Tools for Security Testing


Security Testing Tools: When, What Kind and Where

Due to cloud and mobile computing, new security breaches occur daily as holes are discovered and exploited.

Due to cloud and mobile computing, devices, data and their new usage contexts are a great concern for security testing, as new security breaches occur daily when holes are discovered and exploited. Conducting security testing requires an in-depth understanding of several different fields, such as system architecture, communication protocols, and encryption and decryption. Since it is impossible to be an expert in all of these fields, security tools are used to supplement knowledge and save time. Tools can be used to support testing processes, to identify vulnerabilities, and to gather related information about target sites or applications. There are hundreds of security tools available, commercial or free, for enterprise as well as individual use. With so many choices, how do you pick out the best tool(s) for your specific objective(s)? To do this, we use a structured decision process and consider three aspects when choosing tools for security tests: testing category, testing field and testing process (see Figure 1).

Figure 1. Process in Choosing Security Tools

Testing Category:

As shown in Figure 1, let's examine security testing types first.

1) Dynamic versus Static testing

Security testing can be categorized into dynamic testing and static testing. Static testing is performed by checking the source code for bug patterns, i.e. code patterns abstracted from code that is known to contain defects. For a brief introduction to bug patterns please refer to http://www.ibm.com/developerworks/java/library/j-diag1/index.html. In most cases, we verify security while the application is running in order to more accurately simulate what would happen in the real world. This is called dynamic testing. Many methodologies have been developed for dynamic security testing, such as penetration testing and security scanning. There are no clear boundaries or strict definitions amongst these methodologies; for instance, a penetration test will include scanning to collect information.

2) White, Gray and Black box testing

Another popular way to classify testing is by whether the testers know the internal structure of the code, and how much they know. In security testing, white-box testing is quite similar to static testing: you have to check the code, and the tools used are very similar to those used in static testing. There is no pure black-box way to conduct security tests. Gray-box tests are employed most of the time in order to attain sufficient system penetration. In fact, the most popular form of security testing is a combination of black-box techniques (to collect information) and gray-box techniques (to penetrate more deeply) to verify security in a dynamic (running) environment. This article focuses on the tools in this niche of security testing.

Although these security testing tools help testers identify potential security vulnerabilities, we still cannot rely completely on the tools by themselves or in isolation. Different tools should be used to double-check vulnerabilities, and sometimes manual testing is necessary to reproduce a vulnerability and understand its severity. In addition, you must keep your tools up to date, as new security vulnerabilities are discovered constantly. Investigating the right tool or tools to use, and verifying that their functionality covers what you need, is important; otherwise you may be unable to uncover your software's security holes.

Testing Field:

When examining and analyzing tools, it is convenient to categorize them by different criteria. Some categorizations include:

1) Tools designed for different infrastructure components

Field: Network security
Description: These tools focus on identifying security vulnerabilities on externally accessible network-connected devices such as firewalls, servers, and routers. Some network scanning tools also perform vulnerability scanning functions.
Tools: Various scanners, including NMap, SuperScan and Foundstone.

Field: Database security
Description: Database security test tools focus on identifying vulnerabilities in a system's database. These can be the result of incorrect configuration of the database security parameters or improper implementation of the business logic used to access the database (e.g., SQL injection attacks). Database scanning tools are generally included in network security or web application security scanning tools.
Tools: Examples include Toad for Oracle, OWASP SQLiX and SQLInjector, Sqlninja, etc.

Field: Subsystem or middleware
Description: These tools are used during the implementation cycle to test whether security-critical subsystems have been designed and implemented properly. As an example, these tools test for correct operation of random number generators, cryptographic processors, and other security-critical components.
Tools: NIST Statistical Test Suite for random number generation.

Field: Web application security
Description: Web application security tools highlight security issues within applications accessed via the Internet, for example over ports 80 (HTTP) and 443 (HTTPS). Unlike network security tools, web application security tools focus on identifying vulnerabilities and abnormal behavior within the applications themselves.
Tools: For example, Medusa for brute force, AppScan for web scanning, etc.

Testing Process:

Another way to categorize security tools is according to the testing process, as shown in Figure 2.

Figure 2. Tools in categories divided by testing process flow

Gather information: In this step, information about the number of machines, type of machines, operating systems, etc. should be gathered to scope out the possible targets and look for possible weaknesses.

System scanning: After you have the internal topology of a web site, investigating the status of each device (routers, servers, switches, computers, etc.) usually requires system scanners.

Multiple vulnerability detection: In this step, multi-vulnerability scanners can roughly find out what kinds of vulnerabilities may exist. Usually, the tools for this purpose have embedded databases of pre-defined vulnerabilities.

Specific vulnerability detection: Two kinds of defects should be verified in this step. The first is well-known vulnerabilities, like SQL injection and XSS injection. The other type is a defect specific to a particular application, like defects in Office or Adobe products. Some tools, like MS05-039 Scan, are developed for Microsoft products and can be found on the official web sites.

Tool Selection Criteria

There are many articles and publications on selecting security tools, some of which provide great detail, such as http://www.uml.org.cn/test/12/automated Testing Tool Evaluation Matrix.pdf. But based on our experience, we summarize three key criteria for tool selection; other factors should be used only in special cases and most often are not needed.

Objective: Test coverage
Description: Coverage refers to the ability of the tool, or combination of tools, to cover all the categories of vulnerabilities that the testing activities should exploit.
Suggestions: Before evaluating tools, you need a list of the vulnerabilities that may exist and need to be verified.

Objective: Accuracy (false positives and leakage)
Description: This concerns the reputation and trustworthiness of the tools. If there are a huge number of false positives, or the tools are not up to date and cause a lot of leakage (missed vulnerabilities), the results will require manual evaluation and verification, which is a difficult and time-consuming task.
Suggestions: It is better to use active tools, which are continuously updated. Also, you need to choose backup tools and compare, verify and validate results.

Objective: Budget
Description: Commercial tools are usually powerful and come with after-sales services. Vulnerability databases and patterns are maintained by the providers as new vulnerabilities appear. Of course, they can be quite expensive. Free tools usually focus on a specific item, like investigating one kind of vulnerability or scanning ports.
Suggestions: Of course, it depends on your budget. But cost refers not only to money but also to time. Free tools may save you money but are time consuming. However, sometimes they are necessary even when you have commercial tools, in order to dig deeper into specific vulnerability areas and to verify results from other tools.

Conclusion

Security testing, more than ever, needs to be an integral part of software testing and should be planned for as a specific part of the test plan. Especially with software exposed to so many devices over the Internet and through the cloud, you need tools to carry out your mission and efficiently conduct software security testing in order to discover vulnerabilities as fast as possible. Of course manual testing can be used as a supplement, but there is no way it can uncover all the vulnerabilities. Different tools can produce significantly different testing results, and choosing the right tool can be time consuming, especially when you may need more than one tool for deeper analysis and for cross-checking results. Rather than getting lost in the tool forest, it's best to follow a step-by-step process to pick out the tools in an organized manner according to your objectives. This will save you a lot of time while also helping you understand the purpose of your security tests and your results. And with good security test results, you'll be able to make the corrections to remove vulnerabilities so you don't end up on the front page of the New York Times.

XBOSoft Inc. 640 Rocca Ave. South San Francisco, CA 94080 +1 408-350-0508
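As an added example (not part of the XBOSoft article), the three selection criteria and the advice to cross-check results with backup tools can be turned into a small Python decision helper: it reports required vulnerability categories that no chosen tool covers, categories that only one tool covers (so there is no backup tool to verify its findings), and which findings were reported by more than one tool versus only one. The tool names, coverage sets and findings are constructed sample data, not the output of any real scanner.

```python
"""Added example (not from the article): check a tool combination against the
three selection criteria. Tool names, coverage and findings are constructed."""
from collections import defaultdict

# Constructed sample: categories each tool claims to detect, and what it reported.
# A finding is (category, host, location).
TOOLS = {
    "scanner_a": {
        "covers": {"sqli", "xss", "open_port"},
        "findings": [
            ("sqli", "app.example.test", "/login"),
            ("xss", "app.example.test", "/search"),
            ("open_port", "db.example.test", "3306/tcp"),
        ],
    },
    "scanner_b": {
        "covers": {"sqli", "xss", "weak_rng"},
        "findings": [
            ("sqli", "app.example.test", "/login"),
            ("xss", "app.example.test", "/profile"),
            ("weak_rng", "app.example.test", "session-token"),
        ],
    },
}
# Vulnerability categories the test plan says must be verified (constructed).
REQUIRED = {"sqli", "xss", "open_port", "weak_rng", "weak_crypto"}

def coverage_gap(required, tools):
    """Test coverage: required categories no tool in the combination can detect."""
    covered = set().union(*(t["covers"] for t in tools.values()))
    return required - covered

def categories_without_backup(tools):
    """Accuracy: categories only one tool covers, so nothing cross-checks its results."""
    count = defaultdict(int)
    for t in tools.values():
        for cat in t["covers"]:
            count[cat] += 1
    return {cat for cat, n in count.items() if n == 1}

def triage(tools):
    """Findings reported by two or more tools are confirmed; single-source
    findings go to manual reproduction before they are trusted."""
    reporters = defaultdict(set)
    for name, t in tools.items():
        for finding in t["findings"]:
            reporters[finding].add(name)
    confirmed = sorted(f for f, r in reporters.items() if len(r) >= 2)
    manual = sorted(f for f, r in reporters.items() if len(r) == 1)
    return {"confirmed": confirmed, "needs_manual_review": manual}
```

With the sample data, the helper flags weak_crypto as uncovered, open_port and weak_rng as having no backup tool, and only the /login SQL injection finding as confirmed by both scanners.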