Baskar P
Agenda
What is Security Testing
Purpose of Security Testing
Basic Security Testing Concepts
Security Testing Techniques
Security Testing Tools
What is Security Testing
Security testing is a process to determine that an information system protects data and maintains functionality.
To check whether there is any information leakage.
To test whether the application permits unauthorized access and whether its security controls are actually implemented in the code.
To find out all the potential loopholes and weaknesses of the system.
Purpose of Security Testing
The primary purpose of security testing is to identify vulnerabilities and then fix them.
Security testing helps in improving the current system and in ensuring that it keeps working securely over time.
Security testing helps in finding loopholes that can cause loss of important information.
Six basic security concepts
Confidentiality
Integrity
Authentication
Authorization
Availability
Non-repudiation
Basic security concepts
Confidentiality
Ensuring information is accessible only for those with authorized access and to prevent information theft.
Integrity
Assurance that information has not been altered in storage or in transit, so that the receiver can verify that what it received is what was sent.
Authentication
The process of establishing the identity of the user.
Basic security concepts (Cont..)
Authorization
The process of determining that a requester is allowed to receive a service or perform an operation.
Availability
Assuring information and communications services will be ready for use when expected.
Non-repudiation
A measure intended to prevent the later denial that an action happened or that a communication took place.
Security Testing Techniques
Main security testing techniques are:
Vulnerability Scanning
Security Scanning
Penetration Testing
Ethical Hacking
Risk Assessment
Security Auditing
Posture Assessment & Security Testing
Password cracking
Vulnerability Scanning
It involves scanning the application for all known vulnerabilities.
A vulnerability scanner is a program designed to assess computers, computer systems, networks or applications for weaknesses.
Generally done with vulnerability scanning software, e.g. Nessus, SARA and ISS.
Security Scanning
Scanning and verification of the system and applications, to find weaknesses in the OS, applications and network.
Penetration Testing
The tester tries to break into the application / system, either with the help of other tools or by chaining loopholes that the application has unknowingly left open.
It is the most effective way to find out, in practice, which weaknesses in the application are actually exploitable.
Ethical Hacking
Ethical hacking involves a number of penetration tests across the wider network that hosts the system under test. It is conducted by ethical hackers to find possible problems in the system.
Risk Assessment
A method of analyzing and rating risk based on the type of loss and the probability that the loss occurs.
Risk assessment is carried out through interviews, discussions and analysis of what they reveal.
Security Auditing
Security auditing involves hands-on internal inspection of operating systems and applications, often via line-by-line inspection of the code.
A security audit is a systematic evaluation of the security of a company's information system.
Posture Assessment and Security Testing
It combines Security Scanning, Ethical Hacking and Risk Assessments to show an overall Security Posture of the organization.
Password Cracking
Password cracking programs can be used to identify weak passwords.
Password cracking verifies that users are employing sufficiently strong passwords.
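As an added example (not part of the original slides), the following Python block runs a small dictionary attack against salted PBKDF2 password hashes. The user records, the wordlist and the mangling rules are constructed for this example; real crackers such as John the Ripper and hashcat do the same thing with far larger wordlists and rule sets. It shows why two weak passwords fall immediately while the random one survives, and why a per-user salt forces the attacker to recompute every candidate for every account instead of reusing one precomputed table.

```python
"""Added example: minimal dictionary attack on salted PBKDF2 hashes."""
import hashlib
import os

# Work factor for the demo. Production systems use far higher counts;
# the value here is an assumption chosen so the example runs quickly.
ITERATIONS = 10_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, the same way the application would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(username, password):
    """Constructed password-store entry: random 16-byte salt plus hash."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


# Constructed "password database": two weak passwords and one strong one.
USERS = [
    make_record("alice", "password123"),
    make_record("bob", "Summer2023"),
    make_record("carol", "k7$Vq!2mZp9#wLb4"),
]

# Constructed wordlist; real attacks use lists with millions of entries.
BASE_WORDS = ["password", "summer", "welcome", "admin", "letmein"]


def candidates(words):
    """Apply simple mangling rules: capitalisation and common suffixes."""
    for word in words:
        for variant in (word, word.capitalize()):
            yield variant
            for suffix in ("1", "123", "2022", "2023", "!"):
                yield variant + suffix


def crack(records, words):
    """Return {username: password} for every record a candidate matches.

    Because each record has its own salt, the hash of every candidate must be
    recomputed per user; without salts one table would serve all accounts."""
    found = {}
    cands = list(candidates(words))
    for rec in records:
        for cand in cands:
            if hash_password(cand, rec["salt"]) == rec["hash"]:
                found[rec["user"]] = cand
                break
    return found


def weak_accounts(records, words):
    """Accounts whose passwords a tester should report as too weak."""
    return sorted(crack(records, words))


if __name__ == "__main__":
    for user, pw in crack(USERS, BASE_WORDS).items():
        print(f"cracked {user}: {pw}")
    print("uncracked:", [r["user"] for r in USERS if r["user"] not in crack(USERS, BASE_WORDS)])
```

The test verdict is the list returned by `weak_accounts`: any account that appears there is using a password that a trivial wordlist recovers, which is the finding the slide describes.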
How to write Security test cases
Segregate test cases by role: each role gets its own set of cases.
For each event, write the negative scenarios first (what must be rejected: no session, wrong role, unknown operation) and only then the positive scenarios.
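As an added example (not from the original slides), the following Python block applies both rules to a hypothetical document service with three roles. The permission matrix, the users and the service function are assumptions made for the example. Negative cases are listed per role before the positive ones, and every case is a named check whose result can be asserted, so a failing deny-check is a security bug rather than a silently passing test.

```python
"""Added example: role-segregated security test cases, negatives first."""
from dataclasses import dataclass

# Constructed permission matrix for the hypothetical service: role -> operations.
PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "update"},
    "admin": {"read", "update", "delete", "grant"},
}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    authenticated: bool = True


class AuthorizationError(Exception):
    pass


def perform(session, operation):
    """System under test: authenticate, then authorize, denying by default.

    Unknown roles and unknown operations fall through to a denial."""
    if session is None or not session.authenticated:
        raise AuthorizationError("not authenticated")
    if operation not in PERMISSIONS.get(session.role, set()):
        raise AuthorizationError(f"{session.role} may not {operation}")
    return f"{operation} by {session.user}"


def is_denied(session, operation):
    """True when the operation is rejected; the expected outcome of a negative case."""
    try:
        perform(session, operation)
    except AuthorizationError:
        return True
    return False


def negative_cases():
    """Negative scenarios, grouped by role, written before any positive case."""
    viewer = Session("alice", "viewer")
    editor = Session("bob", "editor")
    stale_admin = Session("carol", "admin", authenticated=False)
    return {
        # no role at all
        "anonymous read denied": is_denied(None, "read"),
        # viewer
        "viewer update denied": is_denied(viewer, "update"),
        "viewer delete denied": is_denied(viewer, "delete"),
        # editor
        "editor delete denied": is_denied(editor, "delete"),
        "editor grant denied": is_denied(editor, "grant"),
        # admin with an invalid session must not keep its privileges
        "unauthenticated admin denied": is_denied(stale_admin, "delete"),
        # values outside the matrix must be rejected, not accepted by accident
        "unknown role denied": is_denied(Session("mallory", "superuser"), "read"),
        "unknown operation denied": is_denied(Session("dave", "admin"), "export"),
    }


def positive_cases():
    """Positive scenarios: each role can do exactly what it is entitled to."""
    viewer = Session("alice", "viewer")
    editor = Session("bob", "editor")
    admin = Session("dave", "admin")
    return {
        "viewer read allowed": perform(viewer, "read") == "read by alice",
        "editor update allowed": perform(editor, "update") == "update by bob",
        "admin delete allowed": perform(admin, "delete") == "delete by dave",
    }


def run_all():
    """Negative cases first, then positive; returns {case name: passed}."""
    results = dict(negative_cases())
    results.update(positive_cases())
    return results


if __name__ == "__main__":
    for name, passed in run_all().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

If the deny-by-default lines in `perform` are removed, the "unknown role" and "unknown operation" cases fail first, which is exactly the class of loophole the negative-first ordering is meant to catch.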
Security Testing Tools
Nessus (network vulnerability scanner)
Nikto (web server scanner)
Gendarme (static analysis for .NET / Mono assemblies)
Flawfinder (static analysis for C / C++ source code)