SlideShare a Scribd company logo

CISSP Prep: Ch 7. Security Assessment and Testing

Sam Bowne, profile picture
Sam Bowne

The document discusses various methods for assessing security controls and testing systems, including penetration testing, social engineering, vulnerability testing, security audits, and software testing methods. It covers topics like penetration testing tools and methodology, assuring data confidentiality, different types of audits and reviews, and levels of software testing from unit to acceptance. Static and dynamic analysis are introduced as approaches to software security testing.

Education
1 of 24
Downloaded 299 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
CNIT 125: Information Security Professional (CISSP Preparation) Ch 7. Security Assessment and Testing
Assessing Access Control
Penetration Testing • Authorized white hat hacker breaks into an organization
Social Engineering • Exploiting the human mind • Often tricks the user into clicking a link • Zero-knowledge (black box) test • No information provided to attacker • Full-knowledge test • Provides pen tester with network diagram, policies and procedures, and sometimes results from previous pen testers • Partial-knowledge test
Penetration Tester Tools and Methodology • Metasploit (open source) • Core Impact and Immunity Canvas (closed source) • Methodology
Assuring Confidentiality, Data Integrity, and System Integrity • Pen testers must ensure confidentiality of data they access • Report should be treated as confidential
Vulnerability Testing • Also called Vulnerability Scanning • Uses a tool like Nessus or OpenVAS • Finds vulnerabilities • Requires manual verification and assessment • Must be matched to real threats to find true risk
Security Audit • Tests against a public standard • Such as PCI-DSS (Payment Card Industry Data Security Standard)
Security Assessment • View many controls across multiple domains • Policies and procedures • Administrative controls • Change management • Other tests (pen tests, vuln assessments, security audits)
Internal and Third Party Audits • Internal audits • Assessing adherence to policy • External audits • Require security professionals to play a role • Response and remediation to audit findings • Demonstrating mitigations
Log Reviews • Easiest way to verify that access control mechanisms are working
Centralized Logging • A central repository allows for more scalable security monitoring and intrusion detection • Syslog transmits log data in plaintext over UDP port 514 • Log retention • May be relevant to legal or regulatory compliance
Software Testing Methods
Software Testing Methoda • Discovering programmer errors • Custom apps don't have a vendor providing security patches • Source code review helps • Two general approaches: • Static and dynamic analysis • Also manual code review • Pair programming is employed in agile programming shops
Static and Dynamic Testing • Static testing: the code is not running • Review source code for insecure practices, unsafe functions, etc. • Unix program lint • Compiler warnings • Dynamic testing: while code is executing • White box testing: tester has source code • Black box: tester has no internal details
Traceability Matrix • Maps customer requirements to software testing plan
Synthetic Transactions • Simulating business activities • Often used for Web apps
Software Testing Levels • Unit testing • Tests components like functions, procedures, or objects • Installation testing • Tests software as it is installed and first operated • Integration Testing • Testing multiple software components as they are combined into a working system
Software Testing Levels • Regression testing • Testing softare after updates, modification, or patches • Acceptance testing • Testing to ensure the software meets the customer's requirements • When done by customer, called User Acceptance Testing
Fuzzing • A type of black box testing • Sends random malformed data into software programs • To find crashes • A type of dynamic testing • Has found many flaws
Combinatorial Software Testing • Seeks to identify and test all unique combinations of software inputs • Pairwise testing (also called all pairs testing)
Misuse Case Testing • Formally model an adversary misusing the application • A more formal and commonly recognized way to consider negative security outcomes is threat modeling • Microsoft highlights it in their Security Development Lifecycle (SDL)
Test Coverage Analysis • Identifies the degree to which code testing applies to the entire application • To ensure that there are no significant gaps
Analyze and Report Test Outputs • Security test results are easy to produce • Actually improving security is much more difficult • Data must be analyzed to determine what action to take

More Related Content

PPTX
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
PPTX
CISSP - Security Assessment
Karthikeyan Dhayalan
 
PPTX
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
PPT
Info Security - Vulnerability Assessment
Marcelo Silva
 
PPTX
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
PDF
Nessus Software
Megha Sahu
 
PDF
Network Architecture Review Checklist
Eberly Wilson
 
PPTX
INFORMATION SECURITY
Ahmed Moussa
 
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
CISSP - Security Assessment
Karthikeyan Dhayalan
 
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
Info Security - Vulnerability Assessment
Marcelo Silva
 
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
Nessus Software
Megha Sahu
 
Network Architecture Review Checklist
Eberly Wilson
 
INFORMATION SECURITY
Ahmed Moussa
 

What's hot (20)

