Static and dynamic testing methods are used to test software security. Static testing analyzes source code and compiled applications without executing them, while dynamic testing analyzes running software using techniques like fuzz testing and mutation testing. Security testing aims to ensure security controls are properly applied and vulnerabilities are identified through automated scans, assessments, and manual testing. Software threats include viruses, rootkits, and malware, while testing focuses on issues like buffer overflows, privilege escalation, and backdoors. Security software, logs, and protocols help with monitoring, detection, prevention, and analysis.
Domain 6: Security Assessment & Testing CISSP Cheat Sheet Series
Software Testing

Static Testing: Software security analysis using automated tools. Analyzes the source code or the compiled application without executing it. Eg. buffer overflow.
Dynamic Testing: Analyze and test in the running environment. Used to test software provided by third parties where there is no access to the source code. Eg. cross-site scripting, SQL injection.
Fuzz Testing: Type of dynamic testing which uses specific inputs to detect flaws under stress/load. Eg. inputting invalid parameters to test.
• Mutation / Dumb Fuzzing: Uses already modified input values to test.
• Generational / Intelligent Fuzzing: Inputs generated from models of expected inputs.
Misuse Case Testing: Evaluate the vulnerability to known risks and attacks.
Interface Testing: Evaluate the performance of software modules against the interface specifications to validate working status.
• Application Programming Interfaces (APIs): Test APIs to verify the web application meets all security requirements.
• User Interfaces (UIs): Includes graphical user interfaces (GUIs) and command-line interfaces (CLIs). Review of user interfaces against requirement specifications.
• Physical Interfaces: Eg. in physical machines such as ATMs, card readers etc.
Unit Testing: Testing a small part of the system to check that units are good for integration into the final product.
Integration Level Testing: Transfer of data and control between program interfaces.
System Level Testing: Verify the system has all the required specifications and functions.
OPSEC process: Analyze daily operations and review possible attacks to apply countermeasures.
Pen-test: Testing of network security from the point of view of a hacker.
Port scanner: Check whether any port or port range is open on a computer.
Ring zero: Internal code of the system.
Operational assurance: Verify software meets security requirements.
Supervisor mode: Processes running in the internal protected ring.

Threat Assessment Modeling: Evaluate threats against applications or operating systems. STRIDE:
• Spoofing: Use of a false identity to gain access to a system. Can use IP/MAC addresses, usernames, wireless network SSIDs.
• Tampering: Cause unauthorized modification of data in transit or in storage. Results in violation of integrity as well as availability.
• Repudiation: Denial of an action or activity carried out by an attacker.
• Information disclosure: Distribution of private/confidential or restricted information to unauthorized parties.
• Elevation of privilege: Attack resulting in an increased level of privileges for a limited user account.

Code Review and Testing: A person other than the code writer/developer checks the code to find errors.
• Fagan inspection steps: Planning • Overview • Preparation • Inspection • Rework • Follow-up
• Code Coverage Report: Details of the tested code structure.
• Use cases: Percentage of the tested code against total cases.
• Code Review Report: Report created in manual code testing.
• Black-box testing: Test externally without testing the internal structure.
• White-box testing: Detailed testing by accessing code and internal structure.
• Dynamic Testing: Test code at run time.
• Regression Testing: Verify the installations required for testing do not have any issues with the running system.
• Integration Testing: Test using two or more components together.

Vulnerability scans: Automatically probe systems, applications, and networks.
• TCP SYN Scanning: Sends a packet with the SYN flag set. Also known as "half-open" scanning.
• TCP Connect Scanning: Performed when the user running the scan does not have the necessary permissions to run a half-open scan.
• TCP ACK Scanning: Sends a packet with the ACK flag set.
• Xmas Scanning: Sends a packet with the FIN, PSH, and URG flags set.
• Passive Scanning: Detect rogue devices in wireless networks.
• Authenticated scans: Read-only account to access configuration files.
• CVE: Common Vulnerabilities and Exposures dictionary.
• CVSS: Common Vulnerability Scoring System.
• NVD: National Vulnerability Database.

Software Development Security Best Practices

• WASC: Web Application Security Consortium
• OWASP: Open Web Application Security Project
• BSI: the Build Security In initiative
• IEC: The International Electrotechnical Commission

Security Testing: To make sure security controls are properly applied and in use. Automated scans, vulnerability assessments and manual testing.

Software Threats
• Viruses: Stealth virus • Polymorphic virus • Macro virus • Spyware/Adware • Botnet • Worm
• Rootkit: Kernel-mode Rootkit • Bootkit • User-mode Rootkit • Virtual Rootkit • Firmware Rootkit
• Source Code Issues: Buffer Overflow • Escalation of Privileges • Backdoor
• Malware Protection: Antivirus software • Antimalware software • Security Policies

Considerations
• Resource availability
• Level of criticality and sensitivity of the system under test
• Technical failures
• Control misconfigurations that result in security loopholes
• Security attack risks
• Risk of performance changes
• Impact on normal operations

Verification & Validation
• Verification – SDLC design output meets requirements
• Validation – Test to ensure software meets requirements

Security Software
• Antimalware and Antivirus – Scan and log malware and virus detection
• IDS/IPS – Real-time and promiscuous monitoring for attacks
  • Network-based IDS – Local network monitoring and passive, header-level scanning. No host-level scan.
  • Host-based IDS – Monitor hosts using event logs
• Intrusion prevention system (IPS) – Detects and prevents attacks
• Remote Access Software – Should be accessed via a VPN
• Vulnerability assessment software – Should be updated and patched
• Routers – Policy-based access control
• Log Management System

Logs
• Network Flow: Network traffic capture
• Audit logging: Events related to hardware device login and access
• Network Time Protocol (NTP): Should be synchronized across the entire network to have correct and consistent time in logs and device traffic flows.
• Syslog: Device event message log standard. Event types: Errors, Warnings, Information, Success Audits, Failure Audits
• Simple Network Management Protocol (SNMP): Support for different devices such as Cisco.

Monitoring and auditing: Define a clipping level, a.k.a. BASELINE.
• Audit trails – event/transaction date/time, author/owner of the event
• Availability – Log archival
• Log Analysis – examine logs
• Regular monitoring of key performance and risk indicators, including number of open vulnerabilities and compromised accounts, vulnerability resolution time, number of detected software flaws etc.
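The scan types and the clipping-level idea above, seen from the detection side, as an added example that is not part of the cheat sheet: it classifies inbound TCP segments by their flag bits into the SYN (half-open), ACK and Xmas probe patterns, then applies a per-source distinct-port threshold as the baseline. The packet records are constructed here for illustration; field names and the threshold value are assumptions.

```python
"""Classify TCP probe types from flag bits and apply a clipping level (added example)."""
from collections import Counter

# TCP control-bit masks in RFC 793 header order.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags: int) -> str:
    """Map one inbound segment's flag combination to a scan type named on the page."""
    if flags == FIN | PSH | URG:
        return "xmas"           # FIN+PSH+URG together: Xmas scan pattern
    if flags == SYN:
        # A bare SYN is the first step of both a half-open scan and a normal
        # connect; only the per-source volume below tells them apart.
        return "syn"
    if flags == ACK:
        return "ack"            # bare ACK with no session: ACK scan pattern
    return "other"              # everything else is treated as normal traffic


def summarize(packets, threshold):
    """Count probe kinds per source and raise an alert when the number of
    distinct probed ports reaches the clipping level (the baseline)."""
    per_src = {}
    for src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind == "other":
            continue
        entry = per_src.setdefault(src, {"ports": set(), "kinds": Counter()})
        entry["ports"].add(dport)
        entry["kinds"][kind] += 1
    return {
        src: {
            "distinct_ports": len(e["ports"]),
            "kinds": dict(e["kinds"]),
            "alert": len(e["ports"]) >= threshold,
        }
        for src, e in per_src.items()
    }


# Constructed sample (src, dst_port, flags): one source sweeping five ports with
# bare SYNs, one Xmas probe, and one ordinary connection that completes normally.
SAMPLE = [("10.0.0.5", p, SYN) for p in (22, 80, 443, 3389, 8080)] + [
    ("10.0.0.9", 80, FIN | PSH | URG),
    ("10.0.0.7", 443, SYN),
    ("10.0.0.7", 443, ACK | PSH),
]

if __name__ == "__main__":
    for src, report in summarize(SAMPLE, threshold=5).items():
        print(src, report)
```

A single legitimate client also starts with a bare SYN, so the threshold, not the flag pattern alone, is what separates a sweep from normal traffic.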