Domain 6 – Testing

Type of Tests

  • Black Box – Zero knowledge provided; emulates a hacker on the edge; closed test, external
  • Gray Box – Limited information provided; tester must still perform discovery
  • White Box – Full knowledge (e.g. network diagram); may target specific systems; open test
  • White Hat – Ethical hacker; tests with the owner's permission
  • Black Hat – Unethical hacker; tests without permission, typically with malicious intent
  • Gray Hat – Traits of both white hat and black hat
  • Script Kiddie – Attacker with limited skills who relies on publicly available tools
  • Penetration Testing
  • Security Assessment – Look for vulnerabilities, report to the owner
  • SAST – “Static” test run on uncompiled source code
  • DAST – “Dynamic” test run on compiled code while it executes

Real User Monitoring

  • Tool to emulate or script recordings of transactions
  • Emulate user traffic, Stress testing, Load testing
  • Testing at multiple times

Specialized Tests

  • Fuzzing (fuzz testing) – Injects semi-random data into a program
  • Misuse Case Testing
    • How does the app handle bad data – e.g. SQL injection
    • How are errors handled – try to break the application
    • Go places not covered by use-case testing
    • Try to force the application to do something it is not supposed to do
  • Input Validation Testing
    • Mandatory input fields – are required fields actually enforced
    • Data and field types – a date should have a date field
    • Buffer size – name field should be of limited size
    • Data bounds – is the date a reasonable date
  • Abuse Case Testing
    • Use the application in ways that will cause it to break and destroy data
    • Try to get the app to do something it isn’t supposed to do
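
As an added example (not from these notes), a hypothetical Python registration-form validator that applies the four input-validation checks above, followed by a small fuzzing harness that feeds it semi-random data in the misuse/abuse-case spirit. `validate_registration`, `fuzz_validator`, the field names and the limits are assumptions chosen for illustration.

```python
import random
import string
from datetime import date

# Hypothetical limits for the example form (assumptions, not from the notes)
MAX_NAME_LEN = 64            # buffer size: the name field has a limited size
MIN_DOB = date(1900, 1, 1)   # data bounds: earliest "reasonable" date of birth


def validate_registration(form: dict) -> list[str]:
    """Return a list of validation errors; an empty list means the input is valid."""
    errors: list[str] = []
    name = form.get("name")
    dob_raw = form.get("dob")
    for field in ("name", "dob"):            # 1. mandatory input fields
        if not form.get(field):
            errors.append(f"{field}: required")
    # 2. Buffer size: reject over-long values instead of truncating them silently
    if isinstance(name, str) and len(name) > MAX_NAME_LEN:
        errors.append("name: too long")
    # 3. Data/field type: a date field must hold a real date, not free text
    if dob_raw:
        try:
            dob = date.fromisoformat(str(dob_raw))
        except ValueError:
            errors.append("dob: not a date")
        else:
            # 4. Data bounds: not before 1900 and not in the future
            if not MIN_DOB <= dob <= date.today():
                errors.append("dob: out of bounds")
    return errors


def fuzz_validator(iterations: int = 500, seed: int = 1) -> int:
    """Feed semi-random forms to the validator; returns how many were accepted as valid."""
    rng = random.Random(seed)
    alphabet = string.printable + "'\";--<>"   # include SQL/HTML metacharacters
    accepted = 0
    for _ in range(iterations):
        form = {
            "name": "".join(rng.choices(alphabet, k=rng.randint(0, 3 * MAX_NAME_LEN))),
            "dob": "".join(rng.choices(alphabet, k=rng.randint(0, 12))),
        }
        if rng.random() < 0.1:                 # sometimes drop a mandatory field
            form.pop(rng.choice(["name", "dob"]))
        try:
            if not validate_registration(form):
                accepted += 1
        except Exception as exc:               # the validator must never crash
            raise AssertionError(f"validator crashed on {form!r}: {exc}") from exc
    return accepted
```

Any exception escaping `validate_registration` during the fuzz run is itself the finding: the error-handling path, not the input, is what misuse-case testing is probing.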

CWE – Common Weakness Enumeration

OSSTMM – Open Source Security Testing Methodology Manual

Vulnerability Tests

  • Common Methodology
  • Discovery, Enumeration, Vulnerability Analysis, Penetration, Clean up, Document
  • Automated tools likely produce numerous false positives that need to be verified
  • CVE – Common Vulnerabilities and Exposures
    • Easier to share data across separate scanning tools
    • Can be downloaded for offline use
    • Scanners reference CVE IDs to detail their findings

Pen Testing Risks

  • Systems may go down
  • VoIP systems are easily disrupted by test traffic

War Dialing – An open modem connected to a system with network access could provide internal access to the network

  • Conduct annually
  • Conduct after hours

User Monitoring

  • Check with Legal before starting monitoring program
  • Should be part of Internet Usage policies
  • Should be part of Security Awareness Training

QA Testing

Integration Testing

Regression Testing

Unit Testing