Security testing: Difference between revisions

Jrob kiwi (talk | contribs)
Tools: removed CSA, in this context it is more often used to designate "Cloud Security Alliance", not "Container Security Analysis"
AnnaBSP (talk | contribs)
No edit summary
{{Short description|The process of finding flaws in the security of information systems}}
{{More citations needed|date=August 2019}}
{{Information security}}
 
'''Security testing''' is a process intended to detect flaws in the [[security]] mechanisms of an [[information system]] and, as such, to help it protect data and maintain functionality as intended.<ref>Martellini, M., & Malizia, A. (2017). ''Cyber and chemical, biological, radiological, nuclear, explosives challenges: threats and counter efforts''. Springer.</ref> Because security testing can only demonstrate the presence of flaws, not their absence, passing a security test is not evidence that no flaws exist or that the system adequately satisfies its security requirements.
 
Typical security requirements may include specific elements of [[confidentiality]], [[integrity]], [[authentication]], availability, authorization and [[non-repudiation]].<ref>"Introduction to Information Security" US-CERT https://www.us-cert.gov/security-publications/introduction-information-security</ref> The security requirements actually tested depend on those implemented by the system. Security testing as a term has a number of different meanings and can be carried out in a number of different ways; a security taxonomy helps to distinguish these approaches and meanings by providing a common base to work from.
 
* A security measure which protects against the disclosure of information to parties other than the intended recipient is by no means the only way of ensuring security.
 
== Integrity ==
 
* Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually involve adding information to a communication, to form the basis of an algorithmic check (for example a message authentication code), rather than encoding all of the communication.
* Integrity testing checks whether the correct information is transferred from one application to another, that is, whether data can be altered in transit or at rest without the alteration being detected.
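The following Python script is an added illustration of the "added information forming the basis of an algorithmic check" pattern described above; it is not code from the article. It appends an HMAC-SHA256 tag to a message, leaves the message itself readable (integrity without confidentiality), and shows that tampering with either the payload or the tag, or verifying under a different key, is detected. The key and the payload are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256

# Constructed example key. A real deployment would generate it with
# secrets.token_bytes(32) and share it only with the intended peer.
KEY = bytes.fromhex("0f" * 32)


def tag_message(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag to the message.

    The message stays in the clear: this provides integrity and origin
    authentication, not confidentiality.
    """
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify_message(key: bytes, tagged: bytes) -> Optional[bytes]:
    """Return the message if its tag verifies under key, otherwise None.

    hmac.compare_digest is used so the time taken does not reveal how many
    leading bytes of a forged tag happened to be correct.
    """
    if len(tagged) < TAG_LEN:
        return None
    message, tag = tagged[:-TAG_LEN], tagged[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def flip_bit(data: bytes, byte_index: int) -> bytes:
    """Flip the least significant bit of one byte (simulated in-transit tampering)."""
    mutated = bytearray(data)
    mutated[byte_index] ^= 0x01
    return bytes(mutated)


def demo() -> dict:
    """Run the integrity check against intact, tampered and wrong-key inputs."""
    message = b"transfer 100.00 to account 4471"  # constructed payload
    tagged = tag_message(KEY, message)
    return {
        "intact": verify_message(KEY, tagged),
        # byte 9 is the leading '1' of the amount: '1' (0x31) becomes '0' (0x30)
        "payload_tampered": verify_message(KEY, flip_bit(tagged, 9)),
        # damage the last byte of the tag itself
        "tag_tampered": verify_message(KEY, flip_bit(tagged, len(tagged) - 1)),
        # a party holding a different key cannot produce an acceptable tag
        "wrong_key": verify_message(bytes.fromhex("aa" * 32), tagged),
        # the payload is still readable by anyone who sees the wire data
        "payload_readable": message in tagged,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

A test of this kind exercises exactly the property the bullet describes: the check rejects any modification, but the scheme does nothing to hide the content, so a test plan that also requires confidentiality must verify encryption separately.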
 
== Authentication ==
 
* '''Vulnerability Assessment''' - Uses discovery and vulnerability scanning to identify security vulnerabilities and places the findings in the context of the environment under test. Examples are removing common false positives from the report and deciding the risk level that should be applied to each finding, so that the business understands the result in context.
* '''Security Assessment''' - Builds upon a vulnerability assessment by adding manual verification to confirm exposure, but does not include exploiting vulnerabilities to gain further access. Verification may take the form of authorized access to a system to confirm its settings, and may involve examining logs, system responses, error messages, codes, etc. A security assessment aims for broad coverage of the systems under test rather than the depth of exposure that a specific vulnerability could lead to.
* '''Penetration Test''' - A [[penetration test]] simulates an attack by a malicious party. It builds on the previous stages and involves exploiting the vulnerabilities found to gain further access. This approach gives an understanding of an attacker's ability to gain access to confidential information, affect data integrity or the availability of a service, and the respective impact. Each test follows a consistent and complete methodology while allowing the tester to use their problem-solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that automated tools would not or could not identify. This approach looks at the depth of attack, whereas the security assessment approach looks at breadth of coverage.
* '''Security Audit''' - Driven by an audit and risk function to look at a specific control or compliance issue. Characterized by a narrow scope, this type of engagement may make use of any of the earlier approaches ([[Vulnerability assessment (computing)|vulnerability assessment]], security assessment, penetration test).
* '''Security Review''' - Verification that industry or internal security standards have been applied to system components or a product. This is typically completed through gap analysis and uses build and code reviews, or reviews of design documents and architecture diagrams. This activity does not use any of the earlier approaches (vulnerability assessment, security assessment, penetration test, security audit).
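As an added illustration of the vulnerability-assessment step (not code from the article or from any particular scanner), the following Python script takes constructed scanner output, collapses duplicate rows, drops findings that have been recorded as verified false positives together with the reason, and re-rates each remaining finding using the asset's exposure and business criticality. The hosts, plugin names, asset inventory and scoring weights are all assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Constructed raw scanner output. Note the duplicated row for 10.0.0.9 (two
# scan passes) and the self-signed certificate on 10.0.0.5, which the system
# owners have already verified as a false positive.
RAW_FINDINGS = [
    {"host": "10.0.0.5", "port": 443, "plugin": "tls-self-signed-cert", "severity": "medium"},
    {"host": "10.0.0.5", "port": 22, "plugin": "ssh-weak-kex", "severity": "medium"},
    {"host": "10.0.0.9", "port": 80, "plugin": "outdated-httpd", "severity": "high"},
    {"host": "10.0.0.9", "port": 80, "plugin": "outdated-httpd", "severity": "high"},
    {"host": "10.0.0.12", "port": 3306, "plugin": "db-no-auth", "severity": "critical"},
]

# Constructed asset inventory: the environmental context a scanner lacks.
ASSETS = {
    "10.0.0.5": {"exposure": "internal", "criticality": "low"},
    "10.0.0.9": {"exposure": "internet", "criticality": "high"},
    "10.0.0.12": {"exposure": "internal", "criticality": "high"},
}

# Verified false positives keyed by (host, plugin). The reason is recorded so
# the suppression itself can be audited and re-checked on the next scan.
SUPPRESSIONS = {
    ("10.0.0.5", "tls-self-signed-cert"): "internal CA; clients pin this certificate",
}

SEVERITY_SCORE = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
LEVELS = ["low", "low", "medium", "high", "critical"]  # indexed by adjusted score


def contextual_risk(finding: dict, asset: dict) -> Tuple[int, str]:
    """Adjust the scanner's severity for exposure and asset criticality (assumed weights)."""
    score = SEVERITY_SCORE.get(finding["severity"].lower(), 0)
    if asset.get("exposure") == "internet":
        score += 1  # reachable by any attacker, not only insiders
    if asset.get("criticality") == "high":
        score += 1  # large business impact if exploited
    elif asset.get("criticality") == "low":
        score -= 1
    score = max(0, min(score, len(LEVELS) - 1))
    return score, LEVELS[score]


def assess(findings: List[dict], assets: Dict[str, dict],
           suppressions: Dict[Tuple[str, str], str]) -> Tuple[List[dict], List[dict]]:
    """Deduplicate, separate verified false positives, rank the rest by contextual risk."""
    unique: Dict[Tuple[str, int, str], dict] = {}
    for f in findings:
        unique.setdefault((f["host"], f["port"], f["plugin"]), f)

    report, suppressed = [], []
    for (host, port, plugin), f in unique.items():
        reason = suppressions.get((host, plugin))
        if reason:
            suppressed.append({"host": host, "port": port, "plugin": plugin, "reason": reason})
            continue
        score, level = contextual_risk(f, assets.get(host, {}))
        report.append({"host": host, "port": port, "plugin": plugin,
                       "scanner_severity": f["severity"], "risk": level, "score": score})
    report.sort(key=lambda r: r["score"], reverse=True)
    return report, suppressed


if __name__ == "__main__":
    open_findings, dropped = assess(RAW_FINDINGS, ASSETS, SUPPRESSIONS)
    for r in open_findings:
        print(f"{r['risk']:>8}  {r['host']}:{r['port']}  {r['plugin']}  (scanner: {r['scanner_severity']})")
    for s in dropped:
        print(f"suppressed  {s['host']}  {s['plugin']}  because {s['reason']}")
```

The point of keeping the suppressed list as output rather than silently discarding it is that a later security assessment or audit can re-verify each suppression; a false positive that was correct last quarter may not be after a configuration change.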
 
== Tools ==
 
* [[Container (virtualization)|Container]] and [[IT infrastructure|Infrastructure]] Security Analysis<ref>{{cite web | url=https://github.com/OWASP/Container-Security-Verification-Standard | title=Container Security Verification Standard | website=[[GitHub]] | date=20 July 2022 }}</ref><ref>{{cite web | url=https://cheatsheetseries.owasp.org/cheatsheets/Infrastructure_as_Code_Security_Cheat_Sheet.html | title=Infrastructure as Code Security - OWASP Cheat Sheet Series }}</ref>
* [[Static application security testing|SAST - Static Application Security Testing]]
* [[Dynamic application security testing|DAST - Dynamic Application Security Testing]]
* [[Interactive application security testing|IAST - Interactive Application Security Testing]]<ref>{{cite web | url=https://owasp.org/www-project-devsecops-guideline/latest/02c-Interactive-Application-Security-Testing | title=OWASP DevSecOps Guideline - v-0.2 &#124; OWASP Foundation }}</ref>
* [[Data loss prevention software|DLP - Data Loss Prevention]]
* [[Intrusion detection system|IDS, IPS - Intrusion Detection System, Intrusion Prevention System]]
* OSS Scanning - Open Source Software Scanning (see [[Open-source software security]])
* [[Runtime application self-protection|RASP - Runtime Application Self-Protection]]
* SCA - [[Software Composition Analysis]]<ref>{{cite web | url=https://owasp.org/www-community/Component_Analysis | title=Component Analysis &#124; OWASP Foundation }}</ref>
* [[Web application firewall|WAF - Web Application Firewall]]
 
{{Reflist}}
 
{{Information security}}
{{Software testing}}
 
[[Category:Computer security]]
[[Category:Security testing]]
[[Category:Cybersecurity engineering]]