Security Assessment and Testing

  • Security Testing

    • Verify that controls are working properly

      • Includes

        • Automated scans

        • Tool-assisted penetration tests

        • Manual attempts to undermine security

      • Factors to consider

        • Availability of security testing resources

        • Criticality of systems and applications protected by the security controls

        • Sensitivity of information

        • Likelihood of technical failure

        • Likelihood of misconfiguration

        • Risk of coming under attack

        • Rate of change of the control configuration

        • Difficulty and time required to perform a control test

        • Impact of the test on normal business operations

  • Security Assessments

    • Comprehensive reviews of the security of a system, application, or other environment

    • Performs a risk assessment that identifies vulnerabilities in the environment that may allow a compromise and makes recommendations for remediation

    • Reviews of the threat environment, current and future risks and the value of the targeted environment

    • Produces an assessment report addressed

    • Conducted by an internal team or can be outsourced to a third party assessment team

  • Security Audits

    • Have to be performed by independent auditors

    • Unlike security assessments, which are meant for internal use only and are designed to evaluate controls and find improvements

    • Audits are meant to demonstrate to a third party how effective the controls are

    • Three main types

      • Internal

      • External

      • Third-party

  • Internal Audits

    • Performed by an organization's internal audit staff and meant for internal audiences

  • External Audits

    • Performed by an outside auditing firm

    • Auditing firms

      • Ernst & Young

      • Deloitte & Touche

      • PricewaterhouseCoopers

      • KPMG

  • Third-Party Audits

    • Conducted by, or on behalf of, another organization

  • Auditing Standards

    • Standards provide the description of control objectives that should be met

    • Examples

      • COBIT - describes the common requirements that organizations should have in place surrounding their information systems

      • ISO 27001 - standard approach for setting up an information security management system

      • ISO 27002 - goes into specifics of information security controls

Performing Vulnerability Assessments

  • Describing Vulnerabilities

    • NIST provides the Security Content Automation Protocol (SCAP), whose components include:

    • CVE - provides a naming system for describing security vulnerabilities

    • CVSS - provides a standardized scoring system for describing the severity of security vulnerabilities

    • CCE - provides a naming system for system configuration issues

    • CPE - provides a naming system for operating systems, applications and devices

    • XCCDF - provides a language for specifying security checklists

    • OVAL - provides a language for describing security testing procedures

  • Vulnerability Management Workflow

    • Steps

      • Detection - initial identification of a vulnerability

      • Validation - admins confirm the vulnerability to determine that it is not a false positive report

      • Remediation - validated vulnerabilities then should be remediated

Software Testing

  • Code Review

    • The foundation of software assessment programs

    • Steps

      1. Planning

      2. Overview

      3. Preparation

      4. Inspection

      5. Rework

      6. Follow-up

  • Static Testing

    • Evaluates the security of software without running it by analyzing either the source code or the compiled application

  • Dynamic Testing

    • Evaluates the security of software in a runtime environment

    • Often the only option for organizations deploying applications written by someone else

  • Fuzz Testing

    • Specialized dynamic testing technique that provides many different types of input to software to stress its limits and find new flaws

    • Types

      • Mutation - takes previous input values from actual operation of the software and manipulates them to create fuzzed input

      • Generational - develops data models and creates new fuzzed input based on an understanding of the types of data used by the program
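To show the difference between the two fuzzing types in working code, here is an added example that is not from the original notes. The target parser, its two defects and the seed input are constructed for illustration. The mutation fuzzer starts from one captured input and overwrites single bytes with boundary values; the generational fuzzer builds inputs from a model of the record format, so its framing and checksum are always valid and it reaches the logic behind the checksum check.

```python
"""Mutation-based versus generation-based fuzzing of a small record parser.
Example code added to these notes; the parser, its bugs and the seed input
are constructed for illustration."""


def parse_record(data: bytes) -> int:
    """Constructed target. Format: <len:1 byte><payload: len ASCII digits><checksum:1 byte>.
    ValueError is the parser's expected rejection; any other exception is a crash."""
    if len(data) < 2:
        raise ValueError("too short")
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]                  # bug 1: no bounds check -> IndexError when len lies
    if sum(payload) & 0xFF != checksum:
        raise ValueError("bad checksum")
    value = int(payload.decode("ascii"))    # non-digits -> ValueError (an expected rejection)
    return 1000 // value                    # bug 2: payload "0" -> ZeroDivisionError


def frame(payload: bytes) -> bytes:
    """Build a well-formed record around payload: this is the generational fuzzer's data model."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


SEED = frame(b"12345")   # one input captured from "actual operation" of the software

INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)


def mutation_inputs(seed: bytes):
    """Deterministic single-byte mutations: every position is overwritten with boundary
    values and with its neighbours (orig+1, orig-1)."""
    for i, orig in enumerate(seed):
        for v in INTERESTING + ((orig + 1) & 0xFF, (orig - 1) & 0xFF):
            if v != orig:
                yield seed[:i] + bytes([v]) + seed[i + 1:]


GENERATIONAL_PAYLOADS = [b"0", b"1", b"-1", b"", b"007", b"9" * 40, b"+5"]


def generational_inputs():
    """Inputs generated from the format model rather than from an observed input."""
    for p in GENERATIONAL_PAYLOADS:
        yield frame(p)


def run(target, inputs) -> dict:
    """Run target over each input; return {exception type name: first input that caused it}."""
    crashes = {}
    for data in inputs:
        try:
            target(data)
        except ValueError:
            continue                        # expected rejection, not a defect
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, data)
    return crashes


def fuzz_results() -> dict:
    """Crashes found by each technique, keyed by technique name."""
    return {"mutation": run(parse_record, mutation_inputs(SEED)),
            "generational": run(parse_record, generational_inputs())}


if __name__ == "__main__":
    for kind, found in fuzz_results().items():
        print(kind, {name: data.hex() for name, data in found.items()})
```

The two techniques find different bugs: mutating the length byte of the seed trips the missing bounds check, but no single-byte mutation can change the payload and keep the checksum valid, so the division by zero stays hidden. The generational fuzzer, because it understands the format, produces a valid record carrying the payload "0" and finds it immediately. That complementary coverage is why both types are listed above.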

Interface Testing

  • An important part of the development of complex software systems

  • Tests the performance of modules against the interface specifications to make sure they will work properly

  • Types

    • APIs - A standardized way for code modules to interact and may be exposed to the outside world through web services

    • User Interfaces (UIs) - Should include reviews of all user interfaces to verify that they function properly

    • Physical Interfaces

Key Performance and Risk Indicators

  • Number of open vulnerabilities

  • Time to resolve vulnerabilities

  • Vulnerability / defect recurrence

  • Number of compromised accounts

  • Number of software flaws detected in preproduction scanning

  • Repeat audit findings

  • User attempts to visit known malicious sites
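The indicators listed above are only useful once they are computed the same way every reporting period. As an added example that is not part of the original notes, the code below derives several of them (open vulnerability count, time to resolve, recurrence) from a vulnerability ledger; the ledger rows, asset names and vulnerability IDs (placeholders, not real CVE numbers) are constructed.

```python
"""Key performance and risk indicators computed from a vulnerability ledger.
Example code added to these notes; the ledger rows are constructed and the
vulnerability IDs are placeholders."""
from datetime import date
from statistics import mean, median

# Constructed ledger: one row per detection of a vulnerability on an asset.
# "resolved" is None while the vulnerability is still open.
LEDGER = [
    {"asset": "web-01", "vuln": "CVE-0000-00001", "detected": "2024-01-03", "resolved": "2024-01-10"},
    {"asset": "web-01", "vuln": "CVE-0000-00001", "detected": "2024-02-14", "resolved": "2024-02-16"},  # recurred
    {"asset": "db-01",  "vuln": "CVE-0000-00002", "detected": "2024-01-20", "resolved": None},
    {"asset": "app-02", "vuln": "CVE-0000-00003", "detected": "2024-01-05", "resolved": "2024-01-25"},
    {"asset": "app-02", "vuln": "CVE-0000-00004", "detected": "2024-03-10", "resolved": "2024-03-13"},
]


def _d(s):
    return date.fromisoformat(s) if s else None


def open_vulnerabilities(ledger, as_of: date) -> int:
    """Number of vulnerabilities detected on or before as_of and not yet resolved at that date."""
    return sum(1 for r in ledger
               if _d(r["detected"]) <= as_of
               and (r["resolved"] is None or _d(r["resolved"]) > as_of))


def time_to_resolve_days(ledger):
    """Days from detection to resolution for every resolved row."""
    return [(_d(r["resolved"]) - _d(r["detected"])).days
            for r in ledger if r["resolved"] is not None]


def recurrence_rate(ledger) -> float:
    """Fraction of (asset, vulnerability) pairs that were detected more than once,
    i.e. fixed and then reintroduced (for example by a rebuild from an old image)."""
    counts = {}
    for r in ledger:
        key = (r["asset"], r["vuln"])
        counts[key] = counts.get(key, 0) + 1
    return sum(1 for c in counts.values() if c > 1) / len(counts)


def oldest_open_age_days(ledger, as_of: date) -> int:
    """Age in days of the longest-open vulnerability as of the given date (0 if none open)."""
    ages = [(as_of - _d(r["detected"])).days for r in ledger
            if _d(r["detected"]) <= as_of
            and (r["resolved"] is None or _d(r["resolved"]) > as_of)]
    return max(ages, default=0)


def kpis(ledger, as_of: date) -> dict:
    """All indicators for one reporting date in a single dict."""
    ttr = time_to_resolve_days(ledger)
    return {
        "open": open_vulnerabilities(ledger, as_of),
        "oldest_open_days": oldest_open_age_days(ledger, as_of),
        "mean_ttr_days": mean(ttr) if ttr else 0.0,
        "median_ttr_days": median(ttr) if ttr else 0.0,
        "recurrence_rate": recurrence_rate(ledger),
    }


if __name__ == "__main__":
    print(kpis(LEDGER, date(2024, 3, 1)))
```

Reporting the median alongside the mean matters for time to resolve: one long-running finding drags the mean up, while the median shows what the typical fix takes.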

Vulnerability Scanning
