4.2 Secure Cloud Software Requirements


1. 4.2.3 Explain Testing For Security Quality Assurance

1.1. a. Conformance Testing

1.1.1. also known as conformity assessment, compliance testing, or type testing

1.1.2. to determine whether a process, product, or service complies with the requirements of a specification, technical standard, contract, or regulation.

1.1.3. Testing is often either logical testing or physical testing

1.1.4. Conformance testing is performed preferably by independent organizations, which may be the standards body itself, to give sound assurance of compliance.

1.1.5. Aside from the various types of testing, related conformance testing activities include:

1.1.5.1. surveillance

1.1.5.2. inspection

1.1.5.3. auditing

1.1.5.4. certification

1.1.5.5. accreditation

1.2. b. Functional Testing

1.2.1. Functional Testing is a quality assurance (QA) process and a type of black-box testing that bases its test cases on the specifications of the software component under test.

1.2.2. Functions are tested by feeding them input and examining the output.

1.2.3. Functional testing usually describes what the system does.

1.2.4. Functional testing does not imply that you are testing a function (method) of your module or class. Functional testing tests a slice of functionality of the whole system.

1.3. c. Performance Testing

1.3.1. Performance Testing is a testing practice performed to determine how a system performs in terms of responsiveness and stability under a particular workload.

1.3.2. testing types:

1.3.2.1. load testing

1.3.2.1.1. Load testing ascertains whether or not the system performs optimally when it is being used by multiple users at the same time.

1.3.2.2. stress testing

1.3.2.2.1. Stress testing validates the responsiveness, reliability, and stability of the cloud infrastructure under extremely high load.

1.3.2.3. soak testing / endurance testing

1.3.2.3.1. Soak testing measures the performance of a system when it is exposed to heavy traffic for an extended duration to validate its behavior in the production environment.

1.3.2.4. spike testing

1.3.2.4.1. Spike Testing is a performance testing type used to test software applications under sudden, extreme increases and decreases in load.

1.3.2.5. configuration testing

1.3.2.5.1. Configuration Testing is a software testing technique in which the software application is tested with multiple combinations of software and hardware in order to evaluate the functional requirements and find out optimal configurations under which the software application works without any defects or flaws.

2. 4.2.4 Explain Cloud Computing and Business Continuity Planning or Disaster Recovery.

2.1. Business Continuity

2.1.1. Business Continuity Plan (BCP) is the process involved in creating a system of prevention and recovery from potential threats to a company. BCP is different from a disaster recovery plan, which focuses on the recovery of a company's IT system after a crisis.

2.2. Disaster Recovery

2.2.1. A Disaster Recovery Plan (DRP) is a plan that describes how work can be resumed quickly and effectively after a disaster. A DRP is just one part of the BCP and applies to organizations that rely on an IT infrastructure to function.

3. 4.2.5 Describe General Principles and Practices.

3.1. Business Continuity Planning

3.1.1. Why choose business continuity planning?

3.1.1.1. It is the intended outcome of properly executed business continuity planning and disaster recovery: the payoff for cost-effectively buying spare machines and servers, performing backups and taking them off-site, assigning responsibility, performing drills, educating employees, and being vigilant.

3.1.2. The analysis phase

3.1.2.1. Impact analysis, threat analysis, and impact scenarios.

3.1.3. How will the cloud strengthen business continuity?

3.1.3.1. EC-Council Disaster Recovery Professional (EDRP) certification certifies IT professionals, cybersecurity experts, BC/DR experts, CISOs, IT directors, and other cybersecurity enthusiasts in the field of business continuity

3.2. Disaster Recovery Planning

3.2.1. Why Choose Disaster Recovery

3.2.1.1. The primary goal of disaster recovery is to minimize the overall impact of a disaster on business performance. In case of disaster, critical workloads can be failed over to a DR site in order to resume business operations.

3.2.2. Design a Cloud-Based Disaster Recovery Plan

3.2.2.1. An effective cloud-based DR plan should include the following steps:

3.2.2.1.1. Perform a risk assessment and business impact analysis.

3.2.2.1.2. Choose prevention, preparedness, response, and recovery measures.

3.2.2.1.3. Test and update your cloud-based DR plan.

3.2.3. Backup and Disaster Recovery in Cloud Computing

3.2.3.1. Infrastructure as a Service (IaaS) allows you to rent IT infrastructure, including servers, storage, and network components, from the cloud vendor.

3.2.3.2. Platform as a Service (PaaS) allows you to rent a computing platform from the cloud provider for developing, testing, and configuring software applications.

3.2.3.3. Software as a Service (SaaS) allows you to access software applications that are hosted in the cloud.

4. 4.2.2 Secure Cloud Software Testing

4.1. Organizations pursuing testing in general, and load and performance testing and production service monitoring in particular, are challenged by several problems:

4.1.1. limited test budget

4.1.2. meeting deadlines

4.1.3. high costs per test

4.1.4. large number of test cases

4.1.5. little or no reuse of tests

4.1.7. geographical distribution of users

4.2. Cloud testing addresses these problems by providing:

4.2.1. effectively unlimited storage

4.2.2. quick availability of the infrastructure; its scalability, flexibility, and the availability of a distributed testing environment reduce the execution time of testing large applications and lead to cost-effective solutions.

5. 4.2.1 Explain Secure Development Practices

5.1. Handling data

5.1.1. Some data is more sensitive than the rest and requires special handling.

5.2. Code practices

5.2.1. Care must be taken not to expose too much information to a would-be attacker.

5.3. Language options

5.3.1. Consider the strengths and weaknesses of the language used.

5.4. Input validation and content injection

5.4.1. Data (content) entered by a user should never have direct access to a command or a query.

5.5. Physical security of the system

5.5.1. Physical access to the cloud servers should be restricted.
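The following is an added example illustrating points 5.2.1 and 5.4.1 above; it is not part of the original mind map. It shows the same database lookup written two ways: user input concatenated into the SQL text (so the user controls the query) and a parameterised query (so the input is only ever a value), run against a constructed in-memory SQLite table. It also shows a request handler that validates input before the query and returns only a generic error to the caller while full detail stays in the server log. The table, the usernames, and the `handle_request` function are assumptions made for the example.

```python
"""Added example: unsafe vs. parameterised SQL lookup, plus a handler that
validates input and avoids leaking internal detail. Not from the mind map."""
import logging
import re
import sqlite3

log = logging.getLogger("lookup")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row users table held in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Unsafe: the input is spliced into the SQL text, so quotes and
    operators inside it become part of the query (point 5.4.1)."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Safe: a placeholder carries the value; the driver never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed input that changes the meaning of the concatenated query:
# the WHERE clause becomes  username = 'x' OR '1'='1'  and matches every row.
INJECTION_INPUT = "x' OR '1'='1"

# Allow-list of what a username may look like (assumed policy for the example).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(username: str) -> bool:
    """Reject anything outside the allow-list before it reaches a query."""
    return USERNAME_RE.fullmatch(username) is not None


def handle_request(conn: sqlite3.Connection, username: str) -> dict:
    """What an HTTP handler would return (assumed shape: status + body).
    Validation first, parameterised query second, and on failure a generic
    message to the client while the stack trace goes to the log (point 5.2.1)."""
    if not is_valid_username(username):
        return {"status": 400, "body": "invalid username"}
    try:
        rows = lookup_safe(conn, username)
    except sqlite3.Error:
        log.exception("lookup failed for a validated username")  # detail stays server-side
        return {"status": 500, "body": "internal error"}          # nothing internal leaks
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, INJECTION_INPUT))
    print("safe, crafted input      :", lookup_safe(db, INJECTION_INPUT))
    print("handler, crafted input   :", handle_request(db, INJECTION_INPUT))
```

Running the script shows the concatenated query returning both rows for the crafted input, the parameterised query returning none, and the handler rejecting it before any query runs. Parameterisation is what removes the injection; the allow-list and the generic error message are the defence-in-depth layers the mind map's "code practices" item asks for.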

6. Group Members:

6.1. Nurshafawanie binti Saharom 25DDT18F1111

6.2. Nurdayana Putri binti Mohammed 25DDT18F1137

6.3. Akmal Rusydi bin Abdul Rani 25DDT18F1121

6.4. Nur Alyaa binti Saharizal 25DDT18F1114