CISSP® Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson, CISSP Official Study Guide, Sybex (2018)

White-Box Testing
White-box testing examines the internal logical structures of a program and steps through the code line by line, analyzing the program for potential errors.

Black-Box Testing
Black-box testing examines the program from a user perspective by providing a wide variety of input scenarios and inspecting the output. Black-box testers do not have access to the internal code. Final acceptance testing that occurs prior to system delivery is a common example of black-box testing.

Gray-Box Testing
Gray-box testing combines the two approaches and is popular for software validation. In this approach, testers examine the software from a user perspective, analyzing inputs and outputs. They also have access to the source code and use it to help design their tests. They do not, however, analyze the inner workings of the program during their testing.
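The practical difference between the black-box and white-box approaches is where the test cases come from: the written specification, or the code itself. The following added example (not from the study guide) makes that visible for a small hypothetical validator, validate_username, whose code enforces a reserved-name rule that its spec never mentions. A black-box suite derived only from the spec cannot reach that branch; a white-box suite built by reading the code does. Line coverage of the function is measured with sys.settrace so each suite's gaps can be compared.

```python
"""Black-box versus white-box test design for one validation routine, with
the line coverage each suite reaches measured through sys.settrace.
Added illustration; validate_username, its spec and the reserved-name
policy are all hypothetical."""
import dis
import re
import sys

RESERVED_NAMES = {"admin", "root"}   # hypothetical policy, absent from the spec


def validate_username(name):
    """Hypothetical validator. The written spec handed to black-box testers
    says only: 3 to 16 characters, letters, digits and underscore."""
    if not isinstance(name, str):
        return False
    if not 3 <= len(name) <= 16:
        return False
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        return False
    if name.lower() in RESERVED_NAMES:   # visible only by reading the code
        return False
    return True


# Black-box cases: (input, expected) pairs derived from the spec alone.
BLACK_BOX_CASES = [
    ("alice", True), ("ok_user1", True),
    ("ab", False), ("a" * 17, False), ("bad name!", False),
]
# White-box cases: the same, plus one case per branch the code reveals
# (non-string input, reserved name).
WHITE_BOX_CASES = BLACK_BOX_CASES + [(42, False), ("Admin", False)]


def executed_lines(func, cases):
    """Run func on every case, checking each output, and collect the line
    numbers of func's body that actually executed."""
    code = func.__code__
    hit = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None                 # ignore frames of callees such as re
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for value, expected in cases:
            if func(value) != expected:
                raise AssertionError(f"{value!r}: expected {expected}")
    finally:
        sys.settrace(previous)
    return hit


def missed_lines(func, cases):
    """Body lines of func that the given cases never reach. The def line
    itself is excluded so the result is the same across Python versions."""
    code = func.__code__
    body = {ln for _, ln in dis.findlinestarts(code)
            if ln is not None and ln > code.co_firstlineno}
    return body - executed_lines(func, cases)


if __name__ == "__main__":
    for label, cases in (("black-box", BLACK_BOX_CASES),
                         ("white-box", WHITE_BOX_CASES)):
        missed = sorted(missed_lines(validate_username, cases))
        print(f"{label}: unreached lines {missed or 'none'}")
```

The black-box suite passes every case it has, yet two return paths are never executed: the non-string guard and the reserved-name rejection. Nothing in the spec told the tester those paths existed. The white-box suite, built from the code, reaches every body line, which is the kind of structural completeness white-box testing is meant to provide.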
In addition to assessing the quality of software, programmers and security professionals should carefully assess the security of their software to ensure that it meets the organization's security requirements. This is especially critical for web applications that are exposed to the public. There are two categories of testing used specifically to evaluate application security:
Static Testing
Static testing evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows. (For more on buffer overflows, see Chapter 21, "Malicious Code and Application Attacks.") In mature development environments, application developers are given access to static analysis tools and use them throughout the design/build/test process.
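To make the static-analysis idea concrete, here is an added example (not from the study guide, and far simpler than a real tool) of a source-level checker in the spirit of what the paragraph describes: it reads C source text, never compiles or runs it, and reports calls to unbounded string functions such as gets and strcpy that are the classic source of buffer overflows. Comments and string literals are blanked first so that a mention of strcpy in a comment or an error message is not reported as a call. The list of functions and the sample program are constructed for the illustration.

```python
"""Toy static analyzer: flags calls to unbounded C string functions in source
text without compiling or running it. Added example; the function table and
the sample program are constructed for illustration."""
import re
from dataclasses import dataclass

# Unbounded-write functions and the bounded alternative to suggest.
UNSAFE_CALLS = {
    "gets": "fgets with an explicit buffer size",
    "strcpy": "strncpy/strlcpy or snprintf with the destination size",
    "strcat": "strncat/strlcat",
    "sprintf": "snprintf",
}


@dataclass
class Finding:
    line: int       # 1-based line number in the original source
    func: str       # the flagged function name
    advice: str     # bounded replacement to suggest
    source: str     # the offending source line, stripped


def strip_comments_and_strings(src):
    """Blank out comments and string literals, keeping every newline so line
    numbers stay aligned with the original text."""
    def blank(match):
        return re.sub(r"[^\n]", " ", match.group(0))
    pattern = r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"'
    return re.sub(pattern, blank, src, flags=re.S)


def scan(src):
    """Return a Finding for every call to a function in UNSAFE_CALLS."""
    call_re = re.compile(r"\b(%s)\s*\(" % "|".join(UNSAFE_CALLS))
    original = src.splitlines()
    findings = []
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        for match in call_re.finditer(line):
            name = match.group(1)
            findings.append(Finding(lineno, name, UNSAFE_CALLS[name],
                                    original[lineno - 1].strip()))
    return findings


def report(src):
    """Render findings as one line each, as a CI job might print them."""
    return [f"line {f.line}: {f.func}() is unbounded; use {f.advice}: {f.source}"
            for f in scan(src)]


# Constructed sample program: two real findings and two decoys that a naive
# text search would report (a comment and a string literal).
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

/* strcpy(dst, src) mentioned in this comment must not be reported */
int greet(const char *name) {
    char buf[32];
    strcpy(buf, name);                  /* unbounded copy into 32 bytes */
    printf("prefer sprintf() -> snprintf()");   /* inside a string: not a call */
    char line[64];
    gets(line);
    return 0;
}
'''

if __name__ == "__main__":
    for entry in report(SAMPLE_C):
        print(entry)
```

Real static analyzers work on a parsed representation rather than regular expressions, so they can tell a call from a declaration and follow data flow into the destination buffer, but the workflow is the same: findings are produced from the source alone and handed to developers before anything is built or deployed.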
Dynamic Testing
Dynamic testing evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code. One common example of dynamic software testing is the use of web application scanning tools to detect the presence of cross-site scripting, Structured Query Language (SQL) injection, or other flaws in web applications. Dynamic tests on a production environment should always be carefully coordinated to avoid an unintended interruption of service.
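The dynamic, source-free situation the paragraph describes can be shown in miniature. The added example below (not from the study guide) treats three constructed WSGI handlers as a black box: the test only sends a request and reads the response. It submits a harmless marker string in a parameter and classifies whether the marker comes back verbatim (no output encoding, the condition that makes cross-site scripting possible), HTML-encoded (the safe case), or not at all. That probe-and-inspect loop is the core of what a web application scanner automates across every parameter of a site.

```python
"""Black-box dynamic test: drive a web handler through its HTTP interface only
and classify how a request parameter comes back in the HTML. Added example;
the three WSGI handlers are constructed stand-ins for an application under
test whose source the tester cannot see."""
import html
from urllib.parse import parse_qs, quote
from wsgiref.util import setup_testing_defaults

# Harmless marker: distinctive text containing the characters an HTML encoder
# must transform. A browser does nothing with an unknown <probe> tag.
PROBE = "zz<probe>zz"


def unencoded_greeting(environ, start_response):
    """Constructed handler that copies the parameter straight into markup."""
    name = parse_qs(environ.get("QUERY_STRING", "")).get("name", [""])[0]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [f"<p>Hello, {name}</p>".encode("utf-8")]


def encoded_greeting(environ, start_response):
    """The same handler with output encoding applied."""
    name = parse_qs(environ.get("QUERY_STRING", "")).get("name", [""])[0]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [f"<p>Hello, {html.escape(name, quote=True)}</p>".encode("utf-8")]


def static_page(environ, start_response):
    """Handler that ignores the parameter entirely."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<p>Hello, stranger</p>"]


def http_get(app, query_string):
    """Minimal in-process client. Like a real scanner, the tester sees only
    the status line, headers and body, never the handler's code."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = "GET"
    environ["QUERY_STRING"] = query_string
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


def classify_reflection(app, param):
    """Send the marker in `param` and report what came back:
    'unencoded' (marker returned verbatim, output encoding missing),
    'encoded' (HTML-escaped form returned), or 'absent' (not reflected)."""
    _, body = http_get(app, f"{param}={quote(PROBE, safe='')}")
    if PROBE in body:
        return "unencoded"
    if html.escape(PROBE, quote=True) in body:
        return "encoded"
    return "absent"


def audit(apps, param="name"):
    """Probe every endpoint in `apps` ({label: handler}) and map each label
    to its verdict; 'unencoded' entries are the findings to fix."""
    return {label: classify_reflection(app, param) for label, app in apps.items()}


if __name__ == "__main__":
    endpoints = {"/greet-v1": unencoded_greeting,
                 "/greet-v2": encoded_greeting,
                 "/static": static_page}
    for path, verdict in audit(endpoints).items():
        print(f"{path}: {verdict}")
```

Because the test is blind to the implementation, it reports the same verdict whether the endpoint is first-party code or a vendor product; that is exactly why dynamic testing is the usual choice when the source is unavailable. The marker is inert, but each probe is still a live request, which is the reason the text insists on coordinating dynamic tests against production systems.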
Proper software test implementation is a key element in the project development process. Many of the common mistakes and oversights often found in commercial and in-house software can be eliminated by thorough testing. Keep the test plan and results as part of the system's permanent documentation.