Software Security Testing

937 views

Published on

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
937
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Software Security Testing

  1. 1. Software Security TestingVinay Srinivasansrinivasan_vinay@yahoo.comvinay.srinivasan@techmahindra.comcell: +91 9823104620
  2. 2. By Vinay Srinivasan (Tech Lead) Working AtTesting Center of Excellence Laboratory, TechMahindra, Pune
  3. 3. Secure Software Confidentiality  Disclosure of information to only intended parties Integrity  Determine whether the information is correct or not Data Security  Privacy  Data Protection  Controlled Access Authentication  Access to Authorized People  Availability  Ready for Use when expected  Non Repudiation  Information Exchange with proof
  4. 4. Software Security Security of Operating System Security of Client Software Security of Application Software Security of System Software Security of Database Software Security of Software Data Security of Client Data Security of System Data Security of Server Software Security of Network Software
  5. 5. Why Security Testing For Finding Loopholes For Zeroing IN on Vulnerabilities For identifying Design Insecurities For identifying Implementation Insecurities For identifying Dependency Insecurities and Failures For Information Security For Process Security For Internet Technology Security For Communication Security For Improving the System For confirming Security Policies For Organization wide Software Security For Physical Security
  6. 6. Approach to Software Security Testing Study of Security Architecture Analysis of Security Requirements Classifying Security Testing Developing Objectives Threat Modeling Test Planning Execution Reports
  7. 7. Security Testing Techniques OS Hardening  Configure and Apply Patches  Updating the Operating System  Disable or Restrict unwanted Services and Ports  Lock Down the Ports  Manage the Log Files  Install Root Certificate  Protect from Internet Misuse and be Cyber Safe  Protect from Malware Vulnerability Scanning  Identify Known Vulnerabilities  Scan Intrusively for Unknown Vulnerabilities
  8. 8. Security Testing Techniques (continued…) Penetration Testing  Simulating Attack from a Malicious Source  Includes Network Scanning and Vulnerability Scanning  Simulates Attack from someone Unfamiliar with the System  Simulates Attack by having access to Source Code, Network, Passwords Port Scanning and Service Mapping  Identification and locating of Open Ports  Identification of Running Services Firewall Rule Testing  Identify Inappropriate or Conflicting Rules  Appropriate Placement of Vulnerable Systems behind Firewall  Discovering Administrative Backdoors or Tunnels SQL Injection  Exploits Database Layer Security Vulnerability  Unexpected Execution of User Inputs
  9. 9. Security Testing Techniques (continued…) Cross Side Scripting  Injecting Malicious Client Side Script into Web Pages  Persistent, Non-Persistent and DOM based Vulnerabilities Parameter Manipulation  Cookie Manipulation  Form Field Manipulation  URL Manipulation  HTTP Header Manipulation Denial of Service Testing  Flooding a target machine with enough traffic to make it incapable Command Injection  Inject and execute commands specified by the attacker  Execute System level commands through a Vulnerable Application
  10. 10. Security Testing Techniques (continued…) Network Scanning  Identifying Active Hosts on a network  Collecting IP addresses that can be accessed over the Internet  Collecting OS Details, System Architecture and Running Services  Collecting Network User and Group names  Collecting Routing Tables and SNMP data Password Cracking  Collecting Passwords from the Stored or Transmitted Data  Using Brute Force and Dictionary Attacks  Identifying Weak Passwords Ethical Hacking  Penetration Testing, Intrusion Testing and Red Teaming File Integrity Testing  Verifying File Integrity against corruption using Checksum
  11. 11. Security Testing Techniques (continued…) War Dialing  Using a Modem to dial a list of Telephone Numbers  Searching for Computers, Bulletin Board System and Fax Machines Wireless LAN Testing  Searching for existing WLAN and logging Wireless Access Points Buffer Overflow Testing  Overwriting of Memory fragments of the Process, Buffers of Char type Format String Testing  Supplying Format type specifiers in the Application input Random Data Testing  Random Data Inputs by a Program  Encoded Random Data included as Parameters  Crashing built-in code Assertions
  12. 12. Security Testing Techniques (continued…) Random Mutation Testing  Bit Flipping of known Legitimate Data  Byte stream Sliding within known Legitimate Data Session Hijacking  Exploitation of Valid Computer Session  Exploitation of the Web Session control mechanism  Gain unauthorized access to the Web Server Phishing  Masquerading as a trustworthy entity in an electronic communication  Acquiring usernames, passwords and credit card details URL Manipulation  Make a web server Deliver inaccessible web pages  URL Rewriting
  13. 13. Security Testing Techniques (continued…) IP Spoofing  Creating Internet Protocol (IP) packets with a forged source IP address Packet Sniffing  Capture and Analyze all of the Network traffic Virtual Private Network Testing  Penetration Testing Social Engineering  Psychological Manipulation of People  Divulging confidential information
  14. 14. Conclusion Analyze potential Threat and its Impact Complete Security Testing may not be Feasible Collect Information to Secure Business Environment Should be done as early as possible in the Dev.. Cycle Should be able to identify the Security Requirements Have Specific understanding of the Various Processes Should provide Recommendations to overcome Weakness
  15. 15. Thank You
  16. 16. Contact Details  Email :  vinay.srinivasan@techmahindra.com  srinivasan_vinay@yahoo.com  Phone :  +91-20-42250000 Extn : 25392 5 / 253926  +91-20-66550000 Extn : 25392 5 / 253926  +91-9823104620  Fax :  +91-20-42252501  +91-20-66552501

×