
Introduction to Security Testing

Presentation to introduce why security is important quoting few examples


  1. vodQA, Hyderabad. SECURITY: TOWARDS A SAFER WEB WORLD
  2. AGENDA
     • Why Security?
     • Security Testing
     • Key Security Concepts
     • Simple Security Checks
  3. SOME SECURITY BREACHES
  4. HEARD ABOUT THEM?? They have 13 million Customers!!
  5. KNOW THIS PERSON?? Mat Honan, Senior Staff writer at Wired
  6. AN EPIC HACK (diagram; only its labels survive): mathonan@me.com, @mat, "How about CC number?", Billing, m******n@me.co, Apple, "Wait!! I'll give you", "Got the CC Number :)", "Insert new Credit card", "Lost access!", "Add new e-mail", "Reset Password"
  7. SECURITY
  8. SECURITY TESTING
     • Process intended to reveal flaws in the security mechanisms of an information system
     • Finding out the potential loopholes & weaknesses of the system
     • To check whether there is an information leakage
     • Passing Security Testing is not an indication that no flaws exist
  9. BASIC PRINCIPLES
  10. AUTHENTICATION - WHO AM I?? Something you know!! Something you have!!
  11. AUTHORIZATION - WHAT CAN I DO?
  12. AVAILABILITY - CAN I ACCESS IT??
  13. CONFIDENTIALITY - IS MY SECRET SAFE??
  14. INTEGRITY - IS MY DATA TAMPERED??
  15. SIMPLE CHECKS
  16. • Passwords should be stored encrypted / hashed
      • Credentials (say, login) delivered only over HTTPS
      • System/Application should not allow invalid users
      • Browser Back button should not be allowed for a Banking website
      • Cookies / Session tokens should time out after a certain time
      • Forms should be validated at Server side also. Test the APIs
      • Directory structure should not be browsable
      • Check if Exceptions are handled correctly. Stack trace errors shouldn't be displayed
      • Use plugins to keep checking for vulnerabilities from time to time (Eg: Tamper Data, Site Spider, etc)
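Several of the simple checks on slide 16 can be scripted against captured HTTP responses. The following is an added example (not from the slides or their authors) that runs four of them, login over HTTPS only, session cookie timeout, Back-button caching, and stack trace or directory-listing exposure, over constructed responses; the host bank.example, the sample layout and the finding names are assumptions made for this example.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample responses (host "bank.example" and dict layout are assumptions for this example).
SAMPLES = {
    "login_ok": {
        "url": "https://bank.example/login",
        "headers": {"Set-Cookie": "SESSION=abc123; Path=/; Max-Age=900; HttpOnly",
                    "Cache-Control": "no-store"},
        "body": "<html>Welcome back</html>",
    },
    "login_weak": {  # plain HTTP, session cookie never expires, page cacheable
        "url": "http://bank.example/login",
        "headers": {"Set-Cookie": "SESSION=abc123; Path=/"},
        "body": "<html>Welcome back</html>",
    },
    "error_page": {  # unhandled exception leaks a Java stack trace
        "url": "https://bank.example/transfer",
        "headers": {"Cache-Control": "no-store"},
        "body": "java.lang.NullPointerException\n\tat com.bank.Transfer.run(Transfer.java:42)",
    },
    "listing": {  # web server allows browsing the uploads directory
        "url": "https://bank.example/uploads/",
        "headers": {"Cache-Control": "no-store"},
        "body": "<html><title>Index of /uploads/</title></html>",
    },
}

# Python tracebacks, Java/.NET "at pkg.Class.method(File:line)" frames, or an *Exception name
STACK_TRACE = re.compile(r"Traceback \(most recent call last\)|Exception\b|^\s*at [\w.$]+\(.*\)\s*$", re.M)
DIR_LISTING = re.compile(r"<title>\s*Index of /", re.I)

def check_response(sample):
    findings = []  # names of the simple checks this response fails, in a fixed order
    url, headers, body = sample["url"], sample["headers"], sample["body"]
    if url.startswith("http://") and "login" in url:
        findings.append("login-over-http")        # credentials must travel over HTTPS only
    for name, morsel in SimpleCookie(headers.get("Set-Cookie", "")).items():
        if not morsel["max-age"] and not morsel["expires"]:
            findings.append(f"cookie-no-timeout:{name}")  # session token never expires
    if "no-store" not in headers.get("Cache-Control", "").lower():
        findings.append("page-cacheable")         # Back button can re-show the page
    if STACK_TRACE.search(body):
        findings.append("stack-trace-exposed")    # exception details reach the user
    if DIR_LISTING.search(body):
        findings.append("directory-listing")      # directory structure is browsable
    return findings

def audit(samples=SAMPLES):
    return {name: check_response(sample) for name, sample in samples.items()}
```

An empty list for a sample means it passed every check; `audit()` runs the whole set, and `check_response` can be fed responses captured by a test harness in the same dict shape.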
  17. PENETRATION TESTING
      • Vulnerability Scanning
      • Ethical Hacking
      • Password Cracking
      • DDOS Attacks
      • URL Manipulation
  18. KEY TAKEAWAYS
      • Make things safe by default
      • Make the security test plan in accordance with the business requirements & security goals
      • Have the ability to deploy/respond quickly
  19. REFERENCES
      • http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
      • http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
      • https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
      • https://en.wikipedia.org/wiki/Security_testing
  20. For questions or suggestions, write to us @ harikris@thoughtworks.com, shilpab@thoughtworks.com. THANK YOU
