Ebook CISSP Domain 06 Security Assessment and Testing

Certified Information Systems Security Professional

(CISSP) Certification Training Course

CISSP® is a registered trademark of (ISC)²®


Domain 06: Security Assessment and Testing
Learning Objectives

By the end of this lesson, you will be able to:

Demonstrate assessment, test, and audit strategies

Discuss penetration testing process and log management phases

Examine different testing techniques and methods

Discuss key performance indicators and the KPI process

Compare different ethical disclosures


Introduction to Security Assessment and Testing
Security Assessment and Testing

• Security assessment is performed to identify the current security status of an information system or an organization.
• The goal of security assessment and testing is the early identification of technical, operational, and system deficiencies.
• The assessment provides recommendations for improvement which allows the organization to reach a security goal that mitigates risk and enables the organization.
• This is to ensure that appropriate and timely corrective actions can be applied before using the system in the production environment.

Types of security assessment: vulnerability assessment, penetration testing, and security audits.
Design and Validate Assessment, Test, and Audit Strategies
Audits and Types of Audits

Audit

• An audit is a systematic, repeatable process, where a competent, independent professional evaluates one or more controls, interviews personnel, obtains and analyzes evidence, and develops a written opinion on the effectiveness of the control(s).
• The purpose of a risk audit is to provide reasonable assurance that adequate risk controls exist and are operationally effective.
Audits and Types of Audits

Internal Audit
• Performed by an organization’s internal staff
• Reports are typically intended for an internal audience
• The disadvantages are:
  o Conflict of interest
  o Hidden agenda

External Audit
• Performed by third-party auditors
• Reports are intended for third-party stakeholders
• They are unaware of the internal dynamics and politics, hence they may not have any hidden agendas
• Major disadvantage is the cost
• Signing an NDA is a prerequisite
Internal and Third-Party Audits

Most regulations mandate an audit, which is an evidence gathering process.

There are three types of audits:

First-party
• Internal audit for and by the organization itself
• Used to confirm or improve the effectiveness of management systems

Second-party
• External audit done by customers, regulators, or any external party with a formal interest in an organization

Third-party
• External audit performed by independent organizations such as registrars (certification bodies) or regulators
Audit Strategy

Audit strategies:
• A clear set of goals should be established.
• The scope of the audit should be determined in coordination with business unit managers.
• The business unit managers should be included early in the audit planning process and should be engaged throughout the audit life cycle.

An audit can be driven by the following factors:
• Compliance requirements
• Significant changes to the architecture
• New developments in the threat the organization is facing
Audit Process

The audit process typically happens as described below:

01 Involving stakeholders
• Bring in business unit managers at the earliest stage possible
• Ensure the business needs are identified and addressed

02 Goal
• Determine the goal of the audit

03 Audit team
• Choose the right audit team
• Choose whether the team will consist of internal or external personnel depending on the goals, scope, budget, and available expertise

04 Scope
• Determine the scope of the assessment

05 Conduct the audit
• Stick to the plan and document deviations

06 Plan the audit
• Ensure all goals are met on time and are in the budget

07 Communicate
• Communicate to the right leaders in order to achieve and sustain a strong security posture

08 Documentation
• Document the results
• Documentation should start at the beginning of the planning process and continue all the way to the results
Elements of a Finding

The results of the audit have five elements in them, namely:

01 Condition: Statement that describes the results of the audit
02 Criteria: Standards used to measure the activity or performance of the auditee
03 Cause: Explanation of why a problem occurred
04 Effect: The difference between and significance of the condition and the criteria
05 Recommendation: Action that must be taken to correct the cause
Assessments

An assessment is an evaluation of controls to meet management expectations.

• Formal assessments are performed by independent assessors using procedures dictated by the relevant compliance standards.
• The scope of the assessment is driven by compliance requirements such as GDPR, the Sarbanes-Oxley Act, or the Health Insurance Portability and Accountability Act (HIPAA).
• The scope of the assessment and its reporting is determined by management.
• Informal assessments might be performed by internal assessors and rely on documented and established organizational processes to improve controls effectiveness and efficiency.
SOC Reports and Security Assessments

SOC Reports are designed to help service organizations, and organizations that operate information systems and provide information system services to other entities, build customer trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant (CPA).

SOC reports are a series of accounting standards that measure the control of financial information for a service organization.
SOC Reports and Security Assessments

Each of the following types of SOC report is designed to help service organizations meet specific user needs:

• SOC 1 Report
• SOC 2 Report
• SOC 3 Report
SOC 1 Report

The report on controls at a service organization relevant to user entities’ internal control over financial reporting is prepared according to the Statement on Standards for Attestation Engagements (SSAE) 18 and is an enhancement to the previous standard for Reporting on Controls, the SAS 70.

There are two types of reports:

• Type 1: Evaluates and reports on the design of controls put into operation on a certain date
• Type 2: Includes the design and testing of controls to report on their operational effectiveness over a period (typically six months)

Use of these reports is restricted to the management of the service organization, user entities, and user auditors.
SOC 2 Report

This is a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. An SOC 2 report has the same options as the SSAE 16 report where a service organization can decide to go under a Type 1 or Type 2 audit. The criteria for these engagements are contained in the Trust Services Principles Criteria and Illustrations.

