Security Assessments & Testing
  Software Testing
    Code / Peer Review
      E.g. Fagan inspection
        rigid process with fixed steps
          Planning
          Overview
          Preparation
          Inspection
          Rework
          Follow-up
    Software Testing types
      Static
        review code using automated tools
      Dynamic
        uses web scanning tools to assess software security against XSS, etc.
      Fuzz
        stress-tests software with invalid input
        triggers software issues, e.g. buffer overflow, format string vulnerability
        Types
          Mutation
            aka dumb fuzzing
            uses & manipulates input values from past operations
            e.g. tool = zzuf
          Generational
            aka intelligent fuzzing
            creates new fuzz input
      Misuse Case
      Interface
        Types of interface testing
          API (application programming interface)
          User Interface
          Physical Interface
  Security Assessments
    comprehensive system review
    uses both internal assessors (target org's security team) & external assessors (accounting firms like Ernst & Young, PwC, KPMG, etc.)
    Risk assessments
      Identify vulnerabilities via
        security testing tools such as
          automated scans
          manual pen scans
        Network Discovery Scan
          Provides a list of exposed ports on the target network
          Unable to detect zero-day vulnerabilities
          Scanning Methods
            XMAS
            TCP ACK
            TCP SYN
            TCP Connect
          Sample tool
            Nmap (open-source software from 1997)
        Network vulnerability scan
          Probes for network vulnerabilities
          Result types
            false positive
            false negative
          Sample tools
            Nessus
            QualysGuard
            Nexpose
            Aircrack
              Used strictly for wireless networks
            OpenVAS (open source)
        Web vulnerability scan
        DB vulnerability scan
        Website monitoring
          scanner tools used
            Nessus (Tenable.sc)
            Acunetix
            Nikto
            Wapiti
            Burp Suite proxy tool
          Website monitoring types
            Passive
              analyzes network traffic in real time
              E.g. Real User Monitoring (RUM)
            Synthetic/Active
              generates simulated transactions against the website
      Vulnerability description
      Recommend fixes/remediation
      Review value of target environment
      Review threat environment
      Assess current & future risks
      Vulnerability Management, which uses the workflow below
        Detection
        Validation & prioritization of issues based on severity level and SLA
        Remediation
    Audits
      Similar to security assessments but restricted to independent auditors for an impartial review of a system's controls
      In general, audits can be internal, external or third-party/independent
      Types of Auditors
        Internal
        External
        Third-party/independent
          rely on the AICPA (American Institute of Certified Public Accountants) standard SSAE 16 for reporting on controls
    Standard used by assessors
      NIST SP 800-53A states that
        assessors should review the specifications/documents (policy, procedure, design, requirements for the target system)
        review the software/hardware/firmware control mechanisms for the target system
        review admin duties/activities, e.g. backup, log file exports, account management
        interview admins about their roles & responsibilities
  Security Tests
    Assess control functionality via
      Design & validation of a testing strategy to ensure CIA (confidentiality, integrity, availability) is maintained at all times
      Routinely implement security tests
        frequent automated scans
        annual pen tests
        manual hacking
      Review results of the testing effort