SlideShare a Scribd company logo
Introduction to
Security Testing
Prepared By
Rajakrishnan Sadasivan, MCA MBA PMP CSM ITIL ISTQB(Advanced)
What is Security Testing
• Security testing is a process intended to reveal flaws in the security
mechanisms of an information system that protect data and maintain
functionality as intended. (Wikipedia).
• Security Testing is the process of identifying the vulnerabilities and
use that vulnerability to penetrate to the application to identify the
impact of it.
Elements of Security Testing
Confidentiality disclosure of information to parties other than the
intended recipient
Integrity protecting information from being modified by
unauthorized parties
Authentication It involves confirming the identity of a person
Availability Information must be kept available to authorized
persons when they need it.
Authorisation The process of determining that a requester is allowed
to receive a service or perform an operation
Ex: Access Control/Roles
Non-reputation Non-repudiation is a way to guarantee that the
sender of a message cannot later deny having sent the
message and that the recipient cannot deny having
received the message.
Security Testing Process
Analysis &
Planning
Vulnerability
Scanning
Vulnerability
Assessment
Penetration
(Attack)
Test Report
*Source: Created by Raj
Security Testing Process
Process Description
Analysis and Planning It is the phase where the security tester/Organisation
gather information about the items under test such as
application, Infrastructure, company security policy
etc.
A security test plan will be derived based on the
analysis
Vulnerability Scanning Vulnerability scanning will be done to identify the
vulnerable points both application level and network
level
Vulnerability Assessment Vulnerability Assessment will be performed based on
the vulnerability scanning result to summaries the
possible vulnerable areas
Penetration (Attack) Security tester tries to penetrate through the
vulnerable points to identify the impact of it
Test Report Penetration test report will be generated
Types of Security Testing
• Static Application Security Testing(SAST)
• SAST includes application security testing to identify the vulnerabilities of the application and test the impact of such vulnerabilities by trying to penetrate through those
vulnerabilities in code level
• It is usually done by developers
• It is done with Open source Or commercial tools
• Dynamic Application Security Testing (DAST)
• DAST includes application security testing to identify the vulnerabilities of the application and test the impact of such vulnerabilities by trying to penetrate through those
vulnerabilities
• It is usually done from inside the network
• It is done with Open source Or commercial tools
• Penetration Testing(PEN)
• Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and
applications
• It is more comprehensive than DAST
• It is done both from inside and outside the network
• It is mostly done with powerful commercial tools
• Vulnerability Assessment vs PEN Testing
• A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether
unauthorized access or other malicious activity is possible.
Best Practices
• Security testing will be conducted in an isolated environment which is
similar to production environment setup
• Testing to be conducted from both internal and external networks
• Database backups to be taken before PEN TEST starts
OWASP
• Open Web Application Security Project(OWASP)
• The Open Web Application Security Project (OWASP) is
a 501(c)(3) worldwide not-for-profit charitable organization focused
on improving the security of software
• It is an online community, produces freely-available articles,
methodologies, documentation, tools, and technologies in the field
of web application security
• OWASP Top Ten regularly published every year which list the top 10
vulnerabilities for the web application
OWASP TOP 10- 2018
Top 10 Description
Injection Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted
data is sent to an interpreter as part of a command or query. The attacker’s hostile
data can trick the interpreter into executing unintended commands or accessing
data without proper authorization.
Broken Authentication Application functions related to authentication and session management are often
implemented incorrectly, allowing attackers to compromise passwords, keys, or
session tokens, or to exploit other implementation flaws to assume other users’
identities temporarily or permanently.
Sensitive Data Exposure Many web applications and APIs do not properly protect sensitive data, such as
financial, healthcare, and PII. Attackers may steal or modify such weakly protected
data to conduct credit card fraud, identity theft, or other crimes.
Insufficient Logging & Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration
with incident response, allows attackers to further attack systems, maintain
persistence, pivot to more systems, and tamper, extract, or destroy data.
Broken Access Control Restrictions on what authenticated users are allowed to do are often not properly
enforced. Attackers can exploit these flaws to access unauthorized functionality
and/or data, such as access other users' accounts, view sensitive files, modify other
users’ data, change access rights, etc.
OWASP TOP 10- 2018
Top 10 Description
Security Misconfiguration Security misconfiguration is the most commonly seen issue. This is commonly a
result of insecure default configurations, incomplete or ad hoc configurations,
open cloud storage, misconfigured HTTP headers, and verbose error messages
containing sensitive information. Not only must all operating systems, frameworks,
libraries, and applications be securely configured, but they must be patched and
upgraded in a timely fashion.
Cross-Site Scripting (XSS) XSS flaws occur whenever an application includes untrusted data in a new web
page without proper validation or escaping, or updates an existing web page with
user-supplied data using a browser API that can create HTML or JavaScript. XSS
allows attackers to execute scripts in the victim’s browser which can hijack user
sessions, deface web sites, or redirect the user to malicious sites.
Insecure Deserialization Insecure deserialization often leads to remote code execution
Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, run with
the same privileges as the application. Applications and APIs using components
with known vulnerabilities may undermine application defenses and enable
various attacks and impacts.
Insufficient Logging & Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration
with incident response, allows attackers to further attack systems, maintain
persistence, pivot to more systems, and tamper, extract, or destroy data.
Security Testing Tools
• Open source Tools
• DAST
• OWASP ZAP
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• SAST
• SonarQube
• https://www.owasp.org/index.php/OWASP_SonarQube_Project
• Reference
• https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
References
• www.Wikipedia.org
• https://www.veracode.com
• https://www.owasp.org/index.php/Main_Page
• https://www.owasp.org/index.php/Category:Vulnerability_Scanning_
Tools
• https://www.owasp.org/images/7/72/OWASP_Top_10-
2017_%28en%29.pdf.pdf

