Terms related to Advanced Security Tester 2016

A use case in which some actors with malicious intent are causing harm to the system or to other actors.
The exit criteria that a component or system must satisfy in order to be accepted by a user, customer, or other authorized entity.
The process of obtaining user account information based on trial and error with the intention of using that information in a security attack.
The capability of the software product to provide the right or agreed results or effects with the needed degree of precision.
User or any other person or system that interacts with the test object in a specific way.
The behavior produced/observed when a component or system is tested.
A tool that carries out static analysis.
Software that is used to detect and inhibit malware.
A type of interface in which the components or systems involved exchange information in a defined formal structure.
A path or means by which an attacker can gain access to a system for malicious purposes.
A person or process that attempts to access data, functions or other restricted areas of the system without authorization, potentially with malicious intent.
An independent evaluation of software products or processes to ascertain compliance to standards, guidelines, specifications, and/or procedures based on objective criteria, including documents that specify: the form or content of the products to be produced, the process by which the products shall be produced, and how compliance to standards or guidelines shall be measured.
A procedure determining whether a person or a process is, in fact, who or what it is declared to be.
Permission given to a user or process to access resources.
The degree to which a component or system is operational and accessible when required for use. Often expressed as a percentage.
A superior method or innovative practice that contributes to the improved performance of an organization under given context, usually recognized as "best" by other peer organizations.
A network of compromised computers, called bots or robots, which is controlled by a third party and used to transmit malware or spam, or to launch attacks.
The percentage of branches that have been exercised by a test suite. 100% branch coverage implies both 100% decision coverage and 100% statement coverage.
Bug
A flaw in a component or system that can cause the component or system to fail to perform its required function, e.g., an incorrect statement or data definition. A defect, if encountered during execution, may cause a failure of the component or system.
A document reporting on any flaw in a component or system that can cause the component or system to fail to perform its required function.
An analysis technique aimed at identifying the root causes of defects. By directing corrective measures at root causes, it is hoped that the likelihood of defect recurrence will be minimized.
(1) A structured approach to transitioning individuals and organizations from a current state to a desired future state. (2) Controlled way to effect a change, or a proposed change, to a product or service.
Testing based on an analysis of the internal structure of the component or system.
A standard that describes the characteristics of a design or a design description of data or program components.
A software product that is developed for the general market, i.e. for a large number of customers, and that is delivered to many customers in identical format.
A software tool that translates programs expressed in a high-order language into their machine language equivalents.
The set of generic and specific conditions, agreed upon with the stakeholders for permitting a process to be officially completed. The purpose of exit criteria is to prevent a task from being considered completed when there are still outstanding parts of the task which have not been finished. Exit criteria are used to report against and to plan when to stop testing.
The degree to which a component or system has a design and/or internal structure that is difficult to understand, maintain and verify.
The capability of the software product to adhere to standards, conventions or regulations in laws and similar prescriptions.
A minimal software item that can be tested in isolation.
Testing performed to expose defects in the interfaces and interactions between integrated components.
The testing of individual software components.
The practice of determining how a security attack has succeeded and assessing the damage caused.
The composition of a component or system as defined by the number, nature, and interconnections of its constituent parts.
A discipline applying technical and administrative direction and surveillance to identify and document the functional and physical characteristics of a configuration item, control changes to those characteristics, record and report change processing and implementation status, and verify compliance with specified requirements.
Testing that runs test cases that failed the last time they were run, in order to verify the success of corrective actions.
A sequence of events (paths) in the execution through a component or system.
An abstract representation of all possible sequences of events (paths) in the execution through a component or system.
A sequence of consecutive edges in a directed graph.
The degree, expressed as a percentage, to which a specified coverage item has been exercised by a test suite.
A vulnerability that allows attackers to inject malicious code into an otherwise benign website.
The maximum number of linear, independent paths through a program. Cyclomatic complexity may be computed as L - N + 2P, where L = the number of edges/links in a graph, N = the number of nodes in a graph, P = the number of disconnected parts of the graph (e.g., a called graph or subroutine).
A representation of dynamic measurements of operational performance for some organization or activity, using metrics represented via metaphors such as visual dials, counters, and other devices resembling those on the dashboard of an automobile, so that the effects of events or activities can be easily understood and related to operational goals.
The sequence of possible changes to the state of data objects.
Data transformation that makes it difficult for a human to recognize the original data.
The protection of personally identifiable information or otherwise sensitive information from undesired disclosure.
A scripting technique that stores test input and expected results in a table or spreadsheet, so that a single control script can execute all of the tests in the table. Data-driven testing is often used to support the application of test execution tools such as capture/playback tools.
