VIEW POINT

BEST PRACTICES TO ENSURE SEAMLESS

CYBER SECURITY TESTING

Abstract
In a post COVID-19 world, the need to become digitally-enabled is more
pressing than ever before. Enterprises are accelerating digital strategies and
omni-channel transformation projects. But while they expand their digital
footprint to serve customers and gain competitive advantage, the number
and extent of exposure to external threats also increases exponentially.
This is due to the many moving parts in the technology stack such as cloud,
big data, legacy modernization, and microservices. This paper looks at the
security vulnerabilities in open systems interconnection (OSI) layers and
explains the best practices for embedding cyber security testing seamlessly
into organizations.
 Introduction
Open systems interconnection (OSI) comprises many layers, each of which has its own services/protocols. These can be used by hackers and
attackers to compromise the system through different types of attacks.

OSI Layers Services/Protocols Types of attacks

Application Layer File transfer protocol, simple mail SQL injecon, Cross-site scripng so ware a
ack
transfer protocol, Domain Name System (persistent and non-persistent), Cross-site request
forgery, Cookie poisoning

Presentation Layer Data representation, Encryption and

Decryption SSL a
acks, HTTP tunnel a
acks

Establishing session communications Session hijacking, sequence predicon a

ack,
Session Layer
Authencaon a
ack

TCP, UDP, SSL, TLS - protocols Port scanning, ping flood and Distributed Denial-of-
Transport Layer
Service (DDoS) a
ack

Networks, IP address, ICMP protocol, External a

acks such as packet sniffing, Internet
Network Layer
IPsec protocol, OSPF protocol Control Message Protocol (ICMP) flood a
ack,
Denial of Service (DoS) a
ack at Dynamic Host
Data link Layer Ethernet, 802.11 protocol, LANs, Fiber
Configuraon Layer (DHCP), MAC address spoofing
optic, Frame protocol
etc.- These are primarily internal a
acks
Transmission media, bit stream (signal) Data the , Hardware the , Physical destrucon,
Physical Layer
and binary transmission Unauthorized access to hardware/connecons etc.,

Fig 1: Points of vulnerability across OSI layers

For some OSI layers like Transport, Session, 4. Understanding the vulnerabilities in from SVN or GIT (version control
Presentation, and Application, some infrastructure security testing systems)
amount of exposure can be controlled
5. Understanding roles and responsibilities • Code is automatically pushed for
using robust application-level security
for cloud security testing scanning after applying UI and server-
practices and cyber security testing. From
based pre-scan filters. Code is scanned
a quality engineering perspective, it is for vulnerability
important for testers to be involved in the Best practice 1: Defining and
• Results are pushed to the software
digital security landscape. executing a digital tester’s
security center database for
While there is no single approach to handle role in the DevSecOps model verification
cyber security testing, the following five DevSecOps means dealing with security
best practices can ensure application • If there are no vulnerabilities, the
aspects as code (security as a code). It
code is pushed to quality assurance
security by embedding cyber security enables two aspects, namely, ‘secure code’
(QA) and production stages. If
testing seamlessly into organizations: delivered ‘at speed’. Here is how security-as-
vulnerabilities are found, these are
1. Defining and executing a digital tester’s a-code works:
backlogged for resolution
role in the DevSecOps model • Code is delivered in small chunks.
DevSecOps can be integrated to
2. Understanding and implementing Possible changes are submitted in perform security tests on networks,
data security testing practices in non- advance to identify vulnerabilities digital applications and identity access
production environments • The application security team management portals. The tests focus on
3. Security in motion – Focusing on triggers scheduled scans in the build how to break into the system and expose

dynamic application security testing environment. Code checkout happens vulnerable areas.

