UPDATED Questions and CORRECT Answers
What is the primary defense against log injection attacks? - CORRECT ANSWER -
Sanitize outbound log messages
Sanitizing - CORRECT ANSWER -Sanitizing is the process of cleansing, filtering, or
altering data to eliminate sensitive, harmful, or inappropriate content. It often involves validation
and transformation of data to ensure its integrity and security.
In the context of outbound log messages, sanitizing is the practice of reviewing and modifying
log data to remove sensitive or confidential information, validate its correctness, and ensure that
it adheres to security and privacy standards before it's shared with external systems or users.
How to spot Log Injection - CORRECT ANSWER -
- Look for Unsanitized User Input
- Examine Log Functions
- Check for User-Controlled Data
Defensive Programming - CORRECT ANSWER -a software development approach that
aims to create robust and secure software by anticipating and guarding against unexpected
failures and security vulnerabilities.
It involves implementing error handling, input validation, and security measures to protect the
software from unexpected inputs, attacks, or faults, thereby enhancing its reliability and security.
Static Testing - CORRECT ANSWER -a type of software testing that examines the source
code, design, or documentation without executing the program. It aims to identify defects early
in the development process.
white box
Dynamic Testing - CORRECT ANSWER -a software testing technique that involves
executing the program or application with test cases to observe its behavior at runtime. It aims to
find defects related to functionality, performance, and reliability.
white-box, black-box, grey-box
Fuzz Testing (Fuzzy Testing) - CORRECT ANSWER -a testing technique that involves
providing unexpected or random inputs to a software application to discover vulnerabilities,
crashes, or unexpected behavior. It is commonly used for security testing.
black-box
Unit Testing - CORRECT ANSWER -a level of software testing where the smallest individual
components (units) of a software application are tested in isolation to ensure they work as
intended. It helps identify and fix issues at the smallest functional level.
white box
frequency: as soon as a unit is complete, before it moves on
advantages: done early, easier to find the root cause
disadvantages: tunnel vision since it is performed by the developer, less formal
Integration Testing - CORRECT ANSWER -a level of software testing that focuses on
testing the interactions between different units or modules of a software application. It ensures
that the integrated components work together correctly
grey box
frequency: usually when 2 or more units get integrated, team-specific guidelines, done by
developers or specialized teams
advantages: more formal, manual/tools
patterns:
- client/server integration
- collaboration integration (Mars probe, metric vs. US units)
- distributed services integration
- layer integration
Regression Testing - CORRECT ANSWER -Regression testing is a type of testing
performed to verify that recent code changes or updates do not introduce new defects or
negatively impact existing functionality. It typically involves re-running previous test cases.
grey-box or black-box
frequency: when a change is made, to verify that the change didn't reintroduce problems; done by
the testing team
disadvantages: could be implemented poorly (radiation incident, 8 people died)
Patterns:
- regress all
- regress some
User Acceptance Testing (UAT) - CORRECT ANSWER -a phase of software testing
where end users or clients test the software to ensure it meets their requirements and is ready for
production use. It validates that the software aligns with user expectations.