SlideShare a Scribd company logo

6. Security Assessment and Testing

Sam Bowne
Sam Bowne

For a Summer 2019 CISSP class. Details at https://samsclass.info/125/125_Sum19.shtml

Education
1 of 25
Download to read offline
CNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Security Assessment and Testing
Assessing Access Control
Penetration Testing • Authorized white hat hacker breaks into an organization
Social Engineering • Exploiting the human mind • Often tricks the user into clicking a link • Zero-knowledge (black box) test • No information provided to attacker • Full-knowledge test • Provides pen tester with network diagram, policies and procedures, and sometimes results from previous pen testers • Partial-knowledge test
Penetration Tester Tools and Methodology • Metasploit (open source) • Core Impact and Immunity Canvas (closed source) • Methodology
Assuring Confidentiality, Data Integrity, and System Integrity • Pen testers must ensure confidentiality of data they access • Report should be treated as confidential
Vulnerability Testing • Also called Vulnerability Scanning • Uses a tool like Nessus or OpenVAS • Finds vulnerabilities • Requires manual verification and assessment • Must be matched to real threats to find true risk
Security Audit • Tests against a public standard • Such as PCI-DSS (Payment Card Industry Data Security Standard)
Security Assessment • View many controls across multiple domains • Policies and procedures • Administrative controls • Change management • Other tests (pen tests, vuln assessments, security audits)
Internal and Third Party Audits • Internal audits • Assessing adherence to policy • External audits • Require security professionals to play a role • Response and remediation to audit findings • Demonstrating mitigations
Log Reviews • Easiest way to verify that access control mechanisms are working
Centralized Logging • A central repository allows for more scalable security monitoring and intrusion detection • Syslog transmits log data in plaintext over UDP port 514 • Log retention • May be relevant to legal or regulatory compliance
Software Testing Methods
Software Testing Methods • Discovering programmer errors • Custom apps don't have a vendor providing security patches • Source code review helps • Two general approaches: • Static and dynamic analysis • Also manual code review • Pair programming is employed in agile programming shops
Static and Dynamic Testing • Static testing: the code is not running • Review source code for insecure practices, unsafe functions, etc. • Unix program lint • Compiler warnings • Dynamic testing: while code is executing • White box testing: tester has source code • Black box: tester has no internal details
Traceability Matrix • Maps customer requirements to software testing plan
Synthetic Transactions • Simulating business activities • Often used for Web apps
Software Testing Levels • Unit testing • Tests components like functions, procedures, or objects • Installation testing • Tests software as it is installed and first operated • Integration Testing • Testing multiple software components as they are combined into a working system
Software Testing Levels • Regression testing • Testing softare after updates, modification, or patches • Acceptance testing • Testing to ensure the software meets the customer's requirements • When done by customer, called User Acceptance Testing
Fuzzing • A type of black box testing • Sends random malformed data into software programs • To find crashes • A type of dynamic testing • Has found many flaws
Combinatorial Software Testing • Seeks to identify and test all unique combinations of software inputs • Pairwise testing (also called all pairs testing)
Misuse Case Testing • Formally model an adversary misusing the application • A more formal and commonly recognized way to consider negative security outcomes is threat modeling • Microsoft highlights it in their Security Development Lifecycle (SDL)
Test Coverage Analysis • Identifies the degree to which code testing applies to the entire application • To ensure that there are no significant gaps
Analyze and Report Test Outputs • Security test results are easy to produce • Actually improving security is much more difficult • Data must be analyzed to determine what action to take
6. Security Assessment and Testing

Recommended

CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and Testing
Maganathin Veeraragaloo
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
Karthikeyan Dhayalan
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
Hamed Moghaddam
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
Mohammed Adam
 

Recommended

CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and Testing
Maganathin Veeraragaloo
 
CISSP - Security Assessment
CISSP - Security AssessmentCISSP - Security Assessment
CISSP - Security Assessment
Karthikeyan Dhayalan
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle
 
