In this lesson, we're going to explain the differences in testing visibility among approaches. We also want to talk about certain differences among security approaches, such as active versus passive application security tests, and then we want to identify the appropriate test approach for a given business case.
Before we get into the color gradation of testing approaches, I want to make one distinction. There are active application security tests and there are passive application security testing approaches. Passive approaches are things such as scanning.

Vulnerability scans should be run frequently. There are all kinds of different types of scans, whether they're network scans or application scans, or potentially agent-based vulnerability testing or scanning.
Now, the benefit of this is that for known vulnerabilities, this scan will find them. It'll tell you the numbers; it can tell you how old the vulnerabilities are, depending on what you're using to do your scanning.

The key difference there is "known." If a vulnerability has never been discovered before and doesn't have a specific signature attached to it, the vulnerability scan will not find that vulnerability. So the number of vulnerabilities turned up by the scan represents the number of known vulnerabilities, not all vulnerabilities in the application.

Vulnerability scanning is a passive form of application security testing, but it is still very powerful. Scanning and subsequent patching is an incredibly useful and powerful way to keep the attack surface small and your application secure.
Let's contrast this with active application security testing. An active application security test is often referred to as a penetration test or security assessment. Active tests are when you actually hire a company to attempt to penetrate your system and identify vulnerabilities.
These tests come in three different flavors. There's white box testing, gray box testing and black box testing.
The gradation refers to the amount of information the tester has about the environment before beginning the test.

In a white box test, they may have access to documentation and network diagrams, and they may actually be given a point of entry into the network before beginning their test.

In a gray box test, they may just be given high-level information about how the application is designed, so they know the underlying architecture before their tests. In a black box test, the tester truly has no knowledge of the system or how it's configured, and they are starting from square one.

In terms of which of these tests is most authentic to what an adversary sees, a black box test really reflects the level of knowledge that a true adversary who is trying to compromise your network would have. So the results of a black box test in many ways represent the kind of process that a real attacker would go through.
All right, quiz question. Which of the following is an example of gray box testing?

One: an application tester looks through the code for potential application vulnerabilities.
Two: based on documentation, a tester performs security tests on an application in a sandbox.
Three: a security tester performs an application penetration test without prior knowledge of the application.
In this context, number two is really the best example of gray box testing: based on documentation, the tester is performing security tests on the application in a sandbox. So the tester has some knowledge of the system, and they are doing their test within a sandbox environment. This can be done for a number of different reasons. Doing active application security tests does not come without risk. There can be risk to the availability of the application, disruption of functionality, and potential damage to the code. That's why it's always very important to establish the, quote, rules of engagement when having an active penetration test of an application.

And for anyone who's an application penetration tester: you always want to establish clear permissions, meaning permission to conduct the tests, when it will be done, the duration of the tests, the appropriate methods, and any timing constraints related to when the test should be done.
So in summary, we talked about active versus passive application security testing methods, and then we talked about the difference between white box, gray box and black box testing. All right, I'll see you in the next lesson.