
Software Testing Transcription

Welcome to our Software Security Testing Module. Security testing is an important part of the entire software development lifecycle. During the planning and design phase, you will have to perform architecture security reviews as well as threat modeling. During the development phase, you will perform static source code analysis and static binary code analysis, as well as the manual review of both your source code and binary code.

You'll also have to test your completed product, including penetration testing, which can be either manual or automated, as well as vulnerability scanning, fuzz testing, threat modeling, and misuse testing. During the operation and maintenance phase, you will continue to test the product, performing additional penetration testing, fuzz testing, and vulnerability scanning.

You will also perform passive testing by monitoring the software and using intrusion detection systems, and you will test any patches that are developed. There are several different types of software code review and testing. Black-box testing is where an individual is testing the software but has no access to the internal code.

So they basically evaluate the input and output of the software. With white-box testing, the tester has full access to the internal details of the software, such as the source code, and they're able to consider that code when determining how to try attacking the software. With dynamic testing, the system is executed and an individual observes the behavior of the system.

Static testing is where the source code is examined without actually executing the program. Manual testing is guided by humans and automated testing is performed by applications. There are several different types of software tests that can be performed. It is important that you have a separation of duties and do not allow the testing to be conducted by the individual who designed the software.

And that is important to remember for the CISSP examination. Unit testing is where you test individual modules or packages of the software. You're basically testing these individual components in a controlled environment where you can validate the data structure, logic, and boundary conditions. Integration testing is performed on a completed system, where a quality assurance team tests to verify that the components are working together as you have outlined in your design specifications.

If the software is not functioning correctly, it will be sent back to the developer for additional unit testing. Regression testing is where a specialist evaluates the system after changes are made. The purpose of this testing is to retest a system to ensure that it functions properly, performs correctly, and is protected from any outside threats after you make a change to that system. Software penetration testing is where an individual attempts to break the software. You can have independent parties who will perform white-box, black-box or gray-box testing. With white-box testing they have full knowledge of the program and most likely have access to its internal source code. With gray-box testing they have access to a small amount of the details about the product.

And with black-box testing they have no details whatsoever, and they are attacking the product like an outside attacker would. You may also need to protect the code from reverse engineering, so that outsiders cannot reverse engineer it in order to determine how they can attack your system.

The final type of testing is acceptance testing which is performed after the software is completed to determine if it meets all of the requirements. You will need to have the end user make sure that the product you've developed meets all of their written requirements. There are several considerations to keep in mind when you're performing acceptance testing.

You will need to consider the attack surface and select appropriate tools or methods for testing for different types of vulnerabilities. You'll also have to consider the application type because different methods and tools will behave differently. You'll have to consider the usability and the quality of the tools that you'll be using for the testing.

Does your tool have a high false positive rate that is going to indicate problems that might not actually be problems? Does your tool offer recommendations for fixing issues, and so on? You'll also have to consider supported technologies, because there are so many different programming languages that your tool may not work with certain languages.

So you need to make sure that the technologies that the programmers used are supported. You'll have to consider resource utilization and make sure that you have enough computing power or enough employees to conduct the manual effort that will be required for the tool or method that you're using.

And finally, consider coverage analysis to make sure that all aspects of the system are secure. Interface testing is usability testing where you determine whether or not a system is functional, how it exchanges data, and how it controls the transfer of data. You will be testing the user interface, the server interface, as well as the internal and external interfaces.

Misuse case testing will help you to determine all of the possible attacks that could occur to an application and this will help your developers create mitigation steps to prevent these attacks. You're basically trying to use hacker techniques against the software. You can attempt to force and exploit errors which occur.

You'll be testing how invalid or unexpected user behavior would be handled by the application, for example:

  • A user leaving a required field blank.
  • Entering the incorrect data type into a field, such as letters in a phone number field.
  • Exceeding the allowed number of characters or data bounds, such as entering 50,000 characters for a zip code.
  • Entering unreasonable data, such as stating that an individual is -30 years of age.
  • Attempting to open secure web pages without logging in.

You should remember misuse case testing for the CISSP examination. And remember that it is basically using a product in an inappropriate manner in order to determine how it responds, so that an attacker cannot take those same steps to exploit the system.

It is important that you test the software with different types of data input. Typically, testing plans are written before the coding even occurs. There are several different types of testing that can be performed, and the level of effort increases from the bottom to the top of the slide.

Normal use case testing requires the least amount of effort: you're basically testing the system with expected, valid inputs, such as entering ten digits for a phone number. Output forcing will require additional effort; here you're generating selected outputs by choosing specific test inputs. You can test the software for robustness, where you're testing with unexpected or invalid inputs.

And finally the most comprehensive type of testing which would require the largest amount of effort is a combination of inputs, where you are testing with multiple different types of inputs. This concludes our software security testing module. Thank you for watching.
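As an added example (not part of the Skillset transcript), the following Python code puts the module's input-testing material into one runnable unit: a small form validator exercised with the misuse cases listed above (blank required field, wrong data type, oversized zip code, negative age) and with the four input categories the module orders by effort (normal use, output forcing, robustness, combinations of inputs). The form, its three fields, the length cap and the age bounds are constructed assumptions for illustration, not values from the course. The example goes slightly beyond the transcript in two edge cases a tester should know: Python's `\d` matches non-ASCII digits unless `re.ASCII` is set, and `$` matches before a trailing newline, so `fullmatch` is used instead of `^...$` anchors.

```python
"""Constructed sign-up form validator plus the four test-input categories
(normal use, output forcing, robustness, combination of inputs).
Assumed field names, bounds and sample values are for illustration only."""
from dataclasses import dataclass, field
from itertools import product
import re

# Constructed limits: a real application takes these from its spec.
MAX_FIELD_LEN = 256                           # hard cap before any parsing
PHONE_RE = re.compile(r"\d{10}", re.ASCII)    # ASCII so fullwidth digits fail
ZIP_RE = re.compile(r"\d{5}", re.ASCII)
AGE_MIN, AGE_MAX = 0, 130


@dataclass
class Result:
    ok: bool
    errors: dict = field(default_factory=dict)   # field name -> reason


def validate_form(form: dict) -> Result:
    """Reject-by-default validation of phone, zip and age.  Each misuse case
    from the module maps to an explicit error instead of passing through."""
    errors = {}
    for name in ("phone", "zip", "age"):
        value = form.get(name)
        if value is None or (isinstance(value, str) and value.strip() == ""):
            errors[name] = "required"            # blank required field
            continue
        if not isinstance(value, str):
            errors[name] = "wrong type"          # list/int where text expected
            continue
        if len(value) > MAX_FIELD_LEN:
            errors[name] = "too long"            # 50,000-character zip code
            continue
        # fullmatch, not match/$: "90210\n" must not slip through
        if name == "phone" and not PHONE_RE.fullmatch(value):
            errors[name] = "expected 10 digits"  # letters in a phone field
        elif name == "zip" and not ZIP_RE.fullmatch(value):
            errors[name] = "expected 5 digits"
        elif name == "age":
            if not re.fullmatch(r"-?\d+", value, re.ASCII):
                errors[name] = "expected integer"
            elif not AGE_MIN <= int(value) <= AGE_MAX:
                errors[name] = "out of range"    # -30 years of age
    return Result(not errors, errors)


# --- the four input categories, least effort first -----------------------
NORMAL = {"phone": "5551234567", "zip": "90210", "age": "34"}   # constructed


def run_normal_use() -> bool:
    """Normal use case: expected, valid input is accepted."""
    return validate_form(NORMAL).ok


def run_output_forcing() -> dict:
    """Output forcing: one input chosen per rejection branch, so every error
    message the validator can produce is actually observed."""
    probes = {
        "required": {**NORMAL, "zip": "   "},
        "wrong type": {**NORMAL, "age": ["34"]},
        "too long": {**NORMAL, "zip": "9" * 50_000},
        "expected 10 digits": {**NORMAL, "phone": "555-CALL-NOW"},
        "out of range": {**NORMAL, "age": "-30"},
    }
    return {msg: msg in validate_form(f).errors.values()
            for msg, f in probes.items()}


# Constructed hostile values: empty, missing, oversized, non-ASCII digits,
# trailing newline, non-numeric text, and non-string types.
ROBUSTNESS_INPUTS = ["", " ", None, "x" * 10_000, "９９９９９", "12345\n",
                     "1e3", "∞", "9" * 400, 42, []]


def run_robustness() -> bool:
    """Robustness: every field gets every hostile value; the validator must
    reject each one and must never raise."""
    for name in ("phone", "zip", "age"):
        for bad in ROBUSTNESS_INPUTS:
            try:
                if validate_form({**NORMAL, name: bad}).ok:
                    return False
            except Exception:
                return False
    return True


def run_combinations() -> bool:
    """Combination of inputs: Cartesian product of good and bad values; the
    form is accepted only when every field is individually acceptable."""
    phones = ["5551234567", "555", "abcdefghij"]
    zips = ["90210", "9021", "9" * 50_000]
    ages = ["34", "-30", "abc"]
    for p, z, a in product(phones, zips, ages):
        expected = (p == phones[0] and z == zips[0] and a == ages[0])
        if validate_form({"phone": p, "zip": z, "age": a}).ok != expected:
            return False
    return True


if __name__ == "__main__":
    print("normal use   :", run_normal_use())
    print("output forcing:", run_output_forcing())
    print("robustness   :", run_robustness())
    print("combinations :", run_combinations())
```

The four runners are deliberately separate functions so the effort ordering from the module is visible in the code: one case for normal use, one case per output, one hostile value per field for robustness, and a full product of values for the combination stage.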