The process of finding, analyzing and removing the causes of failures in software.
A program point at which the control flow has two or more alternative routes. A node with two or more links to separate branches.
The result of a decision (which therefore determines the branches to be taken).
A flaw in a component or system that can cause the component or system to fail to perform its required function, e.g., an incorrect statement or data definition. A defect, if encountered during execution, may cause a failure of the component or system.
A document reporting on any flaw in a component or system that can cause the component or system to fail to perform its required function.
The set of generic and specific conditions, agreed upon with the stakeholders for permitting a process to be officially completed. The purpose of exit criteria is to prevent a task from being considered completed when there are still outstanding parts of the task which have not been finished. Exit criteria are used to report against and to plan when to stop testing.
A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, commonly the Internet.
A security attack that is intended to overload the system with requests such that legitimate requests cannot be serviced.
Any event occurring that requires investigation.
A document reporting on any event that occurred, e.g., during the testing, which requires investigation.
A software component or test tool that replaces a component that takes care of the control and/or the calling of a component or system.
The process of evaluating behavior, e.g., memory performance, CPU usage, of a system or component during execution.
Testing that involves the execution of the software of a component or system.
The capability of producing an intended result.
(1) The capability of the software product to provide appropriate performance, relative to the amount of resources used, under stated conditions. (2) The capability of a process to produce the intended outcome, relative to the amount of resources used.
The process of encoding information so that only authorized parties can retrieve the original information, usually by means of a specific decryption key or process.
A portion of an input or output domain for which the behavior of a component or system is assumed to be the same, based on the specification.
A human action that produces an incorrect result.
A security tester using hacker techniques.
A source code statement that, when translated into object code, can be executed in a procedural manner.
The set of generic and specific conditions, agreed upon with the stakeholders for permitting a process to be officially completed. The purpose of exit criteria is to prevent a task from being considered completed when there are still outstanding parts of the task which have not been finished. Exit criteria are used to report against and to plan when to stop testing.
The behavior predicted by the specification, or another source, of the component or system under specified conditions.
Deviation of the component or system from its expected delivery, service or result.
A flaw in a component or system that can cause the component or system to fail to perform its required function, e.g., an incorrect statement or data definition. A defect, if encountered during execution, may cause a failure of the component or system.
A distinguishing characteristic of a component or system.
A component or set of components that controls incoming and outgoing network traffic based on predetermined security rules.
The exploration of a target area aiming to gain information that can be useful for an attack.
A requirement that specifies a function that a component or system must perform.
Testing based on an analysis of the specification of the functionality of a component or system.
The capability of the software product to provide functions which meet stated and implied needs when the software is used under specified conditions.
A software testing technique used to discover security vulnerabilities by inputting massive amounts of random data, called fuzz, to the component or system.
Testing based on an analysis of the internal structure of the component or system.
A type of interface that allows users to interact with a component or system through graphical icons and visual indicators.
A person or organization who is actively involved in security attacks, usually with malicious intent.
Transformation of a variable length string of characters into a usually shorter fixed-length value or key. Hashed values, or hashes, are commonly used in table or database lookups. Cryptographic hash functions are used to secure data.
A generally recognized rule of thumb that helps to achieve a goal.
The damage that will be caused if the risk becomes an actual outcome or event.
Any event occurring that requires investigation.
The process of recognizing, investigating, taking action and disposing of incidents. It involves logging incidents, classifying them and identifying the impact.
A document reporting on any event that occurred, e.g., during the testing, which requires investigation.
A measure that can be used to estimate or predict another measure.
Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
Attributes of software products that bear on their ability to prevent unauthorized access, whether accidental or deliberate, to programs and data.
A variable (whether stored within a component or outside) that is read by a component.
A security threat originating from within the organization, often by an authorized system user.
A type of peer review that relies on visual examination of documents to detect defects, e.g., violations of development standards and non-conformance to higher level documentation. The most formal review technique and therefore always based on a documented procedure.
The process of combining components or systems into larger assemblies.
Testing performed to expose defects in the interfaces and in the interactions between integrated components or systems.
The degree to which a component or system allows only authorized access and modification to a component, a system or data.
A system which monitors activities on the 7 layers of the OSI model from network to application level, to detect violations of the security policy.
A metric that supports the judgment of process performance.
A partitioning of the life of a product or project into phases.
The activities performed at each stage in software development, and how they relate to one another logically and chronologically.
The probability that a risk will become an actual outcome or event.
Testing performed to expose defects in the interfaces and interactions between integrated components.
Testing based on an analysis of the internal structure of the component or system.
