Penetration Testing in Secure Software Development: Techniques and Best Practices, Slides of Software Engineering

An overview of penetration testing as part of secure software development. Topics covered include the application of touchpoints, risk analysis, code review, penetration testing, security operations, and software testing. The benefits and limitations of penetration testing, as well as best practices for external and internal testing.

Typology: Slides

2012/2013

Uploaded on 04/26/2013

sharad_984

Secure Software Development

Penetration Testing


Application of Touchpoints

The slide maps each software artifact to the security touchpoints applied to it (touchpoint numbers as given on the slide):

  • Requirements and use cases: 5. Abuse cases, 6. Security requirements
  • Architecture and design: 2. Risk analysis
  • Test plans: 4. Risk-based security tests
  • Code: 1. Code review (tools)
  • Tests and test results: 2. Risk analysis, 3. Penetration testing
  • Feedback from the field: 7. Security operations
  • External review spans the whole lifecycle

Security Testing

  • Look for unexpected but intentional misuse of the system
  • Must test for all potential misuse types, using
    • Architectural risk analysis results
    • Abuse cases
  • Verify that
    • All intended security features work (white hat)
    • Intentional attacks cannot compromise the system (black hat)

Penetration Testing

  • Testing for a negative – what must not exist in the system
  • Difficult – how to prove “non-existence”
  • If penetration testing does not find errors, then
    • One can only conclude that under the given circumstances no security faults occurred
    • This gives little assurance that the application is immune to attacks
  • Risks becoming a feel-good exercise

Late-Lifecycle Testing

  • Limitations:
    • Design and coding errors are discovered too late
    • Higher cost than earlier, design-level detection
    • Options to remedy discovered flaws are constrained by both time and budget
  • Advantage: evaluates the system in its final operating environment

Success of Penetration Testing

  • Depends on the skill, knowledge, and experience of the tester
  • Important: interpretation of the results
  • Disadvantages of penetration testing:
    • Often used as an excuse to declare victory and go home
    • Everyone looks good after negative testing results

Testing Process

  • External testing: across the internet
    • Simulates the attacker’s environment
    • Gathers information related to remote access, IP addresses, open ports, allowed services, etc.
    • Tools to support the process
  • Internal testing: onsite, a view of the system behind the external perimeter
    • Software penetration testing tools
    • Attempt to exploit vulnerabilities

Testing Activities

  • Scoping: assessing target system
  • Discovery: building information about the system
    • Offline and online activities
  • Vulnerability scanning: testing system components
  • Target penetration: within testing parameters
  • Analysis: of results of previous stages
  • Reporting: detailed findings and recommendations
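As an added example (not from the slides), the following script walks the scoping, discovery, analysis and reporting stages above from the defender's side: it takes the kind of information external testing gathers (hosts, open ports, services), drops anything outside the agreed scope, compares what was observed against the exposure approved in the risk analysis, and produces the findings-and-recommendations list the reporting stage needs. The scope network, the discovery records, the approved baseline and the severity table are all constructed for the example.

```python
"""Added example (not from the slides): a defender-side pass over the
scoping / discovery / analysis / reporting stages of a penetration test.
Scope, discovery records and baseline are constructed; a real engagement
would take them from the rules of engagement, a scanner export and the
architectural risk analysis."""
import ipaddress
from collections import defaultdict

# Scoping: only hosts inside these networks belong to the engagement
# (constructed, using the documentation range TEST-NET-1).
SCOPE = [ipaddress.ip_network("192.0.2.0/24")]

# Discovery: what an external scan or asset inventory reported (constructed).
DISCOVERED = [
    {"host": "192.0.2.10", "port": 443, "service": "https"},
    {"host": "192.0.2.10", "port": 22, "service": "ssh"},
    {"host": "192.0.2.11", "port": 80, "service": "http"},
    {"host": "192.0.2.11", "port": 3306, "service": "mysql"},
    {"host": "198.51.100.5", "port": 445, "service": "smb"},  # not in scope
]

# Approved external exposure per host, from the architectural risk analysis
# (constructed). Anything observed beyond this is a finding.
BASELINE = {
    "192.0.2.10": {443},
    "192.0.2.11": {80, 443},
}

# Rough severity for services that should not face the internet (constructed).
SEVERITY = {"mysql": "high", "smb": "high", "ssh": "medium"}


def in_scope(host):
    """Scoping check: is the host inside one of the engagement networks?"""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in SCOPE)


def analyze(discovered, baseline):
    """Compare observed exposure with the approved baseline.

    Returns (findings, skipped): findings describe unexpected or missing
    services, skipped lists out-of-scope hosts deliberately left alone."""
    observed = defaultdict(set)
    skipped = set()
    for rec in discovered:
        if not in_scope(rec["host"]):
            skipped.add(rec["host"])
            continue
        observed[rec["host"]].add((rec["port"], rec["service"]))

    findings = []
    # Unexpected exposure: open ports the baseline does not allow.
    for host, ports in observed.items():
        allowed = baseline.get(host, set())
        for port, service in sorted(ports):
            if port not in allowed:
                findings.append({
                    "host": host, "port": port, "service": service,
                    "severity": SEVERITY.get(service, "low"),
                    "recommendation": f"restrict {service}/{port} to internal networks or close it",
                })
    # Baseline drift: approved services that were not observed at all.
    for host, allowed in baseline.items():
        seen = {port for port, _ in observed.get(host, set())}
        for port in sorted(allowed - seen):
            findings.append({
                "host": host, "port": port, "service": None,
                "severity": "info",
                "recommendation": f"port {port} is approved but was not reachable; confirm the baseline is current",
            })
    return findings, sorted(skipped)


def report(findings, skipped):
    """Reporting stage: one line per finding, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    lines = [f"{f['severity'].upper():6} {f['host']}:{f['port']} {f['recommendation']}"
             for f in sorted(findings, key=lambda f: order[f["severity"]])]
    for host in skipped:
        lines.append(f"SKIP   {host} outside the agreed scope, not analysed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(*analyze(DISCOVERED, BASELINE)))
```

The baseline comparison is what turns raw discovery data into a finding: an open port is only a problem relative to what the design said should be exposed, and an approved port that is no longer reachable is worth a note too, since it usually means the baseline has drifted from the deployed system.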

Testing and Application Context

  • Organizations: how to update legacy systems with security capabilities
  • Application-specific risk

Is Penetration Testing Worth it?

  • Schneier, http://schneier.com/blog/archives/2007/05/is_penetration.html
  • Opinions:
    • Penetration testing is essential for network security
    • Penetration testing is a waste of time and money
  • What is the goal of penetration testing?
  • Finding too many vulnerabilities – how to fix them all?
  • Useful penetration testing:
    • Finds vulnerabilities you’re going to fix
    • Persuades managers to invest in security
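The last two slides raise the practical question of what to do when a test returns more findings than can be fixed. As an added example (not from the slides or Schneier's post), the script below triages a list of findings into those that will be fixed now, those deferred for budget reasons, and those accepted as residual risk, using a likelihood-times-impact score and an effort estimate per finding. The findings, scores, effort figures and thresholds are all constructed.

```python
"""Added example (not from the slides): risk-based triage that turns a long
list of findings into the ones that will actually be fixed. Findings,
scores and effort estimates are constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str
    title: str
    likelihood: int      # 1 (rare) .. 5 (expected), from the risk analysis
    impact: int          # 1 (negligible) .. 5 (severe)
    effort_days: float   # estimated cost to fix

    @property
    def risk(self):
        return self.likelihood * self.impact


# Constructed findings; titles are illustrative only.
FINDINGS = [
    Finding("F-1", "Injection flaw in search endpoint", 5, 5, 3.0),
    Finding("F-2", "Outdated TLS configuration", 3, 3, 1.0),
    Finding("F-3", "Verbose server version banner", 2, 1, 0.5),
    Finding("F-4", "No rate limit on login", 4, 3, 2.0),
    Finding("F-5", "Legacy admin panel reachable externally", 4, 5, 8.0),
]


def triage(findings, budget_days, accept_below=4, critical_at=20):
    """Split findings into (fix_now, deferred, accepted).

    Findings scoring below `accept_below` are accepted as residual risk.
    Critical findings (risk >= critical_at) are scheduled first; the rest
    are ordered by risk reduced per day of effort, and each is scheduled
    while it still fits in the remaining budget. Deferred items keep their
    score so the decision is recorded rather than silently dropped."""
    accepted = [f for f in findings if f.risk < accept_below]
    candidates = sorted(
        (f for f in findings if f.risk >= accept_below),
        key=lambda f: (f.risk < critical_at, -f.risk / f.effort_days, -f.risk),
    )
    fix_now, deferred = [], []
    remaining = budget_days
    for f in candidates:
        if f.effort_days <= remaining:
            fix_now.append(f)
            remaining -= f.effort_days
        else:
            deferred.append(f)
    return fix_now, deferred, accepted


def plan(findings, budget_days):
    """Human-readable fix plan for the report's recommendations section."""
    fix_now, deferred, accepted = triage(findings, budget_days)
    lines = [f"Fix now ({sum(f.effort_days for f in fix_now):g} of {budget_days:g} days):"]
    lines += [f"  {f.ident} risk={f.risk:2d} {f.title}" for f in fix_now]
    lines.append("Deferred (budget):")
    lines += [f"  {f.ident} risk={f.risk:2d} {f.title}" for f in deferred]
    lines.append("Accepted (low risk):")
    lines += [f"  {f.ident} risk={f.risk:2d} {f.title}" for f in accepted]
    return "\n".join(lines)


if __name__ == "__main__":
    print(plan(FINDINGS, budget_days=6))
```

The point of the three buckets is that "find vulnerabilities you're going to fix" is a management decision as much as a technical one: the deferred and accepted lists, with their scores, are exactly what a manager needs to see when deciding whether the security budget is adequate.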