CISSP Domain 6 - Security Assessment and Testing

Security Testing

Verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests and manual attempts to undermine security. Security testing should take place on a regular schedule, with attention paid to each of the key

Security Assessments

Are comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment

Security Audits

Use many of the same techniques followed during security assessments but must be performed by independent auditors. While an organization's security staff may routinely perform security tests and assessments, this is not the case for audits. Assessment an

Internal Audits

Are performed by an organization's internal audit staff and are typically intended for internal audiences. The internal audit staff performing these audits normally have a reporting line that is completely independent of the functions they evaluate. In ma

External audits

Are performed by an outside auditing firm. These audits have a high degree of external validity because the auditors performing the assessment theoretically have no conflict of interest with the organization itself.

Vulnerability Assessments

Vulnerability assessments are some of the most important testing tools in the information security professional's toolkit. Vulnerability scans and penetration tests provide security professionals with a perspective on the weaknesses in a system or applica

Vulnerability Scans

Automatically probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker. The scanning tools used in these tests provide quick, point-and-click tests that perform otherwise tedious tasks without requiring manual

Three Main Categories of Vulnerability Scans

Network discovery scans, network vulnerability scans, and web application vulnerability scans.

Network Discovery Scanning

Uses a variety of techniques to scan a range of IP addresses, searching for systems with open network ports. Network discovery scanners do not actually probe systems for vulnerabilities but provide a report showing the systems detected on a network and th

TCP SYN Scanning

Type of Network Discovery Scanning. Sends a single packet to each scanned port with the SYN flag set. This indicates a request to open a new connection. If the scanner receives a response that has the SYN and ACK flags set, this indicates that the system i

TCP Connect Scanning

Type of Network Discovery Scanning. Opens a full connection to the remote system on the specified port. This scan type is used when the user running the scan does not have the necessary permissions to run a half-open scan.

TCP ACK Scanning

Type of Network Discovery Scanning. Sends a packet with the ACK flag set, indicating that it is part of an open connection.

Xmas Scanning

Type of Network Discovery Scanning. Sends a packet with the FIN, PSH, and URG flags set. A packet with so many flags set is said to be "lit up like a Christmas tree," leading to the scan's name.

For ports where nmap detects a result, it provides the current status of that port:

Open - The port is open on the remote system and there is an application that is actively accepting connections on that port.
Closed - The port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application a

Network Vulnerability Scanning

Go deeper than discovery scans. They don't stop with detecting open ports but continue on to probe a targeted system or network for the presence of known vulnerabilities. These tools contain databases of thousands of known vulnerabilities, along with test

Web Vulnerability Scanning

Are special-purpose tools that scour web applications for known vulnerabilities. They play an important role in any security testing program because they may discover flaws not visible to network vulnerability scanners. Network vulnerability scans general

Penetration Testing

Goes beyond vulnerability testing techniques because it actually attempts to exploit systems. When performing a penetration test, the security professional typically targets a single system or set of systems and uses many different techniques to gain acce

White Box Penetration Test (Full Knowledge)

Provides the attackers with detailed information about the systems they target. This bypasses many of the reconnaissance steps that normally precede attacks, shortening the time of the attack and increasing the likelihood that it will find security flaws.

Gray Box Penetration Test (Partial Knowledge)

Also known as partial knowledge tests, these are sometimes chosen to balance the advantages and disadvantages of white and black box penetration tests. This is particularly common when black box results are desired but costs or time constraints mean that

Black Box Penetration Test (Zero Knowledge)

Does not provide attackers with any information prior to the attack. This simulates an external attacker trying to gain access to information about the business and technical environment before engaging in an attack.

Requirements for Penetration Testing

Senior management must provide the goal and approval of the assessment
Documentation of the rules of engagement

Purpose of Penetration Testing

Determine the subject's ability to withstand an attack and the effectiveness of current security measures.

Testing and Reporting

The tester should not be the one suggesting remediation; their role is only to find and exploit vulnerabilities.

IDS Requirement

Needs an interface in "promiscuous" mode, meaning the network card can capture all traffic. Also, the port on the switch must be in port span (port mirroring) mode so the sensor receives all traffic passing through the switch.

Advantage of HIDS

Can evaluate data after it has been decrypted. A NIDS cannot read traffic while it is traveling across the network encrypted.

IDS Analysis Engines

Signature Based (Pattern matching) - Looking for matches to signatures. Must keep updated. Not successful against 0-day attacks.
Anomaly/Behavior/Heuristics (Profile Matching) - Looks for changes in normal behavior. Can have lots of false positives.

Software Security

Important because:
Software applications often have privileged access to the operating system, hardware, and other resources.
Software applications routinely handle sensitive information, including credit card numbers, Social Security Numbers, and proprie

Code Review

One of the most critical components of a software testing program and the foundation of software assessment programs. During a code review, also known as a "peer review," developers other than the one who wrote the code review it for defects.

Fagan inspections

The most formal code review process. Contains 6 steps:
1. Planning
2. Overview
3. Preparation
4. Inspection
5. Rework
6. Follow-up
Most organizations use less rigorous peer code review processes instead.

Peer Code Review Measures

Developers walking through their code in a meeting with one or more other team members
A senior developer performing manual code review and signing off on all code before moving to production
Use of automated review tools to detect common application flaws

Static Testing

Evaluates the security of software without running it by analyzing either the source code or the compiled application. Static analysis usually involves the use of automated tools designed to detect common software flaws, such as buffer overflows. In matur

Dynamic Testing

Evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else. In those cases, testers often do not have access to the underlying source code. One common example o

Synthetic Transactions

These are scripted transactions with known expected results. The testers run the synthetic transactions against the tested code and then compare the output of the transactions to the expected state. Any deviations between the actual and expected results r

Fuzz Testing

Is a specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specia

Mutation (Dumb) Fuzzing

Takes previous input values from actual operation of the software and manipulates (or mutates) them to create fuzzed input. It might alter the characters of the content, append strings to the end of the content, or perform other data manipulation techniques.

Generational (Intelligent) Fuzzing

Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.

Interface Testing

Is an important part of the development of complex software systems. In many cases, multiple teams of developers work on different parts of a complex application that must function together to meet business objectives. The handoffs between these separatel

Application Programming Interfaces (APIs)

Interface that should be tested. Offer a standardized way for code modules to interact and may be exposed to the outside world through web services. Developers must test APIs to ensure that they enforce all security requirements.

User Interfaces (UIs)

Interface that should be tested. Examples include graphical user interfaces (GUIs) and command-line interfaces. UIs provide end users with the ability to interact with the software. Interface tests should include reviews of all user interfaces to verify tha

Physical Interfaces

Interface that should be tested. Exist in some applications that manipulate machinery, logic controllers, or other objects in the physical world. Software testers should pay careful attention to physical interfaces because of the potential consequences if

Misuse Case Testing or Abuse Case Testing

For example, users of banking software might try to manipulate input strings to gain access to another user's account. They might also try to withdraw funds from an account that is already overdrawn.
Misuse case testing or abuse case testing is used to ev

Test Coverage Analysis

Used to estimate the degree of testing conducted against the new software.

Account Management

Account management reviews ensure that users only retain authorized permissions and that unauthorized modifications do not occur. Account management reviews may be a function of information security management personnel or internal auditors.
One way to pe

Key Performance and Risk Indicators

The exact metrics an organization monitors will vary from organization to organization but may include the following:
Number of open vulnerabilities
Time to resolve vulnerabilities
Number of compromised accounts
Number of software flaws detected in preproduction scan