Testing Methods of Software Products

Published: May 31, 2021, 2:14 a.m.


Hello everyone, my name is Vijay Kumar Devireddy and I am glad to have you back on my episode 43. Today we are discussing testing methods. In this lesson we're going to focus on the different testing methods that you may use to help your organization's developers secure their code. Most security analysts are not programmers themselves, so the Security+ exam isn't focused on the specific types of code reviews like pair programming, over-the-shoulder reviews, and others. Instead, the episode focuses on just a handful of testing methods that an entry-level security analyst might conduct.

The first type of testing is known as system testing. This comes in three varieties: black-box testing, white-box testing, and gray-box testing. Black-box testing occurs when a tester is not given any information about the system or program before beginning their test. For example, if I create a program and I wanted you to conduct this type of test, I might simply hand you a copy of the executable program on a disk, and then it's up to you to figure out how it functions, how to bypass any security I may have coded into it, and whether you can crash it by entering incorrect information. Essentially, you're going to be doing your testing without any sense of what the program does or how it functions. As a tester, you're essentially blind to start with, and you discover your way around the program or system through your testing.

White-box testing, on the other hand, is the exact opposite. In white-box testing, the tester is given the details of the inner workings of the program or system. This may even include access to the full source code of that program, diagrams of the system, user access credentials, logons, and more.

The third type of testing is called gray-box testing. This is a mixture of black-box and white-box, where the tester is given some amount of information about the system and conducts his testing as if he doesn't have full access to it. For example, a gray-box tester might be given user-level credentials to test a system, but not administrative credentials. If you're testing a network system, you may be given some information like the IP addresses of different devices, but not the version of the software that's running on each device.

As a part of these system tests, you're often attempting to break the system by stressing it or creating an exception. It's important that programmers have coded their applications to fail securely, and to ensure this happens you're going to purposely create error conditions, cause an error to occur, and see how the system reacts to it. If the program is running when the error occurs, the error is known as a runtime error. If the program fails to run because of a coding error, this is known as a syntax error. This is because the most common cause of this type of error in programming is when a programmer doesn't use the proper syntax expected by that programming language, such as leaving out a closing parenthesis or missing a semicolon inside their code. As a security analyst, you're much more likely to experience a runtime error than a syntax error, because you're testing these things in a live environment. Now, when you create an error (this is also known as an exception), you need to have a way to handle it properly and gather the details of the error and what caused it.
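As an added example (not code from the episode), here is a hypothetical Python service with a handler that fails insecurely beside one that fails securely, plus a small harness that submits constructed malformed inputs to check that the program rejects them without crashing and without leaking exception details to the caller. The service, its inputs and the handler names are all assumptions made for this illustration.

```python
import logging

# Hypothetical program under test (constructed for this example):
# a service that accepts an "age" field from an untrusted client.
logging.basicConfig(level=logging.WARNING)
LOG = logging.getLogger("service")
GENERIC_ERROR = "invalid request"


def parse_age(raw):
    """Convert untrusted input to an int in [0, 150]; raise on anything else."""
    value = int(raw)  # ValueError / TypeError on malformed input (a runtime error)
    if not 0 <= value <= 150:
        raise ValueError(f"age out of range: {value}")
    return value


class LeakyHandler:
    """Fails insecurely: echoes the exception text back to the caller."""
    def handle(self, raw):
        try:
            return {"ok": True, "age": parse_age(raw)}
        except Exception as exc:
            return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


class SecureHandler:
    """Fails securely: caller gets a fixed generic error, details go to the internal log."""
    def handle(self, raw):
        try:
            return {"ok": True, "age": parse_age(raw)}
        except Exception as exc:
            LOG.warning("rejected input %r: %s: %s", raw, type(exc).__name__, exc)
            return {"ok": False, "error": GENERIC_ERROR}


# Constructed error conditions a tester might submit to force a runtime error.
ERROR_INPUTS = ["", "abc", "-5", "9" * 400, None, b"\xff", "12.5", "1e3"]


def run_error_condition_tests(handler):
    """Submit each malformed input; count crashes, denials and leaked internals."""
    results = {"crashed": 0, "denied": 0, "leaked": 0}
    for raw in ERROR_INPUTS:
        try:
            resp = handler.handle(raw)
        except Exception:  # an exception escaped: the system did not fail securely
            results["crashed"] += 1
            continue
        if not resp["ok"]:
            results["denied"] += 1
            # A Python exception class name or the raw input in the reply means
            # internal details reached the client.
            if "Error" in resp["error"] or repr(raw) in resp["error"]:
                results["leaked"] += 1
    return results
```

Running the harness against both handlers shows every malformed input denied in both cases, but only the leaky handler reveals the exception type and message to the caller.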