More Related Content

What's hot

Security Testing
Security TestingSecurity Testing
Security Testing
Qualitest
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
Richard Sullivan
 
Security testing
Security testingSecurity testing
Security testing
Tabăra de Testare
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
Abdul Rahman Sherzad
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Jannis Kirschner
 
Owasp
Owasp Owasp
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
YasserElsnbary
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
shiriskumar
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
TechWell
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
Confiz
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Study
we45
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
Ashwini Paranjpe
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
Alwin Thayyil
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
HackerOne
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
ibrahimumer2
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
Mark Jayson Fuentes
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
RomSoft SRL
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
Avyaan, Web Security Company in India
 

What's hot (20)

Security Testing
Security TestingSecurity Testing
Security Testing
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
 
Security testing
Security testingSecurity testing
Security testing
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
Security testing
Security testingSecurity testing
Security testing
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Owasp
Owasp Owasp
Owasp
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Study
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 

Similar to Introduction to security testing raj

Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
drewz lin
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
AmeliaJonas2
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
ShivamSharma909
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
Muhammad Shehata
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approach
Idexcel Technologies
 
Best Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfBest Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdf
Digital Auxilio Technologies
 
Introduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docxIntroduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docx
vrickens
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain
 
C01461422
C01461422C01461422
C01461422
IOSR Journals
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
Benjamin Floyd
 
information system security --internet cyber security
information system security --internet cyber securityinformation system security --internet cyber security
information system security --internet cyber security
VivekSinghShekhawat2
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
Vishal Kumar
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10  -2007Application Security Vulnerabilities: OWASP Top 10  -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
Michael Hidalgo
 
Best Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxBest Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docx
Afour tech
 

Similar to Introduction to security testing raj (20)

Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Top 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answerTop 20 certified ethical hacker interview questions and answer
Top 20 certified ethical hacker interview questions and answer
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 
OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approach
 
Best Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfBest Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdf
 
Introduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docxIntroduction All research reports begin with an introduction. (.docx
Introduction All research reports begin with an introduction. (.docx
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
C01461422
C01461422C01461422
C01461422
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
 
information system security --internet cyber security
information system security --internet cyber securityinformation system security --internet cyber security
information system security --internet cyber security
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10  -2007Application Security Vulnerabilities: OWASP Top 10  -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 
Best Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docxBest Practices, Types, and Tools for Security Testing in 2023.docx
Best Practices, Types, and Tools for Security Testing in 2023.docx
 

Recently uploaded

Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
XfilesPro
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
ICS
 
Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
sjcobrien
 
ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.
Maitrey Patel
 
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
safelyiotech
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
Project Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdfProject Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdf
Karya Keeper
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
Yara Milbes
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
Remote DBA Services
 
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLES
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLESINTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLES
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLES
anfaltahir1010
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
Modelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - AmsterdamModelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - Amsterdam
Alberto Brandolini
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Julian Hyde
 
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Paul Brebner
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
Tier1 app
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
Peter Muessig
 
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
kgyxske
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
ShulagnaSarkar2
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
dakas1
 

Recently uploaded (20)

Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
 
Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
 
ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.ACE - Team 24 Wrapup event at ahmedabad.
ACE - Team 24 Wrapup event at ahmedabad.
 