PDF
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
PDF
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Websecurify
 
PPTX
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
PPTX
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
PPTX
OpenVAS
svm
 
PPTX
IBM Security QRadar
Virginia Fernandez
 
PPTX
CISSP - Software Development Security
Karthikeyan Dhayalan
 
PPTX
What is Penetration Testing?
btpsec
 
PDF
Vulnerability and Patch Management
n|u - The Open Security Community
 
PDF
Cyber security and demonstration of security tools
Vicky Fernandes
 
PPT
Malware Analysis Made Simple
Paul Melson
 
PPT
Application Security
Reggie Niccolo Santos
 
PDF
Threat Modeling Using STRIDE
Girindro Pringgo Digdo
 
PDF
Data Privacy & Security
Eryk Budi Pratama
 
PDF
INCIDENT RESPONSE NIST IMPLEMENTATION
Sylvain Martinez
 
PPTX
Security testing
Khizra Sammad
 
PPTX
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
PPTX
System hardening - OS and Application
edavid2685
 
DOCX
Requirement for creating a Penetration Testing Lab
Syed Ubaid Ali Jafri
 
PPTX
Basic Dynamic Analysis of Malware
Natraj G
 
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
Secure Coding - Web Application Security Vulnerabilities and Best Practices
Websecurify
 
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
OpenVAS
svm
 
IBM Security QRadar
Virginia Fernandez
 
CISSP - Software Development Security
Karthikeyan Dhayalan
 
What is Penetration Testing?
btpsec
 
Vulnerability and Patch Management
n|u - The Open Security Community
 
Cyber security and demonstration of security tools
Vicky Fernandes
 
Malware Analysis Made Simple
Paul Melson
 
Application Security
Reggie Niccolo Santos
 
Threat Modeling Using STRIDE
Girindro Pringgo Digdo
 
Data Privacy & Security
Eryk Budi Pratama
 
INCIDENT RESPONSE NIST IMPLEMENTATION
Sylvain Martinez
 
Security testing
Khizra Sammad
 
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
System hardening - OS and Application
edavid2685
 
Requirement for creating a Penetration Testing Lab
Syed Ubaid Ali Jafri
 
Basic Dynamic Analysis of Malware
Natraj G
 
Ad

Viewers also liked (20)

PDF
CISSP Prep: Ch 4. Security Engineering (Part 1)
Sam Bowne
 
PDF
CISSP Prep: Ch 3. Asset Security
Sam Bowne
 
PDF
CISSP Prep: Ch 9. Software Development Security
Sam Bowne
 
PDF
CISSP Prep: Ch 6. Identity and Access Management
Sam Bowne
 
PDF
CISSP Prep: Ch 2. Security and Risk Management I (part 2)
Sam Bowne
 
PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
PDF
CISSP Prep: Ch 8. Security Operations
Sam Bowne
 
PDF
CISSP Prep: Ch 4. Security Engineering (Part 2)
Sam Bowne
 
PDF
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
Sam Bowne
 
PDF
CISSP Prep: Ch 5. Communication and Network Security (Part 2)
Sam Bowne
 
PPTX
CISSP Certification-Asset Security
Hamed Moghaddam
 
PDF
CNIT 127: Ch 8: Windows overflows (Part 2)
Sam Bowne
 
PDF
CNIT 140: Perimeter Security
Sam Bowne
 
PDF
CNIT 123: Ch 1 Ethical Hacking Overview
Sam Bowne
 
PDF
CNIT 126 5: IDA Pro
Sam Bowne
 
PDF
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
Sam Bowne
 
PPTX
Cissp- Security and Risk Management
Hamed Moghaddam
 
PDF
Slide Deck CISSP Class Session 6
FRSecure
 
PDF
Slide Deck - CISSP Mentor Program Class Session 1
FRSecure
 
PPT
4.Security Assessment And Testing
phanleson
 
CISSP Prep: Ch 4. Security Engineering (Part 1)
Sam Bowne
 
CISSP Prep: Ch 3. Asset Security
Sam Bowne
 
CISSP Prep: Ch 9. Software Development Security
Sam Bowne
 
CISSP Prep: Ch 6. Identity and Access Management
Sam Bowne
 
CISSP Prep: Ch 2. Security and Risk Management I (part 2)
Sam Bowne
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
CISSP Prep: Ch 8. Security Operations
Sam Bowne
 
