CAP 15 Security assessment and testing
  Building a security assessment and testing program
    security tests (run on a regular schedule)
    security assessments (include a thoughtful review of the threat environment; they produce an assessment report for management)
    security audits (similar to security assessments but performed by a third party)
      internal audits
      external audits (performed by an outside auditing firm)
      third-party audits (conducted by another organization)
      auditing standards (COBIT, ISO 27001 and ISO 27002)
  Performing vulnerability assessment
    Describing vulnerabilities
      SCAP
        CVE
        CVSS
        CCE
        CPE
        XCCDF
        OVAL
    vulnerability scans
      network discovery (e.g. nmap)
        TCP SYN scanning
        TCP connect scanning
        TCP ACK scanning
        Xmas scanning
        nmap: a port can be open, closed (nothing listening) or filtered (by a firewall)
      network vulnerability assessment (e.g. Nessus)
      web application VA
      database VA (e.g. sqlmap)
    vulnerability management workflow
      detection
      validation
      remediation
    penetration testing (attempts to exploit systems)
      white-box PT
      gray-box PT
      black-box PT
  Testing your software
    Code review (peer review, Fagan inspections)
    static testing
    dynamic testing
      mutation fuzzing
      generational fuzzing
    interface testing
    misuse case testing
  Implementing security management processes
    log reviews (SIEM)
    account management
    backup verification
    key performance and risk indicators