Software Development and Security

Questions and Answers

What is a primary function of threat-model-driven testing?

Improving UI design

Ensuring security threats are mitigated correctly (correct)

Managing team communication

Validating user experience

Which type of testing is used to refer to key functional tasks performed by quality assurance?

Penetration testing

Security testing (correct)

Test-driven development

Integration testing

What does penetration testing typically supplement?

Threat modeling (correct)

Quality assurance

Software development

Project management

Which method of penetration testing involves testers being given access to code and designs?

Glass box testing

What is a key aspect of QA'ing threat modeling?

Ensuring model/reality conformance

What should be done if a threat model leads to substantial redesign or architecture changes?

Reassess and possibly revamp the threat model

What should be developed for each identified threat in a threat model?

At least two tests

How should bugs related to threat mitigation be handled before closing the testing phase?

Reviewed and ensured they are closed

Which stage in the software development lifecycle involves testing and validation?

Test-driven development

What type of penetration testing involves testing a system without any prior knowledge of the internal workings?

Black box testing

In threat modeling, what is an important element to verify related to the threat model?

That it closely matches reality

Why are bugs used to track test development?

To increase transparency and accountability

What is the role of QA in the context of threat modeling?

To ensure all processes and tasks related to threats are completed

What type of testing attempts to bypass mitigation efforts?

Threat-model-driven testing

When integrating test processes, what should the creation of tests involve?

The creation and management of tests

Study Notes

Threat Modeling and Testing

• Primary function of threat-model-driven testing is to ensure security threats are mitigated correctly
• Security testing refers to key functional tasks performed by quality assurance (QA)

Penetration Testing

• Penetration testing typically supplements threat modeling
• Types of penetration testing:
  • Black box testing: provides only the software to testers without additional resources
  • Glass box testing: involves testers being given access to code and designs
  • Grey box testing: not mentioned as an answer, but implied as a type
  • White box testing: not mentioned as an answer, but implied as a type

QA and Threat Modeling

• Key aspect of QA'ing threat modeling is ensuring model/reality conformance
• QA's role in threat modeling is to ensure all processes and tasks related to threats are completed
• For each identified threat in a threat model, at least two tests should be developed

Threat Model Changes and Handling Bugs

• If a threat model leads to substantial redesign or architecture changes, reassess and possibly revamp the threat model
• Bugs related to threat mitigation should be reviewed and ensured they are closed before closing the testing phase

Description

Quiz about software development methodologies and security testing, including penetration testing and threat modeling.