CISSP Prep: Ch 4. Security Engineering (Part 2)
Sam Bowne
 
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
Sam Bowne
 
CISSP Prep: Ch 5. Communication and Network Security (Part 2)
Sam Bowne
 
CISSP Certification-Asset Security
Hamed Moghaddam
 
CNIT 127: Ch 8: Windows overflows (Part 2)
Sam Bowne
 
CNIT 140: Perimeter Security
Sam Bowne
 
CNIT 123: Ch 1 Ethical Hacking Overview
Sam Bowne
 
CNIT 126 5: IDA Pro
Sam Bowne
 
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
Sam Bowne
 
Cissp- Security and Risk Management
Hamed Moghaddam
 
Slide Deck CISSP Class Session 6
FRSecure
 
Slide Deck - CISSP Mentor Program Class Session 1
FRSecure
 
4.Security Assessment And Testing
phanleson
 
Ad

Similar to CISSP Prep: Ch 7. Security Assessment and Testing (20)

PPT
testing strategies and tactics
Preeti Mishra
 
PDF
AppSec in an Agile World
David Lindner
 
PDF
penetration testing
Shitesh Sachan
 
PDF
SQA_Unit 3.pdf it is a database education
RAVALCHIRAG1
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PPTX
Manual Testing Types Used in Software Testing
seojayeshts
 
PPTX
Software Engg - Wk 11 - Lec 12 - Software_Testing Part-1.pptx
241579
 
PDF
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
PPT
Software testing-and-analysis
WBUTTUTORIALS
 
PPT
System Testing by system analysis design.ppt
ekhon247
 
PPTX
Software testing
nidhip216
 
PPT
Software Quality
Danial Mirza
 
PPTX
What is penetration testing
sakshisoni076
 
PDF
Software testing methods, levels and types
Confiz
 
PPTX
Security testing
Rihab Chebbah
 
PDF
Pm 6 testing
Radiant Minds
 
PDF
Pm 6 testing
Radiant Minds
 
PPTX
SENG202-v-and-v-modeling_121810.pptx
MinsasWorld
 
PPTX
Software Quality Assurance
Saqib Raza
 
PDF
manualtesting-170218090020 (1).pdf
peramdevi06
 
testing strategies and tactics
Preeti Mishra
 
AppSec in an Agile World
David Lindner
 
penetration testing
Shitesh Sachan
 
SQA_Unit 3.pdf it is a database education
RAVALCHIRAG1
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Manual Testing Types Used in Software Testing
seojayeshts
 
Software Engg - Wk 11 - Lec 12 - Software_Testing Part-1.pptx
241579
 
Top Security Challenges Facing Credit Unions Today
Chris Gates
 
Software testing-and-analysis
WBUTTUTORIALS
 
System Testing by system analysis design.ppt
ekhon247
 
Software testing
nidhip216
 
Software Quality
Danial Mirza
 
What is penetration testing
sakshisoni076
 
Software testing methods, levels and types
Confiz
 
Security testing
Rihab Chebbah
 
Pm 6 testing
Radiant Minds
 
Pm 6 testing
Radiant Minds
 
SENG202-v-and-v-modeling_121810.pptx
MinsasWorld
 
Software Quality Assurance
Saqib Raza
 
manualtesting-170218090020 (1).pdf
peramdevi06
 

More from Sam Bowne (20)

PDF
Introduction to the Class & CISSP Certification
Sam Bowne
 
PDF
Cyberwar
Sam Bowne
 
PDF
3: DNS vulnerabilities
Sam Bowne
 
PDF
8. Software Development Security
Sam Bowne
 
PDF
4 Mapping the Application
Sam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
PDF
12 Elliptic Curves
Sam Bowne
 
PDF
11. Diffie-Hellman
Sam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
Sam Bowne
 
PDF
9 Writing Secure Android Applications
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
PDF
10 RSA
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
PDF
9. Hard Problems
Sam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
Sam Bowne
 
PDF
11 Analysis Methodology
Sam Bowne
 
PDF
8. Authenticated Encryption
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
Sam Bowne
 
PDF
5. Stream Ciphers
Sam Bowne
 
Introduction to the Class & CISSP Certification
Sam Bowne
 
Cyberwar
Sam Bowne
 
3: DNS vulnerabilities
Sam Bowne
 
8. Software Development Security
Sam Bowne
 
4 Mapping the Application
Sam Bowne
 
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
12 Elliptic Curves
Sam Bowne
 
11. Diffie-Hellman
Sam Bowne
 
2a Analyzing iOS Apps Part 1
Sam Bowne
 
9 Writing Secure Android Applications
Sam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
10 RSA
Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
9. Hard Problems
Sam Bowne
 
