Official (ISC)² CISSP - Domain 6: Security Assessment and Testing
Terms in this set (30)
2011 CWE/SANS Top 25 Most Dangerous Software Errors
A list of the most widespread and critical errors that can lead to serious vulnerabilities in software.
Contain security event information such as successful and failed authentication attempts, file accesses, security policy changes, account changes, and use of privileges.
Architecture Security Reviews
A manual review of the product architecture to ensure that it fulfills the necessary security requirements.
Automated Vulnerability Scanners
Tests an application for the use of system components or configurations that are known to be insecure.
This criteria requires sufficient test cases for each condition in a program decision to take on all possible outcomes at least once. It differs from branch coverage only when multiple conditions must be evaluated to reach a decision.
Data Flow Coverage
This criteria requires sufficient test cases for each feasible data flow to be executed at least once.
Decision (Branch) Coverage
Considered to be a minimum level of coverage for most software products, but decision coverage alone is insufficient for high-integrity applications.
Information Security Continuous Monitoring (ISCM)
Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
Intrusion Detection Systems (IDS)
Real-time monitoring of events as they happen in a computer system or network, using audit trail records and network traffic and analyzing events to detect potential intrusion attempts.
Intrusion Prevention Systems (IPS)
Any hardware or software mechanism that has the ability to detect and stop attacks in progress.
This criteria requires sufficient test cases for all program loops to be executed for zero, one, two, and many iterations covering initialization, typical running, and termination (boundary) conditions.
A Use Case from the point of view of an Actor hostile to the system under design.
This criteria requires sufficient test cases to exercise all possible combinations of conditions in a program decision.
Ensures the application can gracefully handle invalid input or unexpected user behavior.
This criteria requires sufficient test cases for each feasible path, basis path, etc., from start to exit of a defined program segment, to be executed at least once.
Determines that your application works as expected.
Real User Monitoring (RUM)
An approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application.
The determination of the impact of a change based on review of the relevant documentation.
Security Log Management
The process for generating, transmitting, storing, analyzing, and disposing of computer security log data.
This criteria requires sufficient test cases for each program statement to be executed at least once; however, its achievement is insufficient to provide confidence in a software product's behavior.
Static Source Code Analysis (SAST)
Analysis of the application source code for finding vulnerabilities without actually executing the application.
Synthetic Performance Monitoring
Involves having external agents run scripted transactions against a web application.
Operational actions performed by OS components, such as shutting down the system or starting a service.
A process by which developers can understand security threats to a system, determine risks from those threats, and establish appropriate mitigations.
Abstract episodes of interaction between a system and its environment.
The determination of the correctness, with respect to the user needs and requirements, of the final program or software produced from a development project.
The authentication process by which the biometric system matches a captured biometric against the person's stored template.
Vulnerability Management Software
Log the patch installation history and vulnerability status of each host, which includes known vulnerabilities and missing software updates.
Intermediate hosts through which websites are accessed.
A design that allows one to peek inside the "box" and focuses specifically on using internal knowledge of the software to guide the selection of test data.