Modification of a software product after delivery to correct defects, to improve performance or other attributes, or to adapt the product to a modified environment.
Software that is intended to harm a system or its components.
Static analysis aiming to detect and remove malicious code received at an interface.
The number or category assigned to an attribute of an entity by making a measurement.
A measurement scale and the method used for measurement.
A point in time in a project at which defined (intermediate) deliverables and results should be ready.
A human action that produces an incorrect result.
Testing based on or involving models.
A minimal software item that can be tested in isolation.
The testing of individual software components.
Multiple heterogeneous, distributed systems that are embedded in networks at multiple levels and in multiple interconnected domains, addressing large-scale inter-disciplinary common problems and purposes, usually without a common management structure.
A sub-network with a defined level of trust. For example, the Internet or a public zone would be considered to be untrusted.
A software product that is developed for the general market, i.e. for a large number of customers, and that is delivered to many customers in identical format.
A software tool that is available to all potential users in source code form, usually via the internet. Its users are permitted, usually under license, to study, change, improve and, at times, to distribute the software.
The intended environment for a component or system to be used in production.
A high-level document describing the principles, approach and major objectives of the organization regarding testing.
A high-level description of the test levels to be performed and the testing within those levels for an organization or programme (one or more projects).
The consequence/outcome of the execution of a test.
A variable (whether stored within a component or outside) that is written by a component.
A security attack recovering secret passwords stored in a computer system or transmitted over a network.
A sequence of consecutive edges in a directed graph.
The percentage of paths that have been exercised by a test suite.
A white-box test design technique in which test cases are designed to execute paths.
A testing technique aiming to exploit security vulnerabilities (known or unknown) to gain unauthorized access.
The degree to which a system or component accomplishes its designated functions within given constraints regarding processing time and throughput rate.
A metric that supports the judgment of process performance.
A security attack intended to redirect a web site's traffic to a fraudulent web site without the user's knowledge or consent.
An attempt to acquire personal or sensitive information by masquerading as a trustworthy entity in an electronic communication.
Environmental and state conditions that must be fulfilled after the execution of a test or test procedure.
The behavior predicted by the specification, or another source, of the component or system under specified conditions.
The level of (business) importance assigned to an item, e.g., defect.
A set of interrelated activities, which transform inputs into outputs.
A program of activities designed to improve the performance and maturity of the organization's processes, and the result of such a program.
A framework in which processes of the same nature are classified into an overall model.
A project is a unique set of coordinated and controlled activities with start and finish dates undertaken to achieve an objective conforming to specific requirements, including the constraints of time, cost and resources.
Part of quality management focused on providing confidence that quality requirements will be fulfilled.
A category of product attributes that bears on quality.
Testing that runs test cases that failed the last time they were run, in order to verify the success of corrective actions.
The exploration of a target area aiming to gain information that can be useful for an attack.
Testing of a previously tested program following modification to ensure that defects have not been introduced or uncovered in unchanged areas of the software, as a result of the changes made. It is performed when the software or its environment is changed.
A condition or capability needed by a user to solve a problem or achieve an objective that must be met or possessed by a system or system component to satisfy a contract, standard, specification, or other formally imposed document.
A tool that supports the recording of requirements, requirements attributes (e.g., priority, knowledge responsible) and annotation, and facilitates traceability through layers of requirements and requirements change management. Some requirements management tools also provide facilities for static analysis, such as consistency checking and violations to pre-defined requirements rules.
An approach to testing in which test cases are designed based on test objectives and test conditions derived from requirements, e.g., tests that exercise specific functions or probe non-functional attributes such as reliability or usability.
The consequence/outcome of the execution of a test.
An evaluation of a product or project status to ascertain discrepancies from planned results and to recommend improvements. Examples include management review, informal review, technical review, inspection, and walkthrough.
A factor that could result in future negative consequences.
The process of assessing identified project or product risks to determine their level of risk, typically by estimating their impact and probability of occurrence (likelihood).
The process of identifying and subsequently analyzing the identified project or product risk to determine its level of risk, typically by assigning likelihood and impact ratings.
The importance of a risk as defined by its characteristics impact and likelihood. The level of risk can be used to determine the intensity of testing to be performed. A risk level can be expressed either qualitatively (e.g., high, medium, low) or quantitatively.
The process of identifying risks using techniques such as brainstorming, checklists and failure history.
The damage that will be caused if the risk becomes an actual outcome or event.
The importance of a risk as defined by its characteristics impact and likelihood. The level of risk can be used to determine the intensity of testing to be performed. A risk level can be expressed either qualitatively (e.g., high, medium, low) or quantitatively.