External Document © 2021 Infosys Limited

Best practice 2: • Conduct threat modeling by • Define a security validation strategy
decomposing applications, identifying based on the type of cloud service
Understanding and
threats and categorizing/rating threats models:
implementing data security
testing practices in non- • Perform a combination of automated • For Software-as-a-Service (SaaS),
testing and black-box security/ the focus should be on risk-based
production environments
penetration testing to identify security testing and security audits/
With the advent of DevOps and digital vulnerabilities compliance
transformation, there is a tremendous
• For Platform-as-a-Service (PaaS),
pressure to provision data quickly to
meet development and QA needs. While Best practice 4: the focus should be on database
Understanding the security and web/mobile/API
provisioning data across the developing
penetration testing
pipelines is one challenge, another is to vulnerabilities in
ensure security and privacy of data in the infrastructure security testing • For Infrastructure-as-a-Service
non-production environment. There are (IaaS), the focus should be on
There are infrastructure-level
several techniques to do this as discussed infrastructure and network
vulnerabilities that cannot be identified
below: vulnerability assessment
with UI testing. Hence, infrastructure-level
• Dynamic data masking, i.e., masking exploits are created and executed, and • Conduct Cloud Service Provider
data on the fly and tying database reports are published. The following steps (CSP) service integration and cyber
security directly to the data using tools give insights to the operations team to security testing. The focus is on
that have database permissions minimize/eliminate vulnerabilities at the identifying system vulnerabilities, CSP
infrastructure layer: account hijacking, malicious insiders,
• Deterministic masking, i.e., using
identity/access management portal
algorithm-based data masking of • Reconnaissance and network
vulnerabilities, insecure APIs, shared
sensitive fields to ensure referential vulnerability assessment including
technology vulnerabilities, advanced
integrity across systems and databases host fingerprinting, port scanning and
persistent threats, and data breaches
• Synthetically generating test data network mapping tools
• Review the CSP’s audit and perform
without relying on the production • Identification of services and OS details
compliance checks
footprint by ensuring referential on hosts such as Domain Name System
integrity across systems and creating a (DNS) and Dynamic Host Configuration These best practices can help enterprises
self-service database Protocol (DHCP) build and create secure applications right
from the design stage.
• Automatic clean-up of the sample data, • Manual scans using scripting engine and
sample accounts and sample customers tool-based automated scans Infosys has a dedicated Cyber Security
created Testing Practice that provides trusted
• Configuration reviews for firewalls,
application development and
routers, etc.
maintenance frameworks, security
Best practice 3: Security in • Removal of false positives and validation testing automation, security testing
motion – Focus on dynamic of reported vulnerabilities planning, and consulting for emerging
application security testing areas. It aims to integrate security
This test is performed while the application into the code development lifecycle
Best practice 5: through test automation with immediate
is in use. Its objective is to mimic hackers
Understanding roles and feedback to development and operations
and break into the system. The focus is to:
responsibilities for cloud teams on security vulnerabilities. Our
• Identify abuse scenarios by mapping
security testing approach leverages several open-source
security policies to application
and commercial tools for security testing
flows based on the top 10 security With cloud transformation, cloud security
instrumentation and automation.
vulnerabilities for Open Web Application is a shared responsibility. Cloud security
Security Project (OWASP) testing must involve the following steps:

External Document © 2021 Infosys Limited

Conclusion
The goal of cyber security testing is to
anticipate and withstand attacks and
recover quickly from security events. In
the current pandemic scenario, it should
also help companies adapt to short-term
change. Infosys recommends the use
of best practices for integrating cyber
security testing seamlessly. These include
building secure applications, ensuring
proper privacy controls of data in rest
and in motion, conducting automated
penetration testing, and having clear
security responsibilities identified with
cloud service providers.

About the Authors

Arun Kumar Mishra Sundaresasubramanian Gomathi Vallabhan
Senior Practice Engagement Manager, Infosys Practice Engagement Manager, Infosys

References
1. https://www.marketsandmarkets.com/Market-Reports/security-testing-market-150407261.html

2. https://www.infosys.com/services/validation-solutions/service-offerings/security-testing-validation-services.html

For more information, contact [email protected]

© 2021 Infosys Limited, Bengaluru, India. All Rights Reserved. Infosys believes the information in this document is accurate as of its publication date; such information is subject to change without notice. Infosys
acknowledges the proprietary rights of other companies to the trademarks, product names and such other intellectual property rights mentioned in this document. Except as expressly permitted, neither this
documentation nor any part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, printing, photocopying, recording or otherwise, without the
prior permission of Infosys Limited and/ or any named intellectual property rights holders under this document.

Infosys.com | NYSE: INFY Stay Connected