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
Project Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdfProject Management: The Role of Project Dashboards.pdf
Project Management: The Role of Project Dashboards.pdf
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
 
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLES
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLESINTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLES
INTRODUCTION TO AI CLASSICAL THEORY TARGETED EXAMPLES
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
Modelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - AmsterdamModelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - Amsterdam
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
 
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
 
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
 

Introduction to security testing raj

  • 1. Introduction to Security Testing Prepared By Rajakrishnan Sadasivan, MCA MBA PMP CSM ITIL ISTQB(Advanced)
  • 2. What is Security Testing • Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. (Wikipedia). • Security Testing is the process of identifying the vulnerabilities and use that vulnerability to penetrate to the application to identify the impact of it.
  • 3. Elements of Security Testing Confidentiality disclosure of information to parties other than the intended recipient Integrity protecting information from being modified by unauthorized parties Authentication It involves confirming the identity of a person Availability Information must be kept available to authorized persons when they need it. Authorisation The process of determining that a requester is allowed to receive a service or perform an operation Ex: Access Control/Roles Non-reputation Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
  • 4. Security Testing Process Analysis & Planning Vulnerability Scanning Vulnerability Assessment Penetration (Attack) Test Report *Source: Created by Raj
  • 5. Security Testing Process Process Description Analysis and Planning It is the phase where the security tester/Organisation gather information about the items under test such as application, Infrastructure, company security policy etc. A security test plan will be derived based on the analysis Vulnerability Scanning Vulnerability scanning will be done to identify the vulnerable points both application level and network level Vulnerability Assessment Vulnerability Assessment will be performed based on the vulnerability scanning result to summaries the possible vulnerable areas Penetration (Attack) Security tester tries to penetrate through the vulnerable points to identify the impact of it Test Report Penetration test report will be generated
  • 6. Types of Security Testing • Static Application Security Testing(SAST) • SAST includes application security testing to identify the vulnerabilities of the application and test the impact of such vulnerabilities by trying to penetrate through those vulnerabilities in code level • It is usually done by developers • It is done with Open source Or commercial tools • Dynamic Application Security Testing (DAST) • DAST includes application security testing to identify the vulnerabilities of the application and test the impact of such vulnerabilities by trying to penetrate through those vulnerabilities • It is usually done from inside the network • It is done with Open source Or commercial tools • Penetration Testing(PEN) • Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and applications • It is more comprehensive than DAST • It is done both from inside and outside the network • It is mostly done with powerful commercial tools • Vulnerability Assessment vs PEN Testing • A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible.
  • 7. Best Practices • Security testing will be conducted in an isolated environment which is similar to production environment setup • Testing to be conducted from both internal and external networks • Database backups to be taken before PEN TEST starts
  • 8. OWASP • Open Web Application Security Project(OWASP) • The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software • It is an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security • OWASP Top Ten regularly published every year which list the top 10 vulnerabilities for the web application
  • 9. OWASP TOP 10- 2018 Top 10 Description Injection Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Broken Authentication Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. Sensitive Data Exposure Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Insufficient Logging & Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Broken Access Control Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.
  • 10. OWASP TOP 10- 2018 Top 10 Description Security Misconfiguration Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion. Cross-Site Scripting (XSS) XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Insecure Deserialization Insecure deserialization often leads to remote code execution Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Insufficient Logging & Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
  • 11. Security Testing Tools • Open source Tools • DAST • OWASP ZAP • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project • SAST • SonarQube • https://www.owasp.org/index.php/OWASP_SonarQube_Project • Reference • https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools
  • 12. References • www.Wikipedia.org • https://www.veracode.com • https://www.owasp.org/index.php/Main_Page • https://www.owasp.org/index.php/Category:Vulnerability_Scanning_ Tools • https://www.owasp.org/images/7/72/OWASP_Top_10- 2017_%28en%29.pdf.pdf