Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Testing Methods

Published byAlan Rodgers Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Testing Methods"— Presentation transcript:

1 Security Testing Methods
Dr. Imran Ghani

2 Why Security Testing? We assume that QA team knows about security issues We need process/tool to test Reduced support/maintenance/cost E.g., I don’t understand a frequent pop Increased Sale of your S/W If product is security certified

3 Functional Testing Testing the system according to its functional requirements. A functional requirement usually has the following form: “If a specific thing happens, then the software should respond in a certain way." The test will check the “if” part as requirement Login / logout Search

4 Functional Testing Examples of functional security requirements:
a user's account is disabled after three unsuccessful login attempts only certain characters are permitted in a URL These positive functional requirements can be tested in traditional ways, such as attempting three unsuccessful login attempts and verifying that the account is disabled

5 Functional Testing Techniques
Ad hoc testing (experience-based testing) and exploratory testing: Tests are based on the tester's skill, intuition, and experience Data-flow testing: Test interfaces between subsystems Load and performance testing: Capacity and response time) by exercising the system to the maximum load.

6 Risk-Based Testing Risk-based testing addresses negative requirements, which state what a software system should not do. Security test engineers typically look for common mistakes and test suspected weaknesses in the software. Abuse/misuse test are executed. Incident/bugs reports are used.

7 Security Testing Considerations Throughout the SDLC
Unit testing where individual classes, methods, functions, or other relatively small components are tested Integration testing where the goal is to test whether software components work together as they should If the calling function and called function assume that the other system checks the value in a variable. System testing: where the entire system is under test

8 Black-Box Testing Black-box testing uses methods that do not require access to source code. Either the test engineer does not have access or the details of the source code are irrelevant to the properties being tested. Black-box testing focuses on the externally visible behavior (functionality) of the software, such as requirements, protocol specifications, APIs, or even attempted attacks

9 Black-Box Testing Focuses on specific areas such as network security, database security, security subsystems, and Web application security. For example, network security tools include port scanners to identify all active devices connected to the network, services operating on systems connected to the network, and applications running for each identified service.

10 White-box testing Focuses on internal structures or workings of an application Usually done at the unit level. It can test paths within a unit, paths between units during integration, and between subsystems during a system level test. Through this method of test design can uncover many errors or problems. Control flow testing Data flow testing

11 Penetration Testing Allows project managers to assess how an attacker is likely to try to weaken a system. Term "penetration testing" refers to testing the security of a computer system and/or software application by attempting to compromise its security in particular, the security of the underlying operating system and network component configurations.

12 Penetration Testing Tools used in penetration testing today include host-based, network-based, and application scanning Network-based penetration testing follow a process including Target acquisition: test engineer identifies test targets, list of network addresses Inventory: Test all available network services Penetrate: Each identified vulnerability is exploited in an attempt to penetrate the target system Continue: Test engineer obtains access on any of the systems where identified vulnerabilities were exploited and continues the testing process from the network location(s) of each compromised system

13 Summary Thinking the way attackers think
Integrating security testing into the SDLC Using threat modeling to prioritize testing based on risk Building test labs for conducting white, and black-box testing Choosing and using the right tools Executing today's leading attacks, from fault injection to buffer overflows Determining which flaws are most likely to be exploited

Download ppt "Security Testing Methods"

Similar presentations

Unit Testing in the OO Context(Chapter 19-Roger P)

Unit Testing in the OO Context(Chapter 19-Roger P)
Testing and Quality Assurance

Testing and Quality Assurance
Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.

Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.
CMSC 345, Version 11/07 SD Vick from S. Mitchell Software Testing.

CMSC 345, Version 11/07 SD Vick from S. Mitchell Software Testing.
Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.

Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.

CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.

SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.
Chapter 11: Testing The dynamic verification of the behavior of a program on a finite set of test cases, suitable selected from the usually infinite execution.

Chapter 11: Testing The dynamic verification of the behavior of a program on a finite set of test cases, suitable selected from the usually infinite execution.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.

Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.
Categories of Testing.

Categories of Testing.
1 Software Testing (Part-II) Lecture 13. 2 Software Testing Software Testing is the process of finding the bugs in a software. It helps in Verifying and.

1 Software Testing (Part-II) Lecture Software Testing Software Testing is the process of finding the bugs in a software. It helps in Verifying and.
Using Windows Firewall and Windows Defender

Using Windows Firewall and Windows Defender
Information Systems Security Computer System Life Cycle Security.

Information Systems Security Computer System Life Cycle Security.

Similar presentations

Ads by Google