AIA Interview Preparation

Terminology

What is Web Application Security Testing?

A security test is a method of evaluating the security of a computer system or network by methodically validating and verifying the effectiveness of application security controls.

What is a Vulnerability?

A vulnerability is a flaw or weakness in a system’s design, implementation, operation or management that could be exploited to compromise the system’s security objectives.

What is a Threat?
A threat is anything (a malicious external attacker, an internal user, a system instability, etc.) that may harm the assets owned by an application (resources of value, such as the data in a database or in the file system) by exploiting a vulnerability.

Black box testing
Black box testing refers to testing a system without specific knowledge of its internal workings: no access to the source code and no knowledge of the architecture.

White box testing
White box testing, which is also known as clear box testing, refers to testing a system with full knowledge and access to all source code and architecture documents. Having full access to this information can reveal bugs and vulnerabilities more quickly than the "trial and error" method of black box testing. Additionally, you can be sure to get more complete testing coverage by knowing exactly what you have to test.

Gray box testing
When we talk about gray box testing, we're talking about testing a system while having at least some knowledge of the internals of that system. This knowledge is usually constrained to detailed design documents and architecture diagrams. It sits between black box and white box testing and combines aspects of each.

STRIDE

  • Spoofing Identity
  • Tampering with Data
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege

Threat modeling

Threat modeling is the process of reviewing a software application's architecture and identifying the threats applicable to that software. The goal of threat modeling is to enable development organizations to efficiently deliver software with high confidence that all classes of attacks and vulnerabilities are accounted for.
