Summary of Exam Objectives
In this domain we have learned about various methods to test the real-world security of an organization, including vulnerability scanning, penetration testing, security assessments, and audits. Vulnerability scanning determines one half of the “Risk = Threat × Vulnerability” equation. Penetration tests seek to match those vulnerabilities with threats, to demonstrate real-world risk. Assessments provide a broader view of the security picture, and audits demonstrate compliance with a published specification, such as PCI-DSS. We discussed synthetic transactions, which attempt to emulate real-world uses of an application using scripts or tools that simulate activities normally performed in that application. We also discussed testing code security, including static methods such as source code analysis, walkthroughs, syntax checking, and the use of secure compilers. We discussed dynamic methods used on running code, including fuzzing and various forms of black box testing.
Self-Test
Note
Please see the Self-Test Appendix for explanations of all correct and incorrect answers.
1. What process involves building scripts or tools that simulate activities normally performed in an application?
   A. Test coverage analysis
   B. Misuse case testing
   C. Synthetic transactions
   D. Penetration test

2. What security metric is used to measure availability?
   A. Key Uptime Indicator
   B. Key Risk Indicator
   C. Key Performance Indicator
   D. Key Response Indicator

3. What process is designed to automate penetration tests, and is often run 24/7/365?
   A. Misuse case testing
   B. Synthetic transactions
   C. Breach attack simulation
   D. Test coverage analysis

4. What type of penetration test begins with no external or trusted information and begins the attack with public information only?
   A. Full knowledge
   B. Partial knowledge
   C. Grey box
   D. Zero knowledge

5. What type of assessment would best demonstrate an organization’s compliance with PCI-DSS (Payment Card Industry Data Security Standard)?
   A. Audit
   B. Penetration test
   C. Security assessment
   D. Vulnerability assessment

6. What type of test provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers?
   A. Full knowledge
   B. Partial knowledge
   C. Grey box
   D. Zero knowledge

7. What can be used to ensure software meets the customer’s operational requirements?
   A. Integration testing
   B. Installation testing
   C. Acceptance testing
   D. Unit testing

8. What term describes a no-tech or low-tech method that uses the human mind to bypass security controls?
   A. Fuzzing
   B. Social engineering
   C. War dialing
   D. Zero-knowledge test

9. What term describes a black box testing method that seeks to identify and test all unique combinations of software inputs?
   A. Combinatorial software testing
   B. Dynamic Application Security Testing
   C. Misuse case testing
   D. Static Application Security Testing

10. What term describes a holistic approach for determining the effectiveness of access control, and has a broad scope?
   A. Security assessment
   B. Security audit
   C. Penetration test
   D. Vulnerability assessment