SlideShare a Scribd company logo

Security Testing.pptx

Download as PPTX, PDF
O
osandadeshan

SECURITY TESTING is a type of Software Testing that uncovers vulnerabilities, threats, risks in a software application and prevents malicious attacks from intruders. The purpose of Security Tests is to identify all possible loopholes and weaknesses of the software system which might result in a loss of information, revenue, and repute at the hands of the employees or outsiders of the Organization.

Software
1 of 22
SECURITY TESTING OSANDA NIMALARATHNA
WHAT IS SECURITY TESTING? • SECURITY TESTING is a type of Software Testing that uncovers vulnerabilities, threats, risks in a software application and prevents malicious attacks from intruders. The purpose of Security Tests is to identify all possible loopholes and weaknesses of the software system which might result in a loss of information, revenue, repute at the hands of the employees or outsiders of the Organization.
WHY SECURITY TESTING IS IMPORTAN T? • The main goal of Security Testing is to identify the threats in the system and measure its potential vulnerabilities, so the threats can be encountered, and the system does not stop functioning or can not be exploited. It also helps in detecting all possible security risks in the system and helps developers to fix the problems through coding.
TYPES OF SECURITY TESTING • There are seven main types of security testing as per Open Source Security Testing methodology manual.
TYPES OF SECURITY TESTING Vulnerability Scanning This is done through automated software to scan a system against known vulnerability signatures. Security Scanning It involves identifying network and system weaknesses, and later provides solutions for reducing these risks. This scanning can be performed for both Manual and Automated scanning.
TYPES OF SECURITY TESTING 3. Penetration testing This kind of testing simulates an attack from a malicious hacker. This testing involves analysis of a particular system to check for potential vulnerabilities to an external hacking attempt. 4. Risk Assessment This testing involves analysis of security risks observed in the organization. Risks are classified as Low, Medium and High. This testing recommends controls and measures to reduce the risk. 5. Security Auditing This is an internal inspection of Applications and Operating systems for security flaws. An audit can also be done via line by line inspection of code.
TYPES OF SECURITY TESTING 6. Ethical hacking It's hacking an Organization Software systems. Unlike malicious hackers, who steal for their own gains, the intent is to expose security flaws in the system. 7. Posture Assessment This combines Security scanning, Ethical Hacking and Risk Assessments to show an overall security posture of an organization.
HOW TO DO SECURITY TESTING? • It is always agreed, that cost will be more if we postpone security testing after software implementation phase or after deployment. So, it is necessary to involve security testing in the SDLC life cycle in the earlier phases. • Let's investigate the corresponding Security processes to be adopted for every phase in SDLC
SOFTWARE DEVELOPMEN T LIFE CYCLE SDLC Phases Security Processes Requirements Security analysis for requirements and check abuse/misuse cases Design Security risks analysis for designing. Development of Test Plan including security tests Coding and Unit Testing Static and Dynamic Testing and Security White Box Testing Integration Testing Black Box Testing System Testing Black Box Testing and Vulnerability scanning Implementation Penetration Testing, Vulnerability Scanning Support Impact analysis of Patches
TEST PLAN • The test plan should include, • Security-related test cases or scenarios • Test Data related to security testing • Test Tools required for security testing • Analysis of various tests outputs from different security tools
METHODOLOGIE S/ APPROACH / TECHNIQUES FOR SECURITY TESTING • Tiger Box: This hacking is usually done on a laptop which has a collection of OSs and hacking tools. This testing helps penetration testers and security testers to conduct vulnerabilities assessment and attacks. • Black Box: Tester is authorized to do testing on everything about the network topology and the technology. • Grey Box: Partial information is given to the tester about the system, and it is a hybrid of white and black box models.
EXAMPLE TEST SCENARIO S FOR SECURITY TESTING • A password should be in encrypted format • Application or System should not allow invalid users • Check cookies and session time for application • For financial sites, the Browser back button should not work.
SECURITY TESTING ROLES • Hackers - Access computer system or network without authorization • Crackers - Break into the systems to steal or destroy data • Ethical Hacker - Performs most of the breaking activities but with permission from the owner • Script Kiddies or packet monkeys - Inexperienced Hackers with programming language skill
SECURITY TESTING TOOLS 1) Owasp • The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving the security of software. The project has multiple tools to pen test various software environments and protocols. Flagship tools of the project include • Zed Attack Proxy (ZAP – an integrated penetration testing tool) • OWASP Dependency Check (it scans for project dependencies and checks against know vulnerabilities) • OWASP Web Testing Environment Project (collection of security tools and documentation)
SECURITY TESTING TOOLS 2) WireShark • Wireshark is a network analysis tool previously known as Ethereal. It captures packet in real time and display them in human readable format. Basically, it is a network packet analyzer- which provides the minute details about your network protocols, decryption, packet information, etc. It is an open source and can be used on Linux, Windows, OS X, Solaris, NetBSD, FreeBSD and many other systems. The information that is retrieved via this tool can be viewed through a GUI or the TTY mode TShark Utility.
SECURITY TESTING TOOLS 2) W3af • w3af is a web application attack and audit framework. It has three types of plugins; discovery, audit and attack that communicate with each other for any vulnerabilities in site, for example a discovery plugin in w3af looks for different url's to test for vulnerabilities and forward it to the audit plugin which then uses these URL's to search for vulnerabilities.
MYTHS AND FACTS OF SECURITY TESTING Myth #1: We don't need a security policy as we have a small business. Fact: Everyone and every company need a security policy.
MYTHS AND FACTS OF SECURITY TESTING Myth #2: There is no return on investment in security testing. Fact: Security Testing can point out areas for improvement that can improve efficiency and reduce downtime, enabling maximum throughput.
MYTHS AND FACTS OF SECURITY TESTING Myth #3: Only way to secure is to unplug it. Fact: The only and the best way to secure an organization is to find "Perfect Security". Perfect security can be achieved by performing a posture assessment and compare with business, legal and industry justifications.
MYTHS AND FACTS OF SECURITY TESTING Myth #4: The Internet isn't safe. I will purchase software or hardware to safeguard the system and save the business. Fact: One of the biggest problems is to purchase software and hardware for security. Instead, the organization should understand security first and then apply it.
CONCLUSIO N • Security testing is the most important testing for an application and checks whether confidential data stays confidential. In this type of testing, tester plays a role of the attacker and play around the system to find security- related bugs. Security Testing is very important in Software Engineering to protect data.
THANK YOU

