Security testing

Published in: Technology


Baskar P

Agenda
- What is Security Testing
- Purpose of Security Testing
- Basic Security Testing Concepts
- Security Testing Techniques
- Security Testing Tools
What is Security Testing
- Security testing is the process of determining whether an information system protects its data and maintains its intended functionality when it is attacked.
- It checks whether the system leaks information that it should not.
- It checks whether the application denies unauthorized access and whether its security controls are correctly implemented.
- It aims to find all potential loopholes and weaknesses of the system.

Purpose of Security Testing
- The primary purpose of security testing is to identify vulnerabilities so that they can be repaired before an attacker finds them.
- Security testing improves the current system and helps ensure that it remains fit for use over a longer time.
- It finds loopholes that could cause the loss or exposure of important information.
Six basic security concepts
- Confidentiality
- Integrity
- Authentication
- Authorization
- Availability
- Non-repudiation
Basic security concepts
- Confidentiality: ensuring that information is accessible only to those authorized to see it, to prevent information theft or disclosure.
- Integrity: a measure that lets the receiver determine that the information it receives has not been altered or corrupted in transit or storage. Integrity protects correctness, not secrecy.
- Authentication: the process of verifying the claimed identity of a user or system.

Basic security concepts (cont.)
- Authorization: the process of determining whether an authenticated requester is allowed to receive a service or perform an operation. Authentication establishes who the requester is; authorization decides what that requester may do.
- Availability: assuring that information and communication services are ready for use when expected.
- Non-repudiation: a measure that prevents a party from later denying that an action was performed or that a communication took place.
Security Testing Techniques
The main security testing techniques are:
- Vulnerability Scanning
- Security Scanning
- Penetration Testing
- Ethical Hacking
- Risk Assessment
- Security Auditing
- Posture Assessment & Security Testing
- Password Cracking
Vulnerability Scanning
- Scans the application or network for all known vulnerabilities.
- Performed by a program designed to assess computers, computer systems, networks or applications for weaknesses, typically by matching detected software versions and configurations against a database of known issues.
- Generally done with vulnerability scanning software, e.g. Nessus, SARA and ISS.
- A scanner only reports what its database knows about, and automated results include false positives, so findings still need to be verified.

Security Scanning
- Scanning and verification of systems and applications.
- Finds weaknesses in the operating system, applications and networks, and verifies that the weaknesses reported are real.

Penetration Testing
- The tester attempts to break into the application or system, either with the help of attack tools or by chaining several loopholes that the application has unknowingly left open.
- It is the most effective way to find out in practice which potential loopholes in the application can actually be exploited.
- It must be performed only with the system owner's written authorization and within an agreed scope.

Ethical Hacking
- Ethical hacking involves a number of penetration tests across the wider network containing the system under test. It is conducted by ethical hackers, with the owner's permission, to find possible problems in the system before malicious attackers do.
Risk Assessment
- A method of analysing and ranking risk based on the type of loss and the probability that the loss occurs.
- Carried out through interviews, discussions and analysis of the information gathered from them.

Security Auditing
- Hands-on internal inspection of operating systems and applications, often via line-by-line inspection of the code and configuration.
- A security audit is a systematic evaluation of the security of a company's information system.

Posture Assessment and Security Testing
- Combines Security Scanning, Ethical Hacking and Risk Assessment to show the overall security posture of the organization.

Password Cracking
- Password cracking programs can be used to identify weak passwords, typically by running dictionary and brute-force guesses offline against the stored password hashes.
- Password cracking verifies that users are employing sufficiently strong passwords, and that the system stores them with a hashing scheme slow enough to limit how many guesses an attacker can try.
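The following is an added example of the password-cracking check described above; it is not code from the original slides. It builds a small, constructed set of salted PBKDF2-SHA256 password records (the record format, the user names, the plaintexts and the wordlist are all assumptions made for the example) and then runs a dictionary attack with simple mangling rules against them. The iteration count is lowered so the example runs quickly; in production the count would be far higher, which is exactly what makes such attacks expensive.

```python
import hashlib
import hmac

# Constructed record format (an assumption for this example, not a real
# shadow-file format): "user:iterations$salt_hex$hash_hex".
ITERATIONS = 1_000  # lowered for the demo; real deployments use many more


def pbkdf2_hex(password: str, salt: bytes, iterations: int) -> str:
    """PBKDF2-HMAC-SHA256 of the password, returned as hex."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_record(user: str, password: str, salt: bytes) -> str:
    return f"{user}:{ITERATIONS}${salt.hex()}${pbkdf2_hex(password, salt, ITERATIONS)}"


# Constructed "leaked" records. The plaintexts appear here only to build the
# records; the cracker below sees nothing but the records and the wordlist.
# Fixed salts keep the example deterministic.
_SALTS = [bytes([i] * 8) for i in range(1, 5)]
LEAKED_RECORDS = [
    make_record("alice", "password123", _SALTS[0]),
    make_record("bob", "Summer2023!", _SALTS[1]),
    make_record("carol", "welcome", _SALTS[2]),
    make_record("dave", "c0rrect-h0rse-battery-staple-9x", _SALTS[3]),
]

# Constructed wordlist, deliberately tiny.
WORDLIST = ["password", "welcome", "summer", "letmein", "admin"]


def candidates(word: str):
    """Mangling rules: the word itself, capitalised, and with common suffixes."""
    yield word
    yield word.capitalize()
    for suffix in ("123", "2023!", "!"):
        yield word + suffix
        yield word.capitalize() + suffix


def parse_record(record: str):
    user, rest = record.split(":", 1)
    iterations, salt_hex, hash_hex = rest.split("$")
    return user, int(iterations), bytes.fromhex(salt_hex), hash_hex


def crack(records, wordlist):
    """Return {user: recovered_password} for every record a guess matches.

    Because each record carries its own salt, every guess must be hashed
    separately per user: the salt defeats precomputed tables, and the
    iteration count sets the cost of each guess.
    """
    cracked = {}
    for record in records:
        user, iterations, salt, target = parse_record(record)
        for word in wordlist:
            hit = None
            for guess in candidates(word):
                digest = pbkdf2_hex(guess, salt, iterations)
                if hmac.compare_digest(digest, target):
                    hit = guess
                    break
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


if __name__ == "__main__":
    weak = crack(LEAKED_RECORDS, WORDLIST)
    for user, _, _, _ in map(parse_record, LEAKED_RECORDS):
        status = f"WEAK ({weak[user]})" if user in weak else "not cracked"
        print(f"{user}: {status}")
```

Three of the four users are recovered from a five-word list plus a handful of rules; only the long passphrase survives. The same cracking run, performed with authorization against an export of real hashes, is the evidence behind the test's verdict that users are, or are not, choosing sufficiently strong passwords.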
How to write Security test cases
- Segregate test cases by role: for every function, define what each role (including the unauthenticated user) must and must not be able to do.
- For each event, write the negative scenarios first (access without logging in, access with the wrong role, access to another user's data) and only then the positive scenarios.
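As an added example (not from the original slides) of role-segregated, negative-first security test cases, and of the authentication/authorization distinction from the concepts slides, here is a constructed in-memory invoice service and a test table written against it. The service, its users, roles, invoices and the `check_owner` switch are all assumptions made for this example. The switch exists to show what the negative cases are for: turning the ownership check off lets every test still pass except N2, which is the one that catches a customer reading another customer's invoice.

```python
import secrets

# Constructed users, roles and data (assumptions for the example).
USERS = {"alice": "customer", "bob": "customer", "sue": "staff", "root": "admin"}
INVOICES = {1: {"owner": "alice", "total": 120}, 2: {"owner": "bob", "total": 80}}


class Unauthenticated(Exception):
    """No valid session: the caller's identity is unknown."""


class Forbidden(Exception):
    """Identity is known but the role or ownership rule denies the action."""


class InvoiceService:
    def __init__(self, check_owner: bool = True):
        self.check_owner = check_owner  # hypothetical switch to simulate a missing check
        self.sessions = {}
        self.invoices = {k: dict(v) for k, v in INVOICES.items()}

    def login(self, username: str) -> str:
        # Authentication stand-in: issues a random session token for a known user.
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def _identify(self, token: str):
        if token not in self.sessions:
            raise Unauthenticated()
        user = self.sessions[token]
        return user, USERS[user]

    def view_invoice(self, token: str, invoice_id: int):
        user, role = self._identify(token)          # authentication
        invoice = self.invoices[invoice_id]
        # authorization: customers may only read their own invoices
        if self.check_owner and role == "customer" and invoice["owner"] != user:
            raise Forbidden()
        return invoice

    def delete_invoice(self, token: str, invoice_id: int) -> None:
        _, role = self._identify(token)
        if role != "admin":                         # authorization: admin only
            raise Forbidden()
        del self.invoices[invoice_id]


def run_security_tests(check_owner: bool = True) -> dict:
    """Run the test table and return {case_id: passed}."""
    svc = InvoiceService(check_owner=check_owner)
    tokens = {user: svc.login(user) for user in USERS}
    # (case id, description, action, expected result or exception class)
    cases = [
        # Negative scenarios first, one per role that must be refused.
        ("N1", "no session may not view", lambda: svc.view_invoice("bogus", 1), Unauthenticated),
        ("N2", "customer may not view another customer's invoice",
         lambda: svc.view_invoice(tokens["bob"], 1), Forbidden),
        ("N3", "customer may not delete", lambda: svc.delete_invoice(tokens["alice"], 1), Forbidden),
        ("N4", "staff may not delete", lambda: svc.delete_invoice(tokens["sue"], 1), Forbidden),
        # Positive scenarios afterwards.
        ("P1", "customer views own invoice", lambda: svc.view_invoice(tokens["alice"], 1)["owner"], "alice"),
        ("P2", "staff views any invoice", lambda: svc.view_invoice(tokens["sue"], 2)["owner"], "bob"),
        ("P3", "admin deletes an invoice",
         lambda: (svc.delete_invoice(tokens["root"], 2), 2 in svc.invoices)[1], False),
    ]
    results = {}
    for case_id, _description, action, expected in cases:
        try:
            outcome = action()
        except Exception as exc:  # the test expects a specific exception class
            outcome = type(exc)
        results[case_id] = outcome == expected
    return results


if __name__ == "__main__":
    print("with ownership check:", run_security_tests(check_owner=True))
    print("ownership check removed:", run_security_tests(check_owner=False))
```

Each negative case names the role it is written for, and the table reads top-down as "who must be refused" before "who is allowed", which is the ordering the slide recommends. A single missing check changes exactly one verdict, so a failing case points at the control that is absent.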
Security Testing Tools
- Nessus: network vulnerability scanner
- Nikto: web server scanner
- Gendarme: static analysis tool for .NET/Mono assemblies
- Flawfinder: static analysis tool for C/C++ source code