The probability that a risk will become an actual outcome or event.
Systematic application of procedures and practices to the tasks of identifying, analyzing, prioritizing, and controlling risk.
The process through which decisions are reached and protective measures are implemented for reducing risks to, or maintaining risks within, specified levels.
An analysis technique aimed at identifying the root causes of defects. By directing corrective measures at root causes, it is hoped that the likelihood of defect recurrence will be minimized.
A cryptographic technique that adds random data (salt) to the user data prior to hashing.
The degree to which a component or system can be adjusted for changing capacity.
A person who executes security attacks that have been created by other hackers rather than creating one's own attacks.
Attributes of software products that bear on their ability to prevent unauthorized access, whether accidental or deliberate, to programs and data.
An attempt to gain unauthorized access to a component or system, resources, information, or an attempt to compromise system integrity.
An audit evaluating an organization's security processes and infrastructure.
A high-level document describing the principles, approach and major objectives of the organization regarding security.
A set of steps required to implement the security policy and the steps to be taken in response to a security incident.
A quality risk related to security.
Testing to determine the security of the software product.
A tool that supports operational security.
A weakness in the system that could allow for a successful security attack.
The degree of impact that a defect has on the development or operation of a component or system.
An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.
Computer programs, procedures, and possibly associated documentation and data pertaining to the operation of a computer system.
The activities performed at each stage in software development, and how they relate to one another logically and chronologically.
A distinguishing characteristic of a component or system.
The period of time that begins when a software product is conceived and ends when the software is no longer available for use. The software lifecycle typically includes a concept phase, requirements phase, design phase, implementation phase, test phase, installation and checkout phase, operation and maintenance phase, and sometimes, retirement phase. Note these phases may overlap or be performed iteratively.
Any event occurring that requires investigation.
A document reporting on any event that occurred, e.g., during the testing, which requires investigation.
An entity in a programming language, which is typically the smallest indivisible unit of execution.
Documentation that provides a detailed description of a component or system for the purpose of developing and testing it.
A type of code injection in the structured query language (SQL).
Formal, possibly mandatory, set of requirements developed and used to prescribe consistent approaches to the way of working or to provide guidelines (e.g., ISO/IEC standards, IEEE standards, and organizational standards).
A transition between two states of a component or system.
An entity in a programming language, which is typically the smallest indivisible unit of execution.
The percentage of executable statements that have been exercised by a test suite.
Analysis of software development artifacts, e.g., requirements or code, carried out without execution of these software development artifacts. Static analysis is usually carried out by means of a supporting tool.
A tool that carries out static analysis.
Testing of a software development artifact, e.g., requirements, design or code, without execution of these artifacts, e.g., reviews or static analysis.
Testing based on an analysis of the internal structure of the component or system.
A step-by-step presentation by the author of a document in order to gather information and to establish a common understanding of its content.
A skeletal or special-purpose implementation of a software component, used to develop or test a component that calls or is otherwise dependent on it. It replaces a called component.
A collection of components organized to accomplish a specific function or set of functions.
The step-by-step process of reducing the security vulnerabilities of a system by applying a security policy and different layers of protection.
Testing the integration of systems and packages; testing interfaces to external organizations (e.g., Electronic Data Interchange, Internet).
Multiple heterogeneous, distributed systems that are embedded in networks at multiple levels and in multiple interconnected domains, addressing large-scale inter-disciplinary common problems and purposes, usually without a common management structure.
Testing an integrated system to verify that it meets specified requirements.
A peer group discussion activity that focuses on achieving consensus on the technical approach to be taken.
A set of one or more test cases.
The process of analyzing the test basis and defining test objectives.
The implementation of the test strategy for a specific project. It typically includes the decisions made, based on the (test) project's goal and the risk assessment carried out, about the starting points regarding the test process, the test design techniques to be applied, the exit criteria and the test types to be performed.
(1) A person who provides guidance and strategic direction for a test organization and for its relationship with other disciplines. (2) A person who defines the way testing is structured for a given system, including topics such as test tools and test data management.
All documents from which the requirements of a component or system can be inferred. The documentation on which the test cases are based. If a document can be amended only by way of formal amendment procedure, then the test basis is called a frozen test basis.
An environment containing hardware, instrumentation, simulators, software tools, and other support elements needed to conduct a test.
A set of input values, execution preconditions, expected results and execution postconditions, developed for a particular objective or test condition, such as to exercise a particular program path or to verify compliance with a specific requirement.
During the test closure phase of a test process, data is collected from completed activities to consolidate experience, testware, facts and numbers. The test closure phase consists of finalizing and archiving the testware and evaluating the test process, including preparation of a test evaluation report.