Cissp- Security and Risk Management
Cissp- Security and Risk ManagementCissp- Security and Risk Management
Cissp- Security and Risk Management
Hamed Moghaddam
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
Mohammed Adam
 
Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
Doreen Loeber
 
Understanding cyber resilience
Understanding cyber resilienceUnderstanding cyber resilience
Understanding cyber resilience
Christophe Foulon, CISSP
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
Dam Frank
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
Narudom Roongsiriwong, CISSP
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
Darren Pauli
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Priyanka Aash
 
CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)
Sam Bowne
 
VAPT Services by prime
VAPT Services by primeVAPT Services by prime
VAPT Services by prime
Prime Infoserv
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
Azure sentinel
Azure sentinelAzure sentinel
Azure sentinel
Marius Sandbu
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management
Argyle Executive Forum
 
Operational Security
Operational SecurityOperational Security
Operational Security
Splunk
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
Marcelo Martins
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
Alfred Ouyang
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
Sam Bowne
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
Zefren Edior
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
testing strategies and tactics
testing strategies and tactics testing strategies and tactics
testing strategies and tactics
Preeti Mishra
 

More Related Content

What's hot

Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management
Argyle Executive Forum
 

What's hot (20)

Cyber Security Maturity Assessment
Cyber Security Maturity Assessment Cyber Security Maturity Assessment
Cyber Security Maturity Assessment
 
Understanding cyber resilience
Understanding cyber resilienceUnderstanding cyber resilience
Understanding cyber resilience
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security Operations
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)
 
VAPT Services by prime
VAPT Services by primeVAPT Services by prime
VAPT Services by prime
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
CISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset SecurityCISSP - Chapter 2 - Asset Security
CISSP - Chapter 2 - Asset Security
 
Azure sentinel
Azure sentinelAzure sentinel
Azure sentinel
 
Implementing Vulnerability Management
Implementing Vulnerability Management Implementing Vulnerability Management
Implementing Vulnerability Management
 
Operational Security
Operational SecurityOperational Security
Operational Security
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 

Similar to 6. Security Assessment and Testing

AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
SQA_Unit 3.pdf it is a database education
SQA_Unit 3.pdf it is a database educationSQA_Unit 3.pdf it is a database education
SQA_Unit 3.pdf it is a database education
RAVALCHIRAG1
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Software testing methods, levels and types
Software testing methods, levels and typesSoftware testing methods, levels and types
Software testing methods, levels and types
Confiz
 

Similar to 6. Security Assessment and Testing (20)

AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
testing strategies and tactics
testing strategies and tactics testing strategies and tactics
testing strategies and tactics
 
SQA_Unit 3.pdf it is a database education
SQA_Unit 3.pdf it is a database educationSQA_Unit 3.pdf it is a database education
SQA_Unit 3.pdf it is a database education
 
penetration testing
penetration testingpenetration testing
penetration testing
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Manual Testing Types Used in Software Testing
Manual Testing Types Used in Software TestingManual Testing Types Used in Software Testing
Manual Testing Types Used in Software Testing
 
Software testing-and-analysis
Software testing-and-analysisSoftware testing-and-analysis
Software testing-and-analysis
 
Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Software testing
Software testingSoftware testing
Software testing
 
Software Quality
Software Quality Software Quality
Software Quality
 
Software testing methods, levels and types
Software testing methods, levels and typesSoftware testing methods, levels and types
Software testing methods, levels and types
 
Security testing
Security testingSecurity testing
Security testing
 
Pm 6 testing
Pm 6 testingPm 6 testing
Pm 6 testing
 
Pm 6 testing
Pm 6 testingPm 6 testing
Pm 6 testing
 
SENG202-v-and-v-modeling_121810.pptx
SENG202-v-and-v-modeling_121810.pptxSENG202-v-and-v-modeling_121810.pptx
SENG202-v-and-v-modeling_121810.pptx
 
What is penetration testing
What is penetration testingWhat is penetration testing
What is penetration testing
 
