Application Security Theory
What is...
A Software bug?
In software, a bug is an error in code that causes the program to behave unexpectedly (e.g. crash). The term originates from an actual bug, a moth, that crashed an early computer. Bugs are usually found either during unit testing written by the software developer or during module testing performed by QA teams.
A Software defect?
A defect is found when the application does not conform to its requirement specification. A defect can also be found when the client or user is testing, or when an error is found and a fix is in development.
A Software vulnerability?
A vulnerability is a software bug or defect that can potentially be exploited for malicious intent.
A Known vulnerability?
A known vulnerability refers to a bug that has been reported to the vendor and may have a workaround or a patch available. MITRE assigns these vulnerabilities a number known as a Common Vulnerability Enumeration (CVE). A CVE ID includes the year of discovery and a sequence number, for example CVE-2020-0654.
An unknown, or zero day, vulnerability?
A zero-day vulnerability refers to a bug or defect that has not been reported to the vendor and therefore does not yet have a workaround or patch available. These unknown vulnerabilities are valuable to malicious actors, who can exploit them for years without detection. For example, the Heartbleed vulnerability, which gave bad actors the opportunity to extract private information from websites, was in the wild for nearly two years before it was discovered.
White-box testing?
White-box (Known) testing examines the functionality of an application with access to its internal structure. It is also known as Clear Box Testing, Open Box Testing, Glass Box Testing, Transparent Box Testing, Code-Based Testing or Structural Testing.
Black-box testing?
Black-box (unknown) testing examines the functionality of an application without access to its internal structure or code. It can be applied to third-party binaries, for example.
Gray-box testing?
Gray-box testing is a mixture of white-box (known) and black-box (unknown) testing.
Positive, or deterministic, testing?
Positive testing, or functional testing, is a testing process where an application is sent a valid set of inputs. The purpose of positive testing is to ensure the application behaves as expected. While this type of testing is typically conducted by QA teams, modern DevOps shops may collaborate closely with security or development teams.
Negative, or nondeterministic, testing?
Negative testing, or non-functional testing, is a testing process where an application is sent an invalid set of inputs. The purpose of negative testing is to ensure the application remains stable in unexpected use cases. While this type of testing is typically conducted by security teams, modern DevOps shops may collaborate closely with QA or development teams.
Unit testing?
Unit testing tests individual units/components of software. A unit is the smallest testable part of any software. It usually has one or a few inputs and only a single output.
Property-based testing?
A property-based test allows a range of inputs to be generated and checked within a single test, rather than having to write a separate test for every value you want to check.
Regression testing?
Regression testing is defined as re-running both functional and non-functional tests to make sure that code previously developed and tested still runs after any changes. If the code doesn't run properly after a change, that is considered a regression.
Test, or code, coverage?
Test coverage, also referred to as code coverage, measures how much a program has been exercised by a test suite. Mayhem uses the edge coverage metric, which measures the number of control flow graph edges that have been exercised.
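To make the edge coverage metric and the positive/negative testing distinction above concrete, here is an added example (not code from the Mayhem docs). It traces a hypothetical `parse_record` function, records (previous line, current line) pairs as a line-level approximation of control flow graph edges, and shows that a suite of valid inputs leaves the error-handling edges unexercised until invalid inputs are added.

```python
import sys
from typing import Callable, Iterable, Set, Tuple

Edge = Tuple[int, int]


def parse_record(data: bytes) -> dict:
    """Hypothetical program under test (constructed for this example).
    Format: one length byte followed by exactly that many payload bytes."""
    if len(data) < 1:
        raise ValueError("empty input")
    length = data[0]
    payload = data[1:]
    if len(payload) < length:
        raise ValueError("truncated record")
    if len(payload) > length:
        raise ValueError("trailing bytes")
    return {"length": length, "payload": payload}


def edges_exercised(func: Callable, *args) -> Set[Edge]:
    """Run func under a line tracer and collect the (prev_line, cur_line)
    transitions taken inside func only; exceptions are swallowed so a
    crashing input still reports the edges it reached."""
    edges: Set[Edge] = set()
    state = {"prev": None}
    code = func.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None          # do not trace callees, only func itself
        if event == "line":
            cur = frame.f_lineno
            if state["prev"] is not None:
                edges.add((state["prev"], cur))
            state["prev"] = cur
        return tracer

    sys.settrace(tracer)
    try:
        func(*args)
    except Exception:
        pass
    finally:
        sys.settrace(None)
    return edges


def coverage_of_suite(inputs: Iterable[bytes]) -> Set[Edge]:
    """Union of edges exercised by every input in a test suite."""
    total: Set[Edge] = set()
    for data in inputs:
        total |= edges_exercised(parse_record, data)
    return total
```

Positive inputs such as `b"\x03abc"` all follow the same path, so their edge set stops growing; each negative input (`b""`, `b"\x05ab"`, `b"\x01abc"`) adds the edge into one `raise` branch.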
The difference between a SDL and a SDLC?
SDL refers to Secure Development Lifecycle, which is the process of embedding security testing throughout the entire software cycle. SDLC refers to Software Development Lifecycle, which defines the different phases that a software product goes through from the beginning to the end of its life. The SDLC sequence is Training, Requirements, Design, Implementation, Verification, Release, and Response. As a part of the SDL, Fuzz Testing appears under Verification.