Software Security Testing
Transcript

  • 1. Software Security Testing
      Vinay Srinivasan
      srinivasan_vinay@yahoo.com
      vinay.srinivasan@techmahindra.com
      Cell: +91 9823104620
  • 2. By Vinay Srinivasan (Tech Lead), working at the Testing Center of Excellence Laboratory, TechMahindra, Pune
  • 3. Secure Software
      • Confidentiality
          ◦ Disclosure of information to only intended parties
      • Integrity
          ◦ Determine whether the information is correct or not
      • Data Security
          ◦ Privacy
          ◦ Data Protection
          ◦ Controlled Access
      • Authentication
          ◦ Access to Authorized People
      • Availability
          ◦ Ready for Use when expected
      • Non Repudiation
          ◦ Information Exchange with proof
  • 4. Software Security
      • Security of Operating System
      • Security of Client Software
      • Security of Application Software
      • Security of System Software
      • Security of Database Software
      • Security of Software Data
      • Security of Client Data
      • Security of System Data
      • Security of Server Software
      • Security of Network Software
  • 5. Why Security Testing
      • For Finding Loopholes
      • For Zeroing in on Vulnerabilities
      • For identifying Design Insecurities
      • For identifying Implementation Insecurities
      • For identifying Dependency Insecurities and Failures
      • For Information Security
      • For Process Security
      • For Internet Technology Security
      • For Communication Security
      • For Improving the System
      • For confirming Security Policies
      • For Organization-wide Software Security
      • For Physical Security
  • 6. Approach to Software Security Testing
      • Study of Security Architecture
      • Analysis of Security Requirements
      • Classifying Security Testing
      • Developing Objectives
      • Threat Modeling
      • Test Planning
      • Execution
      • Reports
  • 7. Security Testing Techniques
      • OS Hardening
          ◦ Configure and Apply Patches
          ◦ Updating the Operating System
          ◦ Disable or Restrict unwanted Services and Ports
          ◦ Lock Down the Ports
          ◦ Manage the Log Files
          ◦ Install Root Certificate
          ◦ Protect from Internet Misuse and be Cyber Safe
          ◦ Protect from Malware
      • Vulnerability Scanning
          ◦ Identify Known Vulnerabilities
          ◦ Scan Intrusively for Unknown Vulnerabilities
  • 8. Security Testing Techniques (continued…)
      • Penetration Testing
          ◦ Simulating Attack from a Malicious Source
          ◦ Includes Network Scanning and Vulnerability Scanning
          ◦ Simulates Attack from someone Unfamiliar with the System
          ◦ Simulates Attack by having access to Source Code, Network, Passwords
      • Port Scanning and Service Mapping
          ◦ Identification and locating of Open Ports
          ◦ Identification of Running Services
      • Firewall Rule Testing
          ◦ Identify Inappropriate or Conflicting Rules
          ◦ Appropriate Placement of Vulnerable Systems behind Firewall
          ◦ Discovering Administrative Backdoors or Tunnels
      • SQL Injection
          ◦ Exploits Database Layer Security Vulnerability
          ◦ Unexpected Execution of User Inputs
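The "Identify Inappropriate or Conflicting Rules" item under Firewall Rule Testing is the one check on this slide that can be done offline against a rule export. The script below is an added example, not part of the deck: it applies first-match semantics to a constructed rule set (the `Rule` shape and the sample addresses are assumptions, not any vendor's format) and reports later rules that an earlier rule fully covers, flagging them as redundant (same action) or conflicting (opposite action).

```python
# Added example: find shadowed firewall rules. Rule format and sample set are constructed.
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    ports: Tuple[int, int]  # inclusive destination port range

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])

def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """First-match semantics: a later rule fully covered by an earlier one never fires.
    Returns (earlier, later, kind); kind is 'redundant' for the same action and
    'conflict' when the earlier rule silently inverts the later rule's intent."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "conflict"
                findings.append((earlier.name, later.name, kind))
                break  # the first covering rule decides the packet's fate
    return findings

def rule(name, action, proto, src, dst, lo, hi) -> Rule:
    return Rule(name, action, proto, ip_network(src), ip_network(dst), (lo, hi))

# Constructed sample rule set, evaluated top to bottom.
SAMPLE_RULES = [
    rule("r1", "allow", "tcp", "10.0.0.0/8",  "192.168.1.10/32", 1, 65535),
    rule("r2", "deny",  "tcp", "10.0.5.0/24", "192.168.1.10/32", 22, 22),    # never reached
    rule("r3", "allow", "udp", "10.0.0.0/16", "192.168.2.0/24",  53, 53),
    rule("r4", "allow", "udp", "10.0.1.0/24", "192.168.2.53/32", 53, 53),    # redundant
    rule("r5", "deny",  "any", "0.0.0.0/0",   "0.0.0.0/0",       1, 65535),  # default deny
]

if __name__ == "__main__":
    for earlier, later, kind in find_shadowed(SAMPLE_RULES):
        print(f"{later} is {kind}: shadowed by {earlier}")
```

A rule that is never reached is the finding a reviewer cares about most: r2 was meant to block SSH from one subnet, but r1 already allowed it, so the deny is dead text.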
  • 9. Security Testing Techniques (continued…)
      • Cross Site Scripting
          ◦ Injecting Malicious Client Side Script into Web Pages
          ◦ Persistent, Non-Persistent and DOM based Vulnerabilities
      • Parameter Manipulation
          ◦ Cookie Manipulation
          ◦ Form Field Manipulation
          ◦ URL Manipulation
          ◦ HTTP Header Manipulation
      • Denial of Service Testing
          ◦ Flooding a target machine with enough traffic to make it incapable
      • Command Injection
          ◦ Inject and execute commands specified by the attacker
          ◦ Execute System level commands through a Vulnerable Application
  • 10. Security Testing Techniques (continued…)
      • Network Scanning
          ◦ Identifying Active Hosts on a network
          ◦ Collecting IP addresses that can be accessed over the Internet
          ◦ Collecting OS Details, System Architecture and Running Services
          ◦ Collecting Network User and Group names
          ◦ Collecting Routing Tables and SNMP data
      • Password Cracking
          ◦ Collecting Passwords from the Stored or Transmitted Data
          ◦ Using Brute Force and Dictionary Attacks
          ◦ Identifying Weak Passwords
      • Ethical Hacking
          ◦ Penetration Testing, Intrusion Testing and Red Teaming
      • File Integrity Testing
          ◦ Verifying File Integrity against corruption using Checksum
  • 11. Security Testing Techniques (continued…)
      • War Dialing
          ◦ Using a Modem to dial a list of Telephone Numbers
          ◦ Searching for Computers, Bulletin Board Systems and Fax Machines
      • Wireless LAN Testing
          ◦ Searching for existing WLANs and logging Wireless Access Points
      • Buffer Overflow Testing
          ◦ Overwriting of Memory fragments of the Process, Buffers of Char type
      • Format String Testing
          ◦ Supplying Format type specifiers in the Application input
      • Random Data Testing
          ◦ Random Data Inputs by a Program
          ◦ Encoded Random Data included as Parameters
          ◦ Crashing built-in code Assertions
  • 12. Security Testing Techniques (continued…)
      • Random Mutation Testing
          ◦ Bit Flipping of known Legitimate Data
          ◦ Byte stream Sliding within known Legitimate Data
      • Session Hijacking
          ◦ Exploitation of a Valid Computer Session
          ◦ Exploitation of the Web Session control mechanism
          ◦ Gain unauthorized access to the Web Server
      • Phishing
          ◦ Masquerading as a trustworthy entity in an electronic communication
          ◦ Acquiring usernames, passwords and credit card details
      • URL Manipulation
          ◦ Make a web server Deliver inaccessible web pages
          ◦ URL Rewriting
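Slides 11 and 12 name the two mutation strategies (bit flipping and byte-stream sliding of known legitimate data) and the usual symptom to look for (crashing built-in assertions) without showing how they fit together. The harness below is an added example, not code from the deck: it derives every single-bit flip and every byte rotation of one constructed, valid record (the 2-byte length-prefixed format and both parsers are assumptions made for the example), feeds them to a parser that trusts the declared length and to a hardened parser that validates it, and counts which inputs crash each.

```python
# Added example: mutation testing of a constructed length-prefixed record format.
import struct
from typing import Optional

# Constructed format: 2-byte big-endian length, then exactly that many payload bytes.
def parse_naive(data: bytes) -> bytes:
    """Trusts the declared length; a flipped length bit trips the assertion."""
    (length,) = struct.unpack(">H", data[:2])
    payload = data[2:2 + length]
    assert len(payload) == length, "declared length exceeds buffer"
    return payload

def parse_hardened(data: bytes) -> Optional[bytes]:
    """Validates every field before use and rejects bad input instead of raising."""
    if len(data) < 2:
        return None
    (length,) = struct.unpack(">H", data[:2])
    if length != len(data) - 2:
        return None
    return data[2:]

def bit_flip_mutations(seed: bytes):
    """Yield every single-bit flip of the seed (slide 12, 'Bit Flipping')."""
    for i in range(len(seed)):
        for bit in range(8):
            mutated = bytearray(seed)
            mutated[i] ^= 1 << bit
            yield bytes(mutated)

def byte_slide_mutations(seed: bytes):
    """Yield the seed rotated by every offset (slide 12, 'Byte stream Sliding')."""
    for shift in range(1, len(seed)):
        yield seed[shift:] + seed[:shift]

def run_campaign(parser, seed: bytes) -> int:
    """Feed every mutation to the parser and count the inputs that crash it."""
    crashes = 0
    for case in list(bit_flip_mutations(seed)) + list(byte_slide_mutations(seed)):
        try:
            parser(case)
        except (AssertionError, struct.error):
            crashes += 1
    return crashes

SEED = struct.pack(">H", 4) + b"ABCD"  # constructed legitimate record

if __name__ == "__main__":
    print("naive parser crashes:", run_campaign(parse_naive, SEED))      # 20
    print("hardened parser crashes:", run_campaign(parse_hardened, SEED))  # 0
```

Of the 53 mutants, only the 20 that touch the length field (any flip in the high byte, every length-increasing flip in the low byte, and every rotation) crash the naive parser, which is exactly the field a reviewer should expect to be the weak point.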
  • 13. Security Testing Techniques (continued…)
      • IP Spoofing
          ◦ Creating Internet Protocol (IP) packets with a forged source IP address
      • Packet Sniffing
          ◦ Capture and Analyze all of the Network traffic
      • Virtual Private Network Testing
          ◦ Penetration Testing
      • Social Engineering
          ◦ Psychological Manipulation of People
          ◦ Divulging confidential information
  • 14. Conclusion
      • Analyze potential Threats and their Impact
      • Complete Security Testing may not be Feasible
      • Collect Information to Secure the Business Environment
      • Should be done as early as possible in the Development Cycle
      • Should be able to identify the Security Requirements
      • Have a Specific understanding of the Various Processes
      • Should provide Recommendations to overcome Weaknesses
  • 15. Thank You
  • 16. Contact Details
      • Email:
          ◦ vinay.srinivasan@techmahindra.com
          ◦ srinivasan_vinay@yahoo.com
      • Phone:
          ◦ +91-20-42250000 Extn: 253925 / 253926
          ◦ +91-20-66550000 Extn: 253925 / 253926
          ◦ +91-9823104620
      • Fax:
          ◦ +91-20-42252501
          ◦ +91-20-66552501