Software Quality Assurance
Software Quality AssuranceSoftware Quality Assurance
Software Quality Assurance
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 
Software Engineering (Software Quality Assurance & Testing: Supplementary Mat...
Software Engineering (Software Quality Assurance & Testing: Supplementary Mat...Software Engineering (Software Quality Assurance & Testing: Supplementary Mat...
Software Engineering (Software Quality Assurance & Testing: Supplementary Mat...
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)
 

More from Sam Bowne

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Recently uploaded

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 

Recently uploaded (20)

Asian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptxAsian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptx
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 

6. Security Assessment and Testing

  • 3. Penetration Testing • Authorized white hat hacker breaks into an organization
  • 4. Social Engineering • Exploiting the human mind • Often tricks the user into clicking a link • Zero-knowledge (black box) test • No information provided to attacker • Full-knowledge test • Provides pen tester with network diagram, policies and procedures, and sometimes results from previous pen testers • Partial-knowledge test
  • 5. Penetration Tester Tools and Methodology • Metasploit (open source) • Core Impact and Immunity Canvas (closed source) • Methodology
  • 6. Assuring Confidentiality, Data Integrity, and System Integrity • Pen testers must ensure confidentiality of data they access • Report should be treated as confidential
  • 7. Vulnerability Testing • Also called Vulnerability Scanning • Uses a tool like Nessus or OpenVAS • Finds vulnerabilities • Requires manual verification and assessment • Must be matched to real threats to find true risk
  • 8. Security Audit • Tests against a public standard • Such as PCI-DSS (Payment Card Industry Data Security Standard)
  • 9. Security Assessment • View many controls across multiple domains • Policies and procedures • Administrative controls • Change management • Other tests (pen tests, vuln assessments, security audits)
  • 10. Internal and Third Party Audits • Internal audits • Assessing adherence to policy • External audits • Require security professionals to play a role • Response and remediation to audit findings • Demonstrating mitigations
  • 11. Log Reviews • Easiest way to verify that access control mechanisms are working
  • 12. Centralized Logging • A central repository allows for more scalable security monitoring and intrusion detection • Syslog transmits log data in plaintext over UDP port 514 • Log retention • May be relevant to legal or regulatory compliance
  • 14. Software Testing Methods • Discovering programmer errors • Custom apps don't have a vendor providing security patches • Source code review helps • Two general approaches: • Static and dynamic analysis • Also manual code review • Pair programming is employed in agile programming shops
  • 15. Static and Dynamic Testing • Static testing: the code is not running • Review source code for insecure practices, unsafe functions, etc. • Unix program lint • Compiler warnings • Dynamic testing: while code is executing • White box testing: tester has source code • Black box: tester has no internal details
  • 16. Traceability Matrix • Maps customer requirements to software testing plan
  • 17. Synthetic Transactions • Simulating business activities • Often used for Web apps
  • 18. Software Testing Levels • Unit testing • Tests components like functions, procedures, or objects • Installation testing • Tests software as it is installed and first operated • Integration Testing • Testing multiple software components as they are combined into a working system
  • 19. Software Testing Levels • Regression testing • Testing softare after updates, modification, or patches • Acceptance testing • Testing to ensure the software meets the customer's requirements • When done by customer, called User Acceptance Testing
  • 20. Fuzzing • A type of black box testing • Sends random malformed data into software programs • To find crashes • A type of dynamic testing • Has found many flaws
  • 21. Combinatorial Software Testing • Seeks to identify and test all unique combinations of software inputs • Pairwise testing (also called all pairs testing)
  • 22. Misuse Case Testing • Formally model an adversary misusing the application • A more formal and commonly recognized way to consider negative security outcomes is threat modeling • Microsoft highlights it in their Security Development Lifecycle (SDL)
  • 23. Test Coverage Analysis • Identifies the degree to which code testing applies to the entire application • To ensure that there are no significant gaps
  • 24. Analyze and Report Test Outputs • Security test results are easy to produce • Actually improving security is much more difficult • Data must be analyzed to determine what action to take