Security testing: Difference between revisions

Content deleted Content added
General formatting by script
Line 1:
{{Refimprove|date=August 2019}}
 
{{Information security}}
 
'''Security testing''' is a process intended to reveal flaws in the security mechanisms of an [[information system]] that protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing security testing is not an indication that no flaws exist or that the system adequately satisfies the security requirements.
 
Typical security requirements may include specific elements of confidentiality, integrity, authentication, availability, authorization and non-repudiation.<ref>"Introduction to Information Security" US-CERT https://www.us-cert.gov/security-publications/introduction-information-security</ref> Actual security requirements tested depend on the security requirements implemented by the system. Security testing as a term has a number of different meanings and can be completed in a number of different ways. As such a Security Taxonomy helps us to understand these different approaches and meanings by providing a base level to work from.
 
== Confidentiality ==
 
* A security measure which protects against the disclosure of information to parties other than the intended recipient is by no means the only way of ensuring the security.
 
== Integrity ==
 
Integrity of information refers to protecting information from being modified by unauthorized parties
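Review bot: the Confidentiality bullet is an incomplete thought: "A security measure which protects against the disclosure of information to parties other than the intended recipient is by no means the only way of ensuring the security" defines neither confidentiality nor what a test of it would check, so the section says less than its neighbours. Suggest a definition parallel to the Integrity line ("Confidentiality refers to protecting information from disclosure to parties other than the intended recipient") followed by the checks performed. The US-CERT reference is a bare URL inside <ref>; given the {{Refimprove}} tag at the top of the hunk, a {{cite web}} with title, publisher and access date would be the expected form.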
Line 17 ⟶ 19:
* To check if the correct information is transferred from one application to other.
 
== Authentication ==
 
This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one.
 
== Authorization ==
 
* The process of determining that a requester is allowed to receive a service or perform an operation.
* [[Access control]] is an example of authorization.
 
== Availability ==
 
* Assuring information and communications services will be ready for use when expected.
* Information must be kept available to authorized persons when they need it.
 
== Non-repudiation ==
 
* In reference to digital security, non-repudiation means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
 
== Taxonomy ==
 
==Security Testing Taxonomy==
Common terms used for the delivery of security testing:
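Review bot: "== Taxonomy ==" is immediately followed by "==Security Testing Taxonomy==", which in the rendered diff is the old and new form of one heading; the article should end up with exactly one of them, and the spaced form "== Security Testing Taxonomy ==" matches every other heading in this hunk ("== Authentication ==", "== Availability ==", "== Non-repudiation =="). The Authentication section opens with "This might involve confirming the identity of a person ..." with nothing for "This" to refer to; suggest a lead sentence defining authentication before the examples, as the Integrity and Authorization sections do.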
 
Line 42 ⟶ 49:
* '''Security Review''' - Verification that industry or internal security standards have been applied to system components or product. This is typically completed through gap analysis and utilizes build / code reviews or by reviewing design documents and architecture diagrams. This activity does not utilize any of the earlier approaches (Vulnerability Assessment, Security Assessment, Penetration Test, Security Audit)
 
==Security ToolTools Types==
 
* CSA - Container and Infrastructure Security Analysis
* [[Dynamic application security testing|DAST]] - [[Dynamic Application Security Testing]]
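Review bot: the heading renders as "==Security ToolTools Types==", the collapsed old and new spellings ("Security Tool Types" / "Security Tools Types"); whichever is kept should use the spaced "== ... ==" form used elsewhere on the page, and "Security Tool Types" is the grammatical one. The Security Review bullet above it ends without a full stop after "(Vulnerability Assessment, Security Assessment, Penetration Test, Security Audit)". In the tool list, DAST is wikilinked twice in one entry ("[[Dynamic application security testing|DAST]]" and "[[Dynamic Application Security Testing]]") while CSA has no link; one link per entry, on the expanded name, would be consistent.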
Line 54 ⟶ 62:
* WAF - Web Application Firewall
 
== See also ==
 
==See also==
* [[National Information Assurance Glossary]]
 
== References ==
 
<references />
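Review bot: "== See also ==" and "==See also==" appear as consecutive headings, again the old and new form of one line; only one should remain, in the spaced form "== See also ==". The single entry [[National Information Assurance Glossary]] and the "== References ==" section with <references /> are fine as they stand, since the lead's one <ref> is what that tag renders.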