Recommended

Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 

Recommended

Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Owasp zap
Owasp zapOwasp zap
Owasp zapColdFusionConference
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecurityDinis Cruz
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.Expeed Software
 
Software security testing
Software security testingSoftware security testing
Software security testingnehabsairam
 

More Related Content

What's hot

SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review ProcessSherif Koussa
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLCTjylen Veselyj
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Security Testing
Security TestingSecurity Testing
Security TestingKiran Kumar
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecurityDinis Cruz
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 

What's hot (20)

SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?SAST vs. DAST: What’s the Best Method For Application Security Testing?
SAST vs. DAST: What’s the Best Method For Application Security Testing?
 
Simplified Security Code Review Process
Simplified Security Code Review ProcessSimplified Security Code Review Process
Simplified Security Code Review Process
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of Security
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 

Similar to Security Testing.pptx

The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.Expeed Software
 
Software security testing
Software security testingSoftware security testing
Software security testingnehabsairam
 
Best Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxBest Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxAfour tech
 
A Brief Introduction to Penetration Testing
A Brief Introduction to Penetration TestingA Brief Introduction to Penetration Testing
A Brief Introduction to Penetration TestingEC-Council
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Mykhailo Antonishyn
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSoftServe
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
 
Cybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminarCybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminarRogue Wave Software
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration Testing(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration TestingBluechip Gulf IT Services
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentationAlan Holyoke
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerShivamSharma909
 
Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51martinvoelk
 

Similar to Security Testing.pptx (20)

The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.
 
Software security testing
Software security testingSoftware security testing
Software security testing
 
Best Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxBest Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docx
 
A Brief Introduction to Penetration Testing
A Brief Introduction to Penetration TestingA Brief Introduction to Penetration Testing
A Brief Introduction to Penetration Testing
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Backtrack manual Part1
Backtrack manual Part1Backtrack manual Part1
Backtrack manual Part1
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 
Cybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminarCybersecurity overview - Open source compliance seminar
Cybersecurity overview - Open source compliance seminar
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration Testing(VAPT) Vulnerability Assessment And Penetration Testing
(VAPT) Vulnerability Assessment And Penetration Testing
 
Phi 235 social media security users guide presentation
Phi 235 social media security users guide presentationPhi 235 social media security users guide presentation
Phi 235 social media security users guide presentation
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51Why Penetration Tests Are Important Cyber51
Why Penetration Tests Are Important Cyber51
 

Recently uploaded

Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfLivetecs LLC
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 

Recently uploaded (20)

Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdfHow to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 

