Types of Tests
- Black Box – zero knowledge provided; emulates an outside attacker on the edge; closed test, external
- Gray Box – limited information provided; tester still has to perform some discovery
- White Box – full knowledge (network diagrams, configs, possibly source); can be scoped to specific systems; open test
- White Hat – ethical hacker; tests with the owner's permission
- Black Hat – unethical hacker; tests without permission, typically with malicious intent
- Grey Hat – traits of both White Hat and Black Hat
- Script Kiddie – attacker with few skills who runs publicly available tools against targets
- Penetration Testing
  - NIST SP 800-115, Technical Guide to Information … – NIST Page
  - Find and exploit vulnerabilities; attempt to gain access to systems
  - Security Assessment – looks for vulnerabilities and reports them to the owner, without exploiting them
  - SAST – "Static" test is run on uncompiled source code
  - DAST – "Dynamic" test is run against the compiled application while it is executing
Real User Monitoring
- RUM passively captures the transactions of actual users on the production application
- Synthetic monitoring is the complement: a tool replays scripted or recorded transactions
- Scripted transactions are also used to emulate user traffic for stress testing and load testing
- Run the tests at multiple times (peak and off-peak) so results reflect real load
Specialized Tests
- Fuzzing – injects semi-random or malformed data into a program to find crashes and unhandled errors
- Misuse Case Testing
  - How does the app handle bad data – e.g. SQL injection
  - How are errors handled – try to break the application
  - Goes to places not covered by normal use-case testing
  - Tries to force the application to do something it is not supposed to do
- Input Validation Testing
  - Mandatory input fields – required fields cannot be left empty
  - Data and field types – a date should only be accepted in a date field
  - Buffer size – a name field should have a limited length
  - Data bounds – is the date a reasonable date (not in the future, not centuries ago)
- Abuse Case Testing
  - Use the application in ways that will cause it to break or destroy data
  - Try to get the app to do something it isn't supposed to do
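The four input-validation checks and the fuzzing / misuse-case idea above, as an added example written for these notes (not code from the original page). The registration form, its field names, the 64-character name limit and the 1900 lower bound on birth year are assumptions for the example; the fuzzer feeds semi-random and known-bad data (including an SQL-injection string) to the validator and reports any input that produced a crash instead of a clean reject.

```python
import random
import re
from datetime import date

# Assumed limits for this example form.
MAX_NAME_LEN = 64
MIN_BIRTH_YEAR = 1900


class ValidationError(ValueError):
    """Raised for any rejected input; callers get a message, never a traceback."""


def validate_registration(form):
    """Return a cleaned copy of the form or raise ValidationError."""
    # Mandatory input fields
    for field in ("name", "birthdate"):
        if not form.get(field):
            raise ValidationError(f"{field} is required")
    name, birth = form["name"], form["birthdate"]
    # Field type: reject anything that is not a string before touching it further
    if not isinstance(name, str) or not isinstance(birth, str):
        raise ValidationError("fields must be strings")
    # Buffer size: cap the name length before it reaches storage or logs
    if len(name) > MAX_NAME_LEN:
        raise ValidationError("name too long")
    # Data/field type: a date field only accepts an ISO date
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", birth):
        raise ValidationError("birthdate must be YYYY-MM-DD")
    try:
        d = date.fromisoformat(birth)
    except ValueError as exc:
        raise ValidationError("birthdate is not a real date") from exc
    # Data bounds: a reasonable birthdate is neither in the future nor before 1900
    if d.year < MIN_BIRTH_YEAR or d > date.today():
        raise ValidationError("birthdate out of range")
    return {"name": name, "birthdate": d}


def rejection_reason(form):
    """None if the form is accepted, otherwise the validator's reason."""
    try:
        validate_registration(form)
    except ValidationError as exc:
        return str(exc)
    return None


# Constructed known-bad samples: empties, impossible dates, an SQL-injection
# string, a NUL byte, an oversized value and wrong types.
BAD_SAMPLES = ["", "2000-02-30", "9999-99-99", "' OR 1=1 --", "\x00",
               "A" * 10000, None, 42]


def fuzz_validator(iterations=2000, seed=1):
    """Misuse-case fuzzing: feed semi-random data to the validator and collect
    any input that produced something other than accept or ValidationError.
    A crash here means the app handled bad data by breaking, not by rejecting it."""
    rng = random.Random(seed)

    def pick():
        if rng.random() < 0.4:
            return rng.choice(BAD_SAMPLES)
        # random bytes as characters, random length
        return "".join(chr(rng.randrange(256)) for _ in range(rng.randrange(200)))

    crashes = []
    for _ in range(iterations):
        form = {"name": pick(), "birthdate": pick()}
        try:
            validate_registration(form)
        except ValidationError:
            pass  # clean rejection is the expected path
        except Exception as exc:  # anything else is a finding
            crashes.append((form, repr(exc)))
    return crashes


if __name__ == "__main__":
    print(rejection_reason({"name": "Ada", "birthdate": "1990-05-01"}))
    print(rejection_reason({"name": "Bob", "birthdate": "2000-02-30"}))
    print(f"fuzz crashes: {len(fuzz_validator())}")
```

Note that the validator accepts `' OR 1=1 --` as a name: it is a legal string of legal length. Input validation bounds the data; it does not replace parameterized queries, which is where the SQL-injection misuse case is actually defended.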
CWE – Common Weakness Enumeration
OSSTMM – Open Source Security Testing Methodology Manual
Vulnerability Tests
- Common Methodology
  - Discovery, Enumeration, Vulnerability Analysis, Penetration, Clean-up, Documentation
  - Automated tools typically produce numerous false positives that must be verified by hand
- CVE – Common Vulnerabilities and Exposures
  - A shared identifier (CVE-YYYY-NNNN) makes it easier to exchange findings between separate scanning tools
  - The CVE list can be downloaded for offline use
  - Scanners reference the CVE ID to detail their findings
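How the shared CVE identifier lets findings from different scanners be lined up, as an added example written for these notes (not code from the page or from any scanner vendor). Both scanner output formats, the hosts and the mapping of CVE IDs to those hosts are constructed for the example; the CVE IDs themselves are real, well-known identifiers used only as sample data. The correlation orders findings for the manual verification step the notes call for; agreement between two scanners raises priority but is not proof.

```python
import json
import re
from collections import defaultdict

# CVE IDs are "CVE-" + four-digit year + a sequence of four or more digits.
# Scanners differ in case, so the match is case-insensitive.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed output from two scanners in two different formats (invented hosts).
SCANNER_A_TEXT = """\
host=10.0.0.5 plugin=ssh_version severity=high refs=CVE-2018-15473,cve-2016-0777
host=10.0.0.7 plugin=http_banner severity=medium refs=none
host=10.0.0.5 plugin=openssl_old severity=high refs=CVE-2014-0160
"""

SCANNER_B_JSON = json.dumps([
    {"target": "10.0.0.5", "title": "OpenSSL Heartbleed", "cve": ["CVE-2014-0160"]},
    {"target": "10.0.0.7", "title": "Server version disclosure", "cve": []},
    {"target": "10.0.0.9", "title": "OpenSSH user enumeration", "cve": ["cve-2018-15473"]},
])


def extract_cves(text):
    """Every CVE ID in free text, normalized to upper case."""
    return {m.upper() for m in CVE_RE.findall(text)}


def parse_scanner_a(text):
    """key=value lines -> list of (host, cve)."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        for cve in extract_cves(fields.get("refs", "")):
            findings.append((fields["host"], cve))
    return findings


def parse_scanner_b(json_text):
    """JSON list of findings -> list of (host, cve). Findings with no CVE
    reference cannot be correlated by ID and are dropped here."""
    findings = []
    for item in json.loads(json_text):
        for cve in extract_cves(" ".join(item.get("cve", []))):
            findings.append((item["target"], cve))
    return findings


def correlate(sources):
    """{scanner_name: [(host, cve), ...]} -> {(host, cve): sorted scanner names}"""
    seen = defaultdict(set)
    for name, findings in sources.items():
        for key in findings:
            seen[key].add(name)
    return {key: sorted(names) for key, names in seen.items()}


def verification_queue(correlated):
    """Order findings for manual verification: multi-scanner hits first, then by
    host and ID. Every entry still needs a human or a targeted check."""
    return sorted(correlated.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    merged = correlate({"A": parse_scanner_a(SCANNER_A_TEXT),
                        "B": parse_scanner_b(SCANNER_B_JSON)})
    for (host, cve), scanners in verification_queue(merged):
        print(f"{host:10} {cve:15} seen by {','.join(scanners)}")
```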
Pen Testing Risks
- Systems may go down
- VoIP systems are especially fragile under scanning and attack traffic; calls can drop
War Dialing – an open modem connected to a system with network access could provide a way into the internal network
- Conduct annually
- Conduct after hours
User Monitoring
- Check with Legal before starting a monitoring program
- Should be covered in the Internet Usage policy
- Should be covered in Security Awareness Training
QA Testing
Integration Testing – tests that separately built components work together
Regression Testing – re-runs earlier tests after a change to confirm nothing that worked before has broken
Unit Testing – tests individual components in isolation