The set of generic and specific conditions, agreed upon with the stakeholders for permitting a process to be officially completed. The purpose of exit criteria is to prevent a task from being considered completed when there are still outstanding parts of the task which have not been finished. Exit criteria are used to report against and to plan when to stop testing.
An item or event of a component or system that could be verified by one or more test cases, e.g., a function, transaction, feature, quality attribute, or structural element.
The degree, expressed as a percentage, to which a specified coverage item has been exercised by a test suite.
Data that exists (for example, in a database) before a test is executed, and that affects or is affected by the component or system under test.
A software component or test tool that replaces a component that takes care of the control and/or the calling of a component or system.
An environment containing hardware, instrumentation, simulators, software tools, and other support elements needed to conduct a test.
The process of running a test on the component or system under test, producing actual result(s).
A test tool that executes tests against a designated test item and evaluates the outcomes against expected results and postconditions.
The process of developing and prioritizing test procedures, creating test data and, optionally, preparing test harnesses and writing automated test scripts.
Any event occurring that requires investigation.
A document reporting on any event that occurred, e.g., during the testing, which requires investigation.
The data received from an external source by the test object during test execution. The external source can be hardware, software or human.
A tool that provides support to the test management and control part of a test process. It often has several capabilities, such as testware management, scheduling of tests, the logging of results, progress tracking, incident management and test reporting.
The person responsible for project management of testing activities and resources, and evaluation of a test object. The individual who directs, controls, administers, plans and regulates the evaluation of a test object.
The component or system to be tested.
A reason or purpose for designing and executing a test.
The consequence/outcome of the execution of a test.
A document describing the scope, approach, resources and schedule of intended test activities. It identifies amongst others test items, the features to be tested, the testing tasks, who will do each task, degree of tester independence, the test environment, the test design techniques and entry and exit criteria to be used, and the rationale for their choice, and any risks requiring contingency planning. It is a record of the test planning process.
The activity of establishing or updating a test plan.
A high-level document describing the principles, approach and major objectives of the organization regarding testing.
A document specifying a sequence of actions for the execution of a test. Also known as test script or manual test script.
The fundamental test process comprises test planning and control, test analysis and design, test implementation and execution, evaluating exit criteria and reporting, and test closure activities.
Collecting and analyzing data from testing activities and subsequently consolidating the data in a report to inform stakeholders.
An item or event of a component or system that could be verified by one or more test cases, e.g., a function, transaction, feature, quality attribute, or structural element.
The consequence/outcome of the execution of a test.
An environment containing hardware, instrumentation, simulators, software tools, and other support elements needed to conduct a test.
A document specifying a sequence of actions for the execution of a test. Also known as test script or manual test script.
Commonly used to refer to a test procedure specification, especially an automated one.
An item or event of a component or system that could be verified by one or more test cases, e.g., a function, transaction, feature, quality attribute, or structural element.
A document that consists of a test design specification, test case specification and/or test procedure specification.
A high-level description of the test levels to be performed and the testing within those levels for an organization or programme (one or more projects).
A software product that supports one or more test activities, such as planning and control, specification, building initial files and data, test execution and test analysis.
A group of test activities aimed at testing a component or system focused on a specific test objective, i.e. functional test, usability test, regression test etc. A test type may take place on one or more test levels or test phases.
The capability of the software product to enable modified software to be tested.
A skilled professional who is involved in the testing of a component or system.
The process consisting of all lifecycle activities, both static and dynamic, concerned with planning, preparation and evaluation of software products and related work products to determine that they satisfy specified requirements, to demonstrate that they are fit for purpose and to detect defects.
The capability of the software product to enable the user to understand whether the software is suitable, and how it can be used for particular tasks and conditions of use.
A minimal software item that can be tested in isolation.
The testing of individual software components.
The capability of the software to be understood, learned, used and attractive to the user when used under specified conditions.
A sequence of transactions in a dialogue between an actor and a component or system with a tangible result, where an actor can be a user or anything that can exchange information with the system.
All components of a system that provide information and controls for the user to accomplish specific tasks with the system.
Confirmation by examination and through provision of objective evidence that the requirements for a specific intended use or application have been fulfilled.
An element of storage in a computer that is accessible by a software program by referring to it by a name.
Confirmation by examination and through provision of objective evidence that specified requirements have been fulfilled.
A static analyzer that is used to detect particular security vulnerabilities in the code.
A step-by-step presentation by the author of a document in order to gather information and to establish a common understanding of its content.
Testing based on an analysis of the internal structure of the component or system.