Domain 6: Security Assessment & Testing (Weightage 12%)

Security assessment and testing are critical components of any information security program. Overall security assessments, includes vulnerability scanning, penetration testing, security audits; and testing software via static and dynamic methods.

A penetration tester is a white hat hacker who receives authorization to attempt to break into an organization’s physical or electronic perimeter. The penetration tests includes tests of Network internet, internal or DMZ, wireless, war dialing, and physical access. A zero-knowledge test, also called black-box test, is “blind”; the penetration tester begins with no external or trusted information and begins the attack with public information only. A full-knowledge test (also called crystal-box test) provides internal information to the penetration tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers. Partial-knowledge tests are in between zero and full knowledge; the penetration tester receives some limited trusted information. Penetration testers must ensure the confidentiality of any sensitive data that is accessed during the test. Penetration testers must ensure the system integrity and data integrity of their client’s systems.

Next it covers Vulnerability Testing or scanning which is to scan a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching. A security audit is a test against a published standard. Organizations may be audited for Payment Card Industry Data Security Standard (PCI DSS) compliance. Security assessments are a holistic approach to assessing the effectiveness of access control. Reviewing security audit logs within an IT system is one of the easiest ways to verify that access control mechanisms are performing adequately and acts as detective control.

Next it discusses about Software Testing methods which is basically testing the features and stability of the software, testing increasingly focuses on discovering specific programmer errors leading to vulnerabilities that risk system compromise, including a lack of bounds checking. Static testing tests the code passively; the code is not running. This includes walkthroughs, syntax checking, and code reviews. Dynamic testing tests the code while executing it. With dynamic testing, security checks are performed while actually running or executing the code or application under review. A traceability matrix, sometimes called a requirements traceability matrix (RTM), can be used to map customers’ requirements to the software testing plan; it traces the requirements and ensures that they are being met.

It covers Fuzz testing which is a type of black-box testing that submits random, malformed data as inputs into software programs to determine if they will crash. Misuse case testing leverages use cases for applications, which spell out how various functionalities will be leveraged within an application. Combinatorial software testing is a black-box testing method that seeks to identify and test all unique combinations of software inputs. Test or code coverage analysis attempts to identify the degree to which code testing applies to the entire application. Interface testing is primarily concerned with appropriate functionality being exposed across all the ways users can interact with the application.

AUTHOR
InfoSec Support