8 Android Implementation Issues (Part 1)
Sam Bowne
 
11 Analysis Methodology
Sam Bowne
 
8. Authenticated Encryption
Sam Bowne
 
7. Attacking Android Applications (Part 2)
Sam Bowne
 
7. Attacking Android Applications (Part 1)
Sam Bowne
 
5. Stream Ciphers
Sam Bowne
 

Recently uploaded (20)

PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
PDF
Basic Mud Logging Guide for educational purpose
wdandworks
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PDF
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
PPTX
Institutional Correction lecture only . . .
limvtheghins
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PDF
Pre independence Education in Inndia.pdf
goofy5603
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
Week 4 Term 3 Study Techniques revisited.pptx
mansk2
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Rajshri Ghogare
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
Basic Mud Logging Guide for educational purpose
wdandworks
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
 
Institutional Correction lecture only . . .
limvtheghins
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
Pre independence Education in Inndia.pdf
goofy5603
 

CISSP Prep: Ch 7. Security Assessment and Testing

  • 3. Penetration Testing • Authorized white hat hacker breaks into an organization
  • 4. Social Engineering • Exploiting the human mind • Often tricks the user into clicking a link • Zero-knowledge (black box) test • No information provided to attacker • Full-knowledge test • Provides pen tester with network diagram, policies and procedures, and sometimes results from previous pen testers • Partial-knowledge test
  • 5. Penetration Tester Tools and Methodology • Metasploit (open source) • Core Impact and Immunity Canvas (closed source) • Methodology
  • 6. Assuring Confidentiality, Data Integrity, and System Integrity • Pen testers must ensure confidentiality of data they access • Report should be treated as confidential
  • 7. Vulnerability Testing • Also called Vulnerability Scanning • Uses a tool like Nessus or OpenVAS • Finds vulnerabilities • Requires manual verification and assessment • Must be matched to real threats to find true risk
  • 8. Security Audit • Tests against a public standard • Such as PCI-DSS (Payment Card Industry Data Security Standard)
  • 9. Security Assessment • View many controls across multiple domains • Policies and procedures • Administrative controls • Change management • Other tests (pen tests, vuln assessments, security audits)
  • 10. Internal and Third Party Audits • Internal audits • Assessing adherence to policy • External audits • Require security professionals to play a role • Response and remediation to audit findings • Demonstrating mitigations
  • 11. Log Reviews • Easiest way to verify that access control mechanisms are working
  • 12. Centralized Logging • A central repository allows for more scalable security monitoring and intrusion detection • Syslog transmits log data in plaintext over UDP port 514 • Log retention • May be relevant to legal or regulatory compliance
  • 14. Software Testing Methoda • Discovering programmer errors • Custom apps don't have a vendor providing security patches • Source code review helps • Two general approaches: • Static and dynamic analysis • Also manual code review • Pair programming is employed in agile programming shops
  • 15. Static and Dynamic Testing • Static testing: the code is not running • Review source code for insecure practices, unsafe functions, etc. • Unix program lint • Compiler warnings • Dynamic testing: while code is executing • White box testing: tester has source code • Black box: tester has no internal details
  • 16. Traceability Matrix • Maps customer requirements to software testing plan
  • 17. Synthetic Transactions • Simulating business activities • Often used for Web apps
  • 18. Software Testing Levels • Unit testing • Tests components like functions, procedures, or objects • Installation testing • Tests software as it is installed and first operated • Integration Testing • Testing multiple software components as they are combined into a working system
  • 19. Software Testing Levels • Regression testing • Testing softare after updates, modification, or patches • Acceptance testing • Testing to ensure the software meets the customer's requirements • When done by customer, called User Acceptance Testing
  • 20. Fuzzing • A type of black box testing • Sends random malformed data into software programs • To find crashes • A type of dynamic testing • Has found many flaws
  • 21. Combinatorial Software Testing • Seeks to identify and test all unique combinations of software inputs • Pairwise testing (also called all pairs testing)
  • 22. Misuse Case Testing • Formally model an adversary misusing the application • A more formal and commonly recognized way to consider negative security outcomes is threat modeling • Microsoft highlights it in their Security Development Lifecycle (SDL)
  • 23. Test Coverage Analysis • Identifies the degree to which code testing applies to the entire application • To ensure that there are no significant gaps
  • 24. Analyze and Report Test Outputs • Security test results are easy to produce • Actually improving security is much more difficult • Data must be analyzed to determine what action to take