1. Which of the following are true about risk-based security testing? a. Softwar
ID: 3739256 • Letter: 1
Question
Which of the following are true about risk-based security testing?
a. Software security tester can properly focus on area of code where an attack is likely to succeed
b. It is the same as penetration testing
c. Tests are driven by identified risks in the system
d. It is black-box probing at the presentation layer
e. It is grounded in both the system’s architectural reality and the attacker’s mindset
QUESTION 2
Which of the following are true?
a. Penetration testing is focused inside-out
b. Penetration testing happens when software is complete and installed in its operational environment.
c. Both security testing and penetration testing work best when they take risk analysis results, abuse cases, and functional security requirements into account
d. Security testing can be applied before the software is complete, at the unit level, in a testing environment with stubs and pre-integration.
QUESTION 3
Which of the following are true about component-level security testing?
a. Tests should attempt both unauthorized misuse of and access to the component’s assets
b. Component-level testing should be conducted after system integration testing.
c. Component-level security testing breaks system security down into a number of discrete parts
d. Tests should attempt violations of the assumptions relative to the components
QUESTION 4
Which of the following are true about system-level testing?
a. System-level testing should focus on identifying intra-component failures and assessing security risk inherent at the design level
b. System-level tests should try to undermine the assumptions of the system
c. Data flow diagrams, inter-component documentation, etc. are very useful for system-level testing
d. Abuse cases could be used to enhance a test plan with adversarial tests
QUESTION 5
Which of the following are design-level flaws?
a. buffer overflow
b. unprotected data channels
c. incorrect or missing access control
d. error handling in object-oriented systems
e. SQL injection
QUESTION 6
Match the following terms with their definitions
Functional security testing:
Adversarial security testing:
a. performing risk-based security testing motivated by understanding and simulating the attacker's approach
b. testing security mechanisms to ensure that their functionality is properly implemented
QUESTION 7
Software security is all about security features or mechanisms, such as cryptography, strong authentication and access control.
True
False
QUESTION 8
Which of the following are true regarding who should conduct security testing?
a. Standard testing organizations using a traditional approach should perform adversarial security testing
b. Those that have expertise and experience in security should perform adversarial security testing
c. Standard testing organizations using a traditional approach should perform functional security testing
d. Those that have expertise and experience in security should perform functional security testing
QUESTION 9
Which of the following are true about how to conduct security testing?
a. White box testing using static analysis methods on source code is a good technique for analyzing certain kinds of software
b. Design flaws can be found through risk analysis
c. In black box testing, malicious input can be supplied to the program in an effort to break it
d. Using black box testing, a program can be tested remotely over the network without access to binary code
QUESTION 10
Based on the case study in pages 195-197, which of the following are examples of risk-based tests?
a. testing of class codes
b. testing of nested transactions
c. testing of the case when transaction buffers were filled
d. testing of available commands
e. testing of aborted transactions
f. testing of crypto functionality
QUESTION 11
Which of the following are the results of security testing in the case study from pages 195-197?
a. Every card that was tested with the automated test framework had some manner of failure
b. Most of the cards that were tested with the automated test framework pass all functional security tests
c. Every card that was tested with the hostile applet suite had some manner of failure
d. Most of the cards that were tested with the hostile applet suite pass the tests
QUESTION 12
Which of the following are true about XP and security testing?
a. The XP approach is a “test first” approach that may cause difficulty in adopting a risk-based testing approach.
b. XP encourages coding to the tests, which may work for standard software features. However, security is not a feature.
c. To conduct security testing in XP, it is suggested that more attention is focused on abuse cases
d. It is suggested that some “attacker stories” should be devised and used to create security tests.
QUESTION 13
Which of the following need to be considered by security testing?
a. data structures
b. components
c. APIs
d. program state
e. input
QUESTION 14
Which of the following should be considered by the testers?
a. sockets
b. pipes
c. the Win32 Registry
d. files
e. remote procedure calls (RPCs)
f. command-line arguments
Explanation / Answer
QUESTION 1
Which of the following are true about risk-based security testing?
Answer)
a. Software security tester can properly focus on area of code where an attack is likely to succeed - The software tester will focus on the code and areas where the attack can be successful, and also, overall, improve the risk-based security of the system.
d. It is black-box probing at the presentation layer - Black-box testing is used to improve the security of the system and to find defects.
e. It is grounded in both the system’s architectural reality and the attacker’s mindset - The system's architectural setup and the attacker’s mindset have to be kept in mind when executing risk-based security testing, as they play a major role.
QUESTION 2
Which of the following are true?
Answer)
b. Penetration testing happens when software is complete and installed in its operational environment. - Penetration testing generally happens when the system is ready for production and installed in the operational environment. That is when the vulnerabilities can be attacked and the security of the system is known.
c. Both security testing and penetration testing work best when they take risk analysis results, abuse cases, and functional security requirements into account - When we take into consideration the risk analysis results, abuse cases, and functional security requirements, only then can we perform correct penetration testing on the system.