Testing Practice
Security Testing
10/07/2013
Training Index
Public
▶ Introduction to Security Testing
▶ Need of Security Testing
▶ Security Testing – Basic Concepts
▶ Types of Security Testing
▶ Commercial and Open Source Tools
Introduction to Security Testing
▶ Security testing is an important process for ensuring that the systems and applications your organization uses meet its security policies and are free from any loopholes that could cause the organization a big loss.
▶ Security testing of a developed system (or one under development) is about finding all the potential loopholes and weaknesses of the system that might result in the loss or theft of highly sensitive information, or in the destruction of the system by an intruder or outsider.
▶ It helps find all possible vulnerabilities of the system and helps developers fix those problems.
▶ Security testing determines whether an application is capable of identifying security-related risks and averting possible attacks (e.g., a virus attack).
Background & Context: Software Is A Black Box
▶ Complex
• Millions of lines of code
• Layers of leaky abstractions
• Massively interconnected
▶ Compiled
• Difficult to reverse engineer
• Different on every platform
▶ Legal Protections
• No peeking
• We’re not liable
Need of Security Testing
▶ Security testing helps find loopholes that could cause the loss of important information or allow an intruder to enter the systems.
▶ It helps improve the current system and also helps ensure that the system will work for a longer time (or will work without hassles for its estimated lifetime).
▶ It covers not only the resistance of the systems your organization uses; it also ensures that people in your organization understand and obey security policies, hence adding to organization-wide security.
▶ If involved right from the first phase of the system development life cycle, it can help eliminate flaws in the design and implementation of the system and in turn help the organization block potential security loopholes at an early stage. This benefits the organization in almost all aspects (financially, in security, and even in effort).
Need of Security Testing
▶ In the cloud-enabled, highly networked world of modern computing, security is one of the most important facets of proper software engineering.
▶ The most important thing to understand about security is that it is not a bullet-point item. We cannot bolt it on at the end of the development process.
▶ You must consciously design security into your app or service from the very beginning and make it a conscious part of the entire process, from design through implementation, testing and release.
Security Testing: Basic Concepts
From a broad perspective, security testing can be divided into six basic concepts:
▶ Availability: Assuring that any information system that exists to serve a purpose is available when needed, and that its information and communication services are available and maintained for authorized persons when needed.
▶ Authentication: Assuring that a transaction or communication is happening between two or more authentic parties, and assuring the validity of any originator, transmission or message. This also gives confidence that information is received from a known and validated source.
▶ Authorization: Assuring that an intended individual can allow or deny access to a system, service or operation (e.g., access control).
Security Testing: Basic Concepts
▶ Confidentiality: Ensuring that only authorized persons or parties have access to the information, and preventing its disclosure to any party other than the intended recipients. Often ensured by encoding the information using algorithms (cryptography is one common example).
▶ Integrity: A measure intended to allow the receiver to determine that the information provided by a system is correct. Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually involve adding information to a communication to form the basis of an algorithmic check, rather than encoding all of the communication.
▶ Non-repudiation: Ensuring that a transferred message has been sent and received by the parties claiming to have sent and received it. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent it and that the recipient cannot deny having received it.
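The integrity bullet above, as an added example that is not part of the original deck: an HMAC-SHA256 tag is appended to a still-readable message as the "added information" the receiver checks, and any change to the message, the tag or the key is detected. The key and messages are constructed sample values; because sender and receiver share the key, this tag gives integrity but not non-repudiation, which would need a signature under a key only the sender holds.

```python
# Integrity via an appended HMAC tag (added example, not from the slides).
# Key and messages are constructed sample values.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

TAG_LEN = 32  # length in bytes of an HMAC-SHA256 tag

def protect(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag to the message. The message stays readable:
    this adds integrity (a check the receiver can run), not confidentiality."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag

def verify(key: bytes, protected: bytes) -> Optional[bytes]:
    """Split off the tag, recompute it and compare in constant time.
    Return the message if the tag matches, otherwise None."""
    if len(protected) < TAG_LEN:
        return None
    message, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return message if hmac.compare_digest(tag, expected) else None

def tamper(protected: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset to simulate corruption or modification."""
    data = bytearray(protected)
    data[offset] ^= 0x01
    return bytes(data)

def demo() -> Dict[str, bool]:
    """Run the integrity check against intact and modified inputs."""
    key = secrets.token_bytes(32)  # secret shared by sender and receiver
    message = b"transfer 100 to account 42"  # constructed sample message
    protected = protect(key, message)
    return {
        "intact": verify(key, protected) == message,
        "message_modified": verify(key, tamper(protected, 9)) is None,
        "tag_modified": verify(key, tamper(protected, len(protected) - 1)) is None,
        "wrong_key": verify(secrets.token_bytes(32), protected) is None,
        "message_still_readable": protected.startswith(message),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```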
Different Types of Security Testing
Different types of security testing are as follows:
▶ Security Auditing: Security auditing includes direct inspection of the developed application, the operating system and any system on which it is being developed. This also involves code walk-throughs.
▶ Security Scanning: This is all about scanning and verification of the system and applications. During security scanning, auditors inspect the OS, applications and network(s) and try to find their weaknesses.
▶ Vulnerability Scanning: Vulnerability scanning involves scanning the application for all known vulnerabilities. This is generally done with vulnerability scanning software.
▶ Ethical Hacking: A forced intrusion by an external element into the systems and applications under security testing. Ethical hacking involves a number of penetration tests over the wide network on the system under test.
Different Types of Security Testing
▶ Risk Assessment: Risk assessment is a method of analyzing and deciding the risk, which depends on the type of loss and the possibility/probability of the loss occurring. It is carried out in the form of various interviews, discussions and analysis of their findings. It helps identify potential risks and prepare possible backup plans for each of them, hence contributing to security conformance.
▶ Posture Assessment and Security Testing: This is a combination of security scanning, risk assessment and ethical hacking, carried out to reach a conclusive point and help your organization know where it stands with regard to security.
▶ Penetration Testing: In this type of testing, a tester tries to forcibly access and enter the application under test. The tester may try to enter the application or system with the help of some other application, or by combining loopholes that the application has unknowingly left open. Penetration testing is highly important as it is the most effective way to practically find potential loopholes in the application.
Tool Selection
▶ Selecting a black box test tool can be a challenging task due to the wide array
of available commercial vendors and open source projects in this area. There
are a number of high-level considerations that you should contemplate before
selecting a tool that is useful for your specific application and organization:
• test coverage and completeness
• accuracy or “false-positive” rate
• capacity and “freshness” of vulnerability database
• ability to create custom tests
• ease of use
• reporting capabilities
• cost
A Few Commercial & Open Source Tools
▶ The following is a sample of commercially available application security black box test tools. The list is intended to familiarize the reader with various tools on the market and to encourage the reader to conduct an independent review of application security tool capabilities.
• Cenzic Hailstorm
• IBM (formerly Internet Security Systems) Internet Security Scanner
• NT Objectives NTOSpider
• IBM (formerly Watchfire and Sanctum) AppScan
• Security Innovation (Holodeck)
• HP (formerly SPI Dynamics) WebInspect, DevInspect
▶ Open Source/Freeware
The following is a brief sample list of open source and freeware application
security scanning and testing tools.
• Nikto
• Odysseus
• Paros Proxy
• SPIKE
Thank you
Atos, the Atos logo, Atos Consulting, Atos Worldline, Atos Sphere,
Atos Cloud and Atos WorldGrid
are registered trademarks of Atos SA. June 2011
© 2013 Atos. Confidential information owned by Atos, to be used by
the recipient only. This document, or any part of it, may not be
reproduced, copied, circulated and/or distributed nor quoted without
prior written approval from Atos.