Chapter 15 - Building a Security Assessment and Testing Program
Three major components of a security assessment program
1. Security Tests
2. Security Assessments
3. Security Audits
Generational fuzzing
A form of fuzzing that develops inputs based on models of expected inputs to perform the same task. This is also sometimes called intelligent fuzzing.
Mutation fuzzing
A form of fuzzing that modifies known inputs to generate synthetic inputs that may trigger unexpected behavior. Also known as dumb fuzzing.
Misuse Case Testing
A process used by software testers to evaluate the vulnerability of their software to known risks. Testers first enumerate the known misuse cases and then attempt to exploit those use cases with manual and/or automated attack techniques. Also known as abuse case testing.
Authenticated scan
A security scanner is granted authenticated read-only access to the servers being scanned (typically via a user account) and can use this access to read configuration information from the target system and use that information when analyzing vulnerability testing results.
Fuzz Testing
A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities. The fuzz tester then monitors the performance of the application, watching for software crashes, buffer overflows, or other undesirable and/or unpredictable outcomes. The zzuf tool can be used to perform fuzz testing.
Vulnerability scan
A test performed on a system to find weaknesses in the security infrastructure. Vulnerability scans automatically probe systems, applications, and networks looking for weaknesses that may be exploited by an attacker. The scanning tools used in these tests provide quick point-and-click tests that perform otherwise tedious tasks without requiring manual intervention. Three types:
1. Network discovery scans (e.g., Nmap)
2. Network vulnerability scans (e.g., Nessus); results must be checked for false positives and false negatives
3. Web application vulnerability scans (e.g., Nessus)
Penetration test
An activity used to test the strength and effectiveness of deployed security measures with an authorized, attempted intrusion attack. Penetration testing should be performed only with the consent and knowledge of the management staff. A common tool is Metasploit. Three types:
1. White Box (Full-Knowledge)
2. Gray Box (Partial-Knowledge)
3. Black Box (Zero-Knowledge)
Security Assessments
Comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed.
Code Review
Developers other than the one who wrote the code review it for defects. The most common formal method is the Fagan inspection, which has six steps:
1. Planning
2. Overview
3. Preparation
4. Inspection
5. Rework
6. Follow-up
Dynamic Testing
Evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications written by someone else.
Static Testing
Evaluates the security of software without running it by analyzing either the source code or the compiled application.
Security Audits
Evaluations performed with the purpose of demonstrating the effectiveness of controls to a third party. Security audits use many of the same techniques followed during security assessments but must be performed by independent auditors. The staff members who design, implement, and monitor controls for an organization have an inherent conflict of interest when evaluating the effectiveness of those controls.
Ports
FTP: 21
SSH: 22
Telnet: 23
SMTP: 25
DNS: 53
HTTP: 80
POP3: 110
NTP: 123
HTTPS: 443
Microsoft SQL Server: 1433
Oracle: 1521
H.323: 1720
PPTP: 1723
RDP: 3389
Interface testing
Interface testing assesses the performance of modules against the interface specifications to ensure that they will work together properly when all of the development efforts are complete. Three types of interfaces should be tested:
1. Application Programming Interfaces (APIs)
2. User Interfaces (UIs), both GUI and command line
3. Physical Interfaces
Internal audits
Performed by an organization's internal audit staff and typically intended for internal audiences.
External audits
Performed by an outside auditing firm.
Security Tests
Security tests verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security. Security testing should take place on a regular schedule, with attention paid to each of the key security controls protecting an organization.
Bit flipping
The activity of changing a bit to its opposite value. A technique commonly used in fuzzing to slightly modify input data.
Test Coverage Analysis
Used to estimate the degree of testing conducted against the new software.