CISSP - Domain 6 - Security Assessment and Testing

1) Security assessment and testing involves designing and validating assessment strategies, conducting security control testing, analyzing test outputs, and facilitating audits.
2) Proper test and evaluation strategies help identify risks and are living documents maintained by integrated product teams.
3) Log reviews are an important detective control, but pose challenges related to volume, format, sources, and preservation.

Uploaded by Jerry Shen

Unit 6

Security Assessment and Testing


Subramaniam Sankaran
[email protected]

Domain 6 - Security Assessment and Testing
Note
• This presentation has been prepared by Subramaniam Sankaran for his CISSP program delivery.
• Please do share this material as required.
• You can reach him at [email protected]

Objective
• Design and validate assessment and test strategies
• Conduct security control testing
• Collect security process data
• Analyse and report test output
• Conduct and facilitate internal and third-party audits

T&E (Testing and Evaluation)
• The fundamental principle of test and evaluation is to provide knowledge that assists in managing the risks involved in developing, producing, operating, and sustaining systems and capabilities.
• T&E expertise must be applied from the beginning to avoid oversights and other vulnerabilities.

Responsibility
• Recommend T&E
• Monitor T&E
• Perform T&E

Team
• Test and Evaluation Integrated Product Team
  – SMEs
  – Customer/user representative
  – Other stakeholders
• The Test and Evaluation Strategy is a living document

Test and Assessment Strategies
• A proper test and evaluation strategy helps identify risks and validate the models.
• The test and evaluation strategy is a living document and is maintained by the integrated product team.

Software Verification
• Verifies that the design output of a particular phase meets all the requirements for that phase.
• Software testing ensures that the software development output meets the input requirements.
• Software validation ensures that the complete product is in line with the system and software requirements. This should be ensured during design validation as well.

Software Validation Challenges
• Software is easily alterable.
• Branching statements introduce complexity.
• A minor software change might introduce a major problem.

Log Reviews
• Log review is an important detective control.
• Log management is required to generate, transmit, store, analyze and dispose of the logs.

Challenges
• Quantity
• Format
• Inconsistent contents
• Time stamps
• High number of sources
• CIA (confidentiality, integrity and availability of the logs)

Operations
• Preservation of original logs
• Logs must be maintained on both the central and the original servers to maintain fidelity.
• Prioritise logs based on the organization's perceived risk.

Log Management Infrastructure
• Consists of hardware, software, media and networks.
• Plan for current and future needs.
• Consider the volume of data, network bandwidth, online and offline storage, security, time and staffing requirements.
• Ensure staff readiness.

Standard log management operations
• Monitoring the logging status of all log sources
• Monitoring log rotation and archival processes
• Checking for upgrades and patches to logging software, and acquiring, testing, and deploying them
• Ensuring that each logging host's clock is synched to a common time source
• Reconfiguring logging as needed based on policy changes, technology changes, and other factors
• Documenting and reporting anomalies in log settings, configurations, and processes
• Ensuring logs are consolidated to repositories such as Security Information and Event Management (SIEM) systems
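The log review challenges above (differing formats, inconsistent contents, time stamps) and the clock-synchronisation and consolidation operations can be seen together in a small consolidator. This is an added example, not material from the slide deck: it normalises constructed sample lines from three hypothetical sources into one record shape with UTC time stamps, orders them by event time, and flags a source whose clock disagrees with the collector's (the collector time and skew limit are assumed values).

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real logs): a firewall and a proxy emit
# "timestamp key=value ..." text; the authentication server emits JSON with a
# local-time offset. The first element is the source name the collector tagged.
SAMPLE_LINES = [
    ("fw01", "2024-03-01T10:00:05Z src=10.0.0.5 dst=10.0.1.9 action=deny"),
    ("auth01", '{"ts": "2024-03-01 11:03:10 +0100", "event": "login_failed", "user": "bob"}'),
    ("proxy01", "2024-03-01T10:45:00Z url=http://example.invalid action=block"),
]
# Assumed collector clock at the moment these lines arrived (hypothetical value).
COLLECTOR_TIME = datetime(2024, 3, 1, 10, 2, 0, tzinfo=timezone.utc)
MAX_SKEW = timedelta(minutes=5)

TEXT_LINE = re.compile(r"^(\S+)\s+(.*)$")


def normalize(source, line):
    """Turn one raw line into a flat record whose 'ts' is an aware UTC datetime."""
    if line.startswith("{"):
        fields = json.loads(line)
        ts = datetime.strptime(fields.pop("ts"), "%Y-%m-%d %H:%M:%S %z")
    else:
        ts_text, rest = TEXT_LINE.match(line).groups()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S%z")  # %z accepts 'Z'
        fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"source": source, "ts": ts.astimezone(timezone.utc), **fields}


def consolidate(lines=SAMPLE_LINES):
    """Normalize every line and order by event time rather than arrival order."""
    records = [normalize(src, line) for src, line in lines]
    records.sort(key=lambda r: r["ts"])
    return records


def skewed_sources(records, collector_time=COLLECTOR_TIME, max_skew=MAX_SKEW):
    """Sources whose event time is more than max_skew away from the collector's clock."""
    return sorted({r["source"] for r in records
                   if abs(r["ts"] - collector_time) > max_skew})


if __name__ == "__main__":
    recs = consolidate()
    for r in recs:
        print(r["ts"].isoformat(), r["source"], {k: v for k, v in r.items() if k not in ("ts", "source")})
    print("clock skew suspected on:", skewed_sources(recs))
```

A source that shows up in skewed_sources is exactly the case the clock-synchronisation operation exists to prevent: its events would sort into the wrong place in any cross-source timeline.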

Sources
• Anti-malware software
• IDPS
• Remote access software
• Web proxies
• Vulnerability management software
• Authentication Servers
• Routers
• Firewalls
• Network Access Control

Other Sources
• System events
• Audit Events

Synthetic Transactions
• Real User Monitoring (RUM) aims at monitoring server-side and client-side transactions of real users.
• Synthetic transaction monitoring is proactive monitoring: it uses scripts that execute the transaction on a schedule.

Testing methodologies
• Code Review and Testing
• Black Box vs White Box
• Dynamic vs static testing
• Manual vs automated testing

Considerations
• Attack Surface
• Application Type
• Quality of Results and usability
• Supported Technologies
• Performance and Resource utilization

Review phases
• Planning and design
  – Threat modelling
  – Architecture security reviews
• During application development
  – Code reviews
• Executable in test environment
  – Manual or automated penetration testing (PT)
  – Automated vulnerability scanners
  – Fuzz testing tools

Test case coverage
• Statement coverage
• Decision coverage
• Condition coverage
• Multi-condition coverage
• Loop coverage
• Path coverage
• Data flow coverage
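The first four coverage criteria are easiest to tell apart on a single decision built from several conditions. The example below is added here and is not from the slide deck; it uses a hypothetical access-control decision and a small report that says which criteria a given set of test cases reaches, including the classic case where every condition has been toggled yet the decision itself never changed.

```python
from itertools import product


# Hypothetical access decision used only to illustrate the coverage criteria:
# one decision composed of three conditions.
def decision(is_admin, is_owner, resource_locked):
    return (is_admin or is_owner) and not resource_locked


def should_grant(is_admin, is_owner, resource_locked):
    if decision(is_admin, is_owner, resource_locked):
        return "granted"   # statement 1
    return "denied"        # statement 2


def coverage_report(cases):
    """cases: iterable of (is_admin, is_owner, resource_locked) tuples.

    statement       both return statements executed (here identical to decision coverage)
    decision        the if-condition evaluated to both True and False
    condition       each individual condition took both values at least once
    multi_condition all 2**3 combinations of condition values were exercised
    """
    cases = [tuple(c) for c in cases]
    outcomes = {decision(*c) for c in cases}
    per_condition = [{c[i] for c in cases} for i in range(3)]
    both = {True, False}
    return {
        "statement": outcomes == both,
        "decision": outcomes == both,
        "condition": all(v == both for v in per_condition),
        "multi_condition": set(cases) == set(product((True, False), repeat=3)),
    }


# Two tests flip the decision but never vary is_owner or resource_locked.
DECISION_ONLY = [(True, False, False), (False, False, False)]
# Two tests toggle every condition, yet the decision is False both times:
# condition coverage without decision coverage, which is why both are required.
CONDITION_ONLY = [(True, True, True), (False, False, False)]
# All eight combinations: multi-condition coverage.
EXHAUSTIVE = list(product((True, False), repeat=3))

if __name__ == "__main__":
    for name, cases in [("decision-only", DECISION_ONLY),
                        ("condition-only", CONDITION_ONLY),
                        ("exhaustive", EXHAUSTIVE)]:
        print(name, coverage_report(cases))
```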

Other maintenance tasks
• Software Validation plan revision
• Anomaly evaluation
• Problem identification and resource tracking
• Proposed Change Assessment
• Task Iteration
• Documentation Updating

Negative Testing
• Populating required fields
• Correspondence between data and field types
• Allowed number of characters
• Allowed data bounds and limits
• Reasonable data (e.g. age cannot be negative)
• Web session testing (e.g. login required before a page opens)
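The first five negative-testing items map directly onto checks an input validator must make. As an added example (not code from the slide deck), the validator below enforces a hypothetical registration-form schema, and a set of negative cases confirms that each class of bad input is rejected for the right reason; the field names and limits are assumptions.

```python
import re

# Hypothetical registration form schema (constructed for this example).
SCHEMA = {
    "username": {"required": True, "type": str, "max_len": 32},
    "email": {"required": True, "type": str, "max_len": 254,
              "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "age": {"required": False, "type": int, "min": 0, "max": 150},
}


def validate(record):
    """Return a list of validation errors; an empty list means the record is accepted."""
    errors = []
    for field, rule in SCHEMA.items():
        value = record.get(field)
        if value is None or value == "":
            if rule["required"]:
                errors.append(f"{field}: required")
            continue
        # exact type match: bool subclasses int, so isinstance() would accept True as an age
        if type(value) is not rule["type"]:
            errors.append(f"{field}: expected {rule['type'].__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{field}: longer than {rule['max_len']} characters")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{field}: malformed")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{field}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{field}: above maximum {rule['max']}")
    errors.extend(f"{field}: unexpected field" for field in record if field not in SCHEMA)
    return errors


# Negative test cases: each record must be rejected with the listed error.
NEGATIVE_CASES = {
    "missing required field": ({"email": "a@example.invalid"}, "username: required"),
    "wrong field type": ({"username": "alice", "email": "a@example.invalid", "age": "30"}, "age: expected int"),
    "too many characters": ({"username": "x" * 33, "email": "a@example.invalid"}, "username: longer than 32 characters"),
    "out of bounds": ({"username": "alice", "email": "a@example.invalid", "age": 151}, "age: above maximum 150"),
    "unreasonable data": ({"username": "alice", "email": "a@example.invalid", "age": -1}, "age: below minimum 0"),
    "malformed value": ({"username": "alice", "email": "not-an-address"}, "email: malformed"),
}


def run_negative_tests():
    """Map each case name to True when the validator rejected it with the expected error."""
    return {name: expected in validate(rec) for name, (rec, expected) in NEGATIVE_CASES.items()}
```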

Interface testing
• Verify that communication is done correctly between the web server and the application server, and between the application server and the database server, in both directions.
• Verify the compatibility of server software, hardware and network connections.

Information Security Control Monitoring (ISCM)
• Security control volatility
• System categorization and impact level
• Security controls or specific assessment objects providing critical functions
• Security controls with identified weaknesses
• Organizational risk tolerance
• Threat information
• Vulnerability information
• Risk assessment results
• Reporting requirements
End of it
