. B. Authentication. C. Non-repudiation. D. Authorization.
Answer Is: C When session management is in place, it provides for authentication, and when authentication is combined with auditing capabilities, it provides non-repudiation, i.e., the authenticated user cannot claim broken sessions or intercepted authentication and deny their actions, because the audit logs record those actions.
Which of the secure design principles is promoted when test harnesses are used? A. Least privilege B. Separation of Duties C. Leveraging existing components D. Psychological acceptability
Answer Is: D Test harnesses promote the principle of leveraging existing components, as a harness can be reused by multiple projects once it is set up.
The ability of the software to restore itself to expected functionality when the security protection that is built in is breached is also known as A. Redundancy B. Recoverability C. Resiliency D. Reliability
Answer Is: B When the software performs as it is expected to, it is said to be reliable. When errors occur, the reliability of the software is impacted and the software needs to be able to restore itself to expected operations. The ability of the software to be restored to normal expected operations is referred to as recoverability. The ability of the software to withstand attacks against its reliability is referred to as resiliency. Redundancy is about availability, and reconnaissance is related to information gathering as in fingerprinting/footprinting.