Security Testing Methods

Security Testing Methods Dr. Imran Ghani

Why Security Testing?
- We assume that the QA team knows about security issues
- We need a process/tool to test
- Reduced support/maintenance cost (e.g., "I don't understand a frequent pop-up")
- Increased sales of your software if the product is security certified

Functional Testing
- Testing the system according to its functional requirements.
- A functional requirement usually has the following form: "If a specific thing happens, then the software should respond in a certain way."
- The test checks the "if" part as the requirement, e.g. login/logout, search.

Functional Testing
- Examples of functional security requirements:
  - a user's account is disabled after three unsuccessful login attempts
  - only certain characters are permitted in a URL
- These positive functional requirements can be tested in traditional ways, such as making three unsuccessful login attempts and verifying that the account is disabled.

Functional Testing Techniques
- Ad hoc testing (experience-based testing) and exploratory testing: tests are based on the tester's skill, intuition, and experience
- Data-flow testing: tests the interfaces between subsystems
- Load and performance testing: tests capacity and response time by exercising the system to its maximum load

Risk-Based Testing
- Risk-based testing addresses negative requirements, which state what a software system should not do.
- Security test engineers typically look for common mistakes and test suspected weaknesses in the software.
- Abuse/misuse tests are executed.
- Incident and bug reports are used.
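The two requirement examples from the functional-testing slide (lockout after three failed logins, an allow-list of URL characters) make the positive/negative distinction concrete. The block below is an added illustration, not code from the slides: a hypothetical `AuthService` and `url_chars_permitted` are implemented, then exercised first by the traditional positive test the slide describes and then by the kind of negative, risk-based test this slide calls for (a locked account must stay locked even for the right password; characters outside the allow-list must be rejected). Account names, passwords and URLs are constructed sample data.

```python
import re
from dataclasses import dataclass
from hmac import compare_digest

# Hypothetical example code (not from the presentation). A real system stores
# password hashes, not plaintext; the comparison is kept minimal for the test.
MAX_FAILED_ATTEMPTS = 3


@dataclass
class Account:
    username: str
    password: str
    failed_attempts: int = 0
    disabled: bool = False


class AuthService:
    def __init__(self, accounts):
        self._accounts = {a.username: a for a in accounts}

    def login(self, username, password):
        """Return True on success; disable the account after three consecutive failures."""
        account = self._accounts.get(username)
        if account is None:
            return False                      # unknown user: nothing to lock
        if account.disabled:
            return False                      # negative requirement: disabled accounts never log in
        if compare_digest(password.encode(), account.password.encode()):
            account.failed_attempts = 0       # a success resets the counter
            return True
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.disabled = True
        return False

    def is_disabled(self, username):
        return self._accounts[username].disabled


# "Only certain characters are permitted in a URL": an allow-list (RFC 3986
# unreserved, reserved and percent characters), never a block-list of bad ones.
_URL_ALLOWED = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def url_chars_permitted(url):
    return bool(_URL_ALLOWED.fullmatch(url))


def functional_test_lockout():
    """Positive functional test from the slide: three wrong passwords disable the account."""
    svc = AuthService([Account("alice", "correct horse")])       # constructed sample account
    results = [svc.login("alice", "wrong") for _ in range(MAX_FAILED_ATTEMPTS)]
    return results == [False, False, False] and svc.is_disabled("alice")


def risk_based_test_lockout():
    """Negative tests: a disabled account must reject the correct password,
    and two failures followed by a success must NOT disable the account."""
    svc = AuthService([Account("alice", "correct horse")])
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong")
    still_locked = not svc.login("alice", "correct horse")

    svc2 = AuthService([Account("bob", "pw")])
    svc2.login("bob", "x")
    svc2.login("bob", "x")
    counter_reset = svc2.login("bob", "pw") and not svc2.is_disabled("bob")
    return still_locked and counter_reset


def risk_based_test_url():
    """Negative tests: whitespace, CR/LF and angle brackets are outside the allow-list."""
    return (url_chars_permitted("https://example.test/search?q=term&page=2")
            and not url_chars_permitted("https://example.test/a b")
            and not url_chars_permitted("https://example.test/\r\nX-Injected: 1")
            and not url_chars_permitted("https://example.test/<script>"))


if __name__ == "__main__":
    print("functional lockout:", functional_test_lockout())
    print("risk-based lockout:", risk_based_test_lockout())
    print("risk-based URL:", risk_based_test_url())
```

The positive test would also pass against an implementation that disables the account but still accepts the correct password afterwards; only the negative test catches that, which is the gap risk-based testing exists to fill.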

Security Testing Considerations Throughout the SDLC
- Unit testing, where individual classes, methods, functions, or other relatively small components are tested
- Integration testing, where the goal is to test whether software components work together as they should (e.g. when the calling function and the called function each assume that the other checks the value of a variable)
- System testing, where the entire system is under test
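The integration-testing bullet describes a classic gap: each unit passes its own tests because each assumes the other validates the input, so the check is never made. The example below is added here and is not from the slides; `parse_quantity`, `reserve_stock` and `handle_order` are hypothetical functions with constructed inputs. It shows the two units passing in isolation, the integration test exposing the unchecked negative quantity, and the fix of giving exactly one unit ownership of the check.

```python
# Hypothetical example code (not from the presentation).

def parse_quantity(raw):
    """Presentation layer: converts the request field to an int.
    ASSUMES the business layer enforces the valid range."""
    return int(raw)


def reserve_stock(quantity, stock):
    """Business layer: deducts the order from stock.
    ASSUMES the caller already rejected non-positive quantities."""
    if quantity > stock:
        raise ValueError("insufficient stock")
    return stock - quantity


def handle_order(raw_quantity, stock):
    return reserve_stock(parse_quantity(raw_quantity), stock)


def unit_tests_pass():
    """Each unit behaves exactly as its own contract says; nothing is wrong in isolation."""
    return parse_quantity("4") == 4 and reserve_stock(3, 10) == 7


def integration_gap_demo():
    """Integration test input: a negative quantity. Neither unit owns the check,
    so the order *adds* stock instead of being rejected (returns 15)."""
    return handle_order("-5", 10)


# Fix: one unit (the one that acts on the value) owns the validation.
def reserve_stock_fixed(quantity, stock):
    if quantity <= 0:
        raise ValueError("quantity must be positive")
    if quantity > stock:
        raise ValueError("insufficient stock")
    return stock - quantity


def handle_order_fixed(raw_quantity, stock):
    return reserve_stock_fixed(parse_quantity(raw_quantity), stock)


def integration_test_fixed():
    """The same integration test now expects rejection of the negative quantity."""
    try:
        handle_order_fixed("-5", 10)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unit tests pass:", unit_tests_pass())
    print("stock after ordering -5 of 10 (unfixed):", integration_gap_demo())
    print("negative quantity rejected (fixed):", integration_test_fixed())
```

The integration test is the only level at which this defect is visible, which is why the slide lists it separately from unit and system testing: a unit test of either function, written against that function's stated assumptions, passes.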

Black-Box Testing
- Black-box testing uses methods that do not require access to source code. Either the test engineer does not have access, or the details of the source code are irrelevant to the properties being tested.
- Black-box testing focuses on the externally visible behavior (functionality) of the software, such as requirements, protocol specifications, APIs, or even attempted attacks.

Black-Box Testing
- Focuses on specific areas such as network security, database security, security subsystems, and Web application security.
- For example, network security tools include port scanners to identify all active devices connected to the network, the services operating on systems connected to the network, and the applications running for each identified service.

White-Box Testing
- Focuses on the internal structures or workings of an application.
- Usually done at the unit level. It can test paths within a unit, paths between units during integration, and paths between subsystems during a system-level test.
- This method of test design can uncover many errors or problems.
- Control flow testing
- Data flow testing

Penetration Testing
- Allows project managers to assess how an attacker is likely to try to weaken a system.
- The term "penetration testing" refers to testing the security of a computer system and/or software application by attempting to compromise its security, in particular the security of the underlying operating system and network component configurations.

Penetration Testing
- Tools used in penetration testing today include host-based, network-based, and application scanning.
- Network-based penetration testing follows a process including:
  - Target acquisition: the test engineer identifies the test targets, a list of network addresses
  - Inventory: test all available network services
  - Penetrate: each identified vulnerability is exploited in an attempt to penetrate the target system
  - Continue: the test engineer obtains access on any of the systems where identified vulnerabilities were exploited and continues the testing process from the network location(s) of each compromised system

Summary
- Thinking the way attackers think
- Integrating security testing into the SDLC
- Using threat modeling to prioritize testing based on risk
- Building test labs for conducting white- and black-box testing
- Choosing and using the right tools
- Executing today's leading attacks, from fault injection to buffer overflows
- Determining which flaws are most likely to be exploited