Security Testing.pptx

  • 2. WHAT IS SECURITY TESTING? • SECURITY TESTING is a type of Software Testing that uncovers vulnerabilities, threats, risks in a software application and prevents malicious attacks from intruders. The purpose of Security Tests is to identify all possible loopholes and weaknesses of the software system which might result in a loss of information, revenue, repute at the hands of the employees or outsiders of the Organization.
  • 3. WHY SECURITY TESTING IS IMPORTAN T? • The main goal of Security Testing is to identify the threats in the system and measure its potential vulnerabilities, so the threats can be encountered, and the system does not stop functioning or can not be exploited. It also helps in detecting all possible security risks in the system and helps developers to fix the problems through coding.
  • 4. TYPES OF SECURITY TESTING • There are seven main types of security testing as per Open Source Security Testing methodology manual.
  • 5. TYPES OF SECURITY TESTING Vulnerability Scanning This is done through automated software to scan a system against known vulnerability signatures. Security Scanning It involves identifying network and system weaknesses, and later provides solutions for reducing these risks. This scanning can be performed for both Manual and Automated scanning.
  • 6. TYPES OF SECURITY TESTING 3. Penetration testing This kind of testing simulates an attack from a malicious hacker. This testing involves analysis of a particular system to check for potential vulnerabilities to an external hacking attempt. 4. Risk Assessment This testing involves analysis of security risks observed in the organization. Risks are classified as Low, Medium and High. This testing recommends controls and measures to reduce the risk. 5. Security Auditing This is an internal inspection of Applications and Operating systems for security flaws. An audit can also be done via line by line inspection of code.
  • 7. TYPES OF SECURITY TESTING 6. Ethical hacking It's hacking an Organization Software systems. Unlike malicious hackers, who steal for their own gains, the intent is to expose security flaws in the system. 7. Posture Assessment This combines Security scanning, Ethical Hacking and Risk Assessments to show an overall security posture of an organization.
  • 8. HOW TO DO SECURITY TESTING? • It is always agreed, that cost will be more if we postpone security testing after software implementation phase or after deployment. So, it is necessary to involve security testing in the SDLC life cycle in the earlier phases. • Let's investigate the corresponding Security processes to be adopted for every phase in SDLC
  • 9. SOFTWARE DEVELOPMEN T LIFE CYCLE SDLC Phases Security Processes Requirements Security analysis for requirements and check abuse/misuse cases Design Security risks analysis for designing. Development of Test Plan including security tests Coding and Unit Testing Static and Dynamic Testing and Security White Box Testing Integration Testing Black Box Testing System Testing Black Box Testing and Vulnerability scanning Implementation Penetration Testing, Vulnerability Scanning Support Impact analysis of Patches
  • 10. TEST PLAN • The test plan should include, • Security-related test cases or scenarios • Test Data related to security testing • Test Tools required for security testing • Analysis of various tests outputs from different security tools
  • 11. METHODOLOGIE S/ APPROACH / TECHNIQUES FOR SECURITY TESTING • Tiger Box: This hacking is usually done on a laptop which has a collection of OSs and hacking tools. This testing helps penetration testers and security testers to conduct vulnerabilities assessment and attacks. • Black Box: Tester is authorized to do testing on everything about the network topology and the technology. • Grey Box: Partial information is given to the tester about the system, and it is a hybrid of white and black box models.
  • 12. EXAMPLE TEST SCENARIO S FOR SECURITY TESTING • A password should be in encrypted format • Application or System should not allow invalid users • Check cookies and session time for application • For financial sites, the Browser back button should not work.
  • 13. SECURITY TESTING ROLES • Hackers - Access computer system or network without authorization • Crackers - Break into the systems to steal or destroy data • Ethical Hacker - Performs most of the breaking activities but with permission from the owner • Script Kiddies or packet monkeys - Inexperienced Hackers with programming language skill
  • 14. SECURITY TESTING TOOLS 1) Owasp • The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving the security of software. The project has multiple tools to pen test various software environments and protocols. Flagship tools of the project include • Zed Attack Proxy (ZAP – an integrated penetration testing tool) • OWASP Dependency Check (it scans for project dependencies and checks against know vulnerabilities) • OWASP Web Testing Environment Project (collection of security tools and documentation)
  • 15. SECURITY TESTING TOOLS 2) WireShark • Wireshark is a network analysis tool previously known as Ethereal. It captures packet in real time and display them in human readable format. Basically, it is a network packet analyzer- which provides the minute details about your network protocols, decryption, packet information, etc. It is an open source and can be used on Linux, Windows, OS X, Solaris, NetBSD, FreeBSD and many other systems. The information that is retrieved via this tool can be viewed through a GUI or the TTY mode TShark Utility.
  • 16. SECURITY TESTING TOOLS 2) W3af • w3af is a web application attack and audit framework. It has three types of plugins; discovery, audit and attack that communicate with each other for any vulnerabilities in site, for example a discovery plugin in w3af looks for different url's to test for vulnerabilities and forward it to the audit plugin which then uses these URL's to search for vulnerabilities.
  • 17. MYTHS AND FACTS OF SECURITY TESTING Myth #1: We don't need a security policy as we have a small business. Fact: Everyone and every company need a security policy.
  • 18. MYTHS AND FACTS OF SECURITY TESTING Myth #2: There is no return on investment in security testing. Fact: Security Testing can point out areas for improvement that can improve efficiency and reduce downtime, enabling maximum throughput.
  • 19. MYTHS AND FACTS OF SECURITY TESTING Myth #3: Only way to secure is to unplug it. Fact: The only and the best way to secure an organization is to find "Perfect Security". Perfect security can be achieved by performing a posture assessment and compare with business, legal and industry justifications.
  • 20. MYTHS AND FACTS OF SECURITY TESTING Myth #4: The Internet isn't safe. I will purchase software or hardware to safeguard the system and save the business. Fact: One of the biggest problems is to purchase software and hardware for security. Instead, the organization should understand security first and then apply it.
  • 21. CONCLUSIO N • Security testing is the most important testing for an application and checks whether confidential data stays confidential. In this type of testing, tester plays a role of the attacker and play around the system to find security- related bugs. Security Testing is very important in Software Engineering to protect data.