The document discusses security testing and auditing. It defines security testing as a process to discover weaknesses in software applications. The objective is to find vulnerabilities to ensure the application's security. A security audit systematically evaluates an organization's information security by measuring how well it conforms to industry standards. This helps identify security risks and issues to develop mitigation strategies. Security audits and testing are important tools for maintaining an effective information security program.

2.  5.1 The Basis of Security Testing
 5.2 Security Risks
 5.3 Information Security Policies and
Procedures
 5.4 Security Auditing and Its Role in Security
Testing

3.  Security testing is the process of to discover the weaknesses,
risks, or threats in the software application.
 It also us to stop the nasty attack from the outsiders and
make sure the security of our software applications.
 objective of security testing is to find all the potential
ambiguities and vulnerabilities of the application so that the
software does not stop working.
 it helps us to identify all the possible security threats and also
help the programmer to fix those errors.

5.  Availability
 In this, the data must be retained by an official
person, and they also guarantee that the data
and statement services will be ready to use
whenever we need it.
 Integrity
 In this, we will secure those data which have
been changed by the unofficial person. The
primary objective of integrity is to permit the
receiver to control the data that is given by the
system.

6.  Authorization
 It is the process of defining that a client is permitted to
perform an action and also receive the services. The
example of authorization is Access control.
 Confidentiality
 It is a security process that protracts the leak of the
data from the outsider's because it is the only way
where we can make sure the security of our data.
 Authentication
 The authentication process comprises confirming the
individuality of a person, tracing the source of a
product that is necessary to allow access to the
private information or the system.

7.  Non- repudiation
 It is used as a reference to the digital security,
and it a way of assurance that the sender of a
message cannot disagree with having sent the
message and that the recipient cannot
repudiate having received the message.
 The non-repudiation is used to ensure that a
conveyed message has been sent and
received by the person who claims to have
sent and received the message.

10.  We have various security testing tools
available in the market, which are as
follows:
 SonarQube
 ZAP
 Netsparker
 Arachni
 IronWASP

11.  A security risk assessment identifies,
assesses, and implements key security
controls in applications.
 It focuses on preventing application security
defects and vulnerabilities.
 Carrying out a risk assessment allows an
organization to view the application portfolio
holistically—from an attacker’s perspective.
 It supports managers in making informed
resource allocation, tooling, and security
control implementation decisions.
 Thus, conducting an assessment is an
integral part of an organization’s risk

12.  Identification. Determine all critical assets of
the technology infrastructure. Next, diagnose
sensitive data that is created, stored, or
transmitted by these assets. Create a risk
profile for each.
 Assessment. Administer an approach to
assess the identified security risks for critical
assets. After careful evaluation and
assessment, determine how to effectively
and efficiently allocate time and resources
towards risk mitigation. The assessment
approach or methodology must analyze the
correlation between assets, threats,

13.  Mitigation. Define a mitigation approach
and enforce security controls for each risk.
 Prevention. Implement tools and
processes to minimize threats and
vulnerabilities from occurring in your firm’s
resources.

14.  Identify assets (e.g., network, servers,
applications, data centers, tools, etc.) within
the organization.
 Create risk profiles for each asset.
 Understand what data is stored, transmitted,
and generated by these assets.
 Assess asset criticality regarding business
operations. This includes the overall impact
to revenue, reputation, and the likelihood of a
firm’s exploitation.
 Measure the risk ranking for assets and
prioritize them for assessment.
 Apply mitigating controls for each asset

15.  An information security policy (ISP) is a
set of rules, policies and procedures
designed to ensure all end users and
networks within an organization meet
minimum IT security and data protection
security requirements.
 ISPs should address all data, programs,
systems, facilities, infrastructure,
authorized users, third parties and fourth
parties of an organization.

16.  Establish a general approach to information security
 Document security measures and user access
control policies
 Detect and minimize the impact of compromised
information assets such as misuse of data, networks,
mobile devices, computers and applications
 Protect the reputation of the organization
 Comply with legal and regulatory requirements like
NIST, GDPR, HIPAA and FERPA
 Protect their customer's data, such as credit card
numbers
 Provide effective mechanisms to respond to
complaints and queries related to real or perceived
cyber security risks such
as phishing, malware and ransomware
 Limit access to key information technology assets to

17.  Confidentiality: data and information are
protected from unauthorized access
 Integrity: Data is intact, complete and
accurate
 Availability: IT systems are available
when needed

18.  A security audit is a systematic evaluation
of the security of a company's information
system by measuring how well it conforms
to an established set of criteria.
 This assessment measures your
information system’s security against
an audit checklist of industry best
practices, externally established
standards, and/or federal regulations

19.  Physical components of your information system
and the environment in which the information
system is housed.
 Applications and software, including security
patches your systems administrators, have
already implemented.
 Network vulnerabilities, including public and
private access and firewall configurations.
 The human dimension, including how employees
collect, share, and store highly sensitive
information.
 The organization’s overall security strategy,
including security policies, organization charts,

20.  A security audit compares your
organization’s actual IT practices with the
standards relevant to your enterprise and
will identify areas for remediation and
growth.
 Specifically, auditors will review security
controls for adequacy, validate compliance
with security policies, identify breaches,
and ultimately make recommendations to
address their findings.

21.  The audit will result in a report with
observations, recommended changes,
and other details about your security
program.
 The audit report may describe specific
security vulnerabilities or reveal previously
undiscovered security breaches.
 These findings can then be used to inform
your cybersecurity risk management
approach.

22.  A security audit will provide a roadmap of
your organization’s main information
security weaknesses and identify where it
is meeting the criteria the organization has
set out to follow and where it isn’t.
 Security audits are crucial to
developing risk assessment plans and
mitigation strategies for organizations
dealing with sensitive and confidential
data.

23.  Successful security audits should give
your team a snapshot of your
organization’s security posture at that
point in time and provide enough detail to
give your team a place to start with
remediation or improvement activities.
 Some security-centric audits may also
serve as formal compliance audits,
completed by a third-party audit team for
the purpose of certifying against ISO

24.  Security audits also provide your
organization with a different view of IT
security practices and strategy, whether
they are conducted by an internal audit
function or through an external audit.
 Having your organization’s security
policies scrutinized can provide valuable
insights into how to implement better
controls or streamline existing processes.

25.  Security audits are an important tool and
method for operating an up-to-date and
effective information security program.
 cybersecurity amplifies an organization’s
capability to respond to security threats.

26.  https://www.synopsys.com/glossary/what-
is-security-risk-assessment.html
 https://www.auditboard.com/blog/what-is-
security-audit/