There are two types of reports:

• Type 1: Report on management’s description of a service organization’s system and the suitability of the design of controls
• Type 2: Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls

Use of these reports is generally restricted and is at the discretion of the auditor using the guidance outlined in the standard.
SOC 2 Reports

SOC 2 is based on Trust Criteria modeled around four broad areas: Policies, Communications, Procedures, and Monitoring. The Principles and Criteria are jointly set by the AICPA and Canadian CPAs. The Trust Services Criteria are:

• Security: The system is protected against unauthorized access, use, or modification, both physical and logical.
• Availability: The system is available for operation and use as committed to or agreed upon.
• Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
• Confidentiality: Information designated as confidential is protected as committed to or agreed upon. It particularly applies to sensitive business information.
• Privacy: The system’s collection, use, retention, disclosure, and disposal of personal information meet commitments in any privacy notice and the GAPP.
SOC 3 Report

• The trust services report for service organizations is designed to meet the needs of users who require assurance about the controls at a service organization.
• These assurances affect the security, availability, and processing integrity of the systems used by a service organization to process users’ information and the confidentiality or privacy of that information.
• A SOC 3 report is useful to users who do not have the need for or the knowledge necessary to make effective use of an SOC 2 Report, but require the above mentioned assurances for control at an organization.
• SOC 3 reports can be freely distributed.
SOC 1, SOC 2, and SOC 3 Comparison

SOC 1
• Purpose: Audit of Financial Statements
• Intended users: Financial Auditors, Customers, Related third parties
• Focus on: Internal controls relevant to Financial Reporting
• Report type: Type I, Type II
• Evaluates: Design of internal control; operating effectiveness of internal control during review period

SOC 2
• Purpose: GRC Programs, Oversight, Due diligence
• Intended users: Management, Regulators, Related third parties
• Focus on: Operational controls regarding security, availability, processing integrity, confidentiality or privacy
• Report type: Type I, Type II
• Evaluates: Design of internal control; operating effectiveness of internal control during review period

SOC 3
• Purpose: Marketing or General purpose
• Intended users: Anyone with a need for confidence in service organizations controls
• Focus on: Easy to read report on controls
• Report type: General
• Evaluates: Design of controls related to SOC 2 objectives

Information source: https://accedere.io/soc-reporting-services.html


Internal Audit and Assessment

The purpose of internal assessment is to determine if the security controls meet the organization’s risk expectations.

The internal assessment can help the organization to:

• Determine if the organization is meeting its own security standards
• Increase staff awareness of security requirements
• Prepare for an external audit
• Identify the gaps or areas for improving the efficiency of operations
• Understand where preventive or corrective action is needed
• Identify areas for security education or training needs
Steps to Conduct Internal Assessment

Step 01: Create a charter
Step 02: Perform assessment
Step 03: Prepare and present assessment findings report
Step 04: Remediate
Charter

A charter is a formal document that defines the purpose, authority, scope, responsibility, and position of the people performing the assessment.

• The charter must be approved by the senior management.
• Scoping the assessment is also the responsibility of management.

The charter covers: authority, scope, and responsibility.
Scope of Assessment

The scope of the assessment will address physical, technical, and administrative controls, including the people, processes, and technologies used to support the business. There are two kinds of assessments based on the scope:

Vulnerability assessment
• Vulnerability assessment is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated.

Penetration test
• Penetration test is the evaluation of system security in a realistic simulation of an attacker who intends to break into a target system.
• Unlike a vulnerability assessment, a penetration test not only identifies likely weaknesses, but tries to exploit the potential weakness.
Assessment Report

• The assessment report should document the process followed, observations, evidence, findings, conclusions, and recommendations.
• The assessment report should be presented to relevant levels of senior management.
• The exact format of the report will vary by organization.
• The level of detail presented will vary by audience.
• The report should contain sufficient evidence to support the findings.
• The audit artifacts collected during the assessment must be protected from alteration or inappropriate disclosure.
Remediation

The results of internal assessment may identify areas where corrective actions or improvements are warranted.
• The timetable for remediation of the audit findings should be agreed upon.
• Issues identified should be prioritized and fixed during the assessment.
• Internal assessment should be subject to continual process improvement.

Plan of Action and Milestones (POAM) is a document that identifies tasks for remediation. It details
resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and
scheduled completion dates for the milestones.
External Audit and Assessment

An audit is an assessment performed by an independent third-party to demonstrate that the organization’s controls and practices meet a compliance standard.

Non-compliance could result in fines, litigations, limitations on business activities, or other consequences.
Types of Audits

The following list illustrates different types of audits:

• Functional audit: Functionality; Performance
• IS Audit: IT governance alignment; Internal controls effectiveness; Information systems security
• Computer Forensic audit: Electronic devices
• Compliance Audit: Regulatory; Industry-specific standards; 3rd party service audit
• Specialized Audit: Fraud audit; Forensic audit
• Financial Audit: Financial records integrity
• Administrative Audit: Operational efficiency
• Operational Audit: Internal controls effectiveness; Internal controls efficiency
• Integrated Audit: Combines operational and financial audits
Steps to Conduct an External Audit

Steps to conduct an external audit:

1. Create an audit charter
2. Audit planning
3. Perform audit
4. Prepare and present audit report


Audit Planning

Audit planning is an important activity for both internal and external audits.

An audit plan is a project plan that will help the auditor to:
• Gain an understanding of the clients and their business
• Establish priorities
• Determine an audit strategy
• Determine the type of evidence to collect based on the risk levels
• Determine the skills required to examine and evaluate processes and information systems
• Schedule with the client to coordinate activities

Information source: https://www.schools.utah.gov/file/1e864d3a-9cd5-4933-a2f2-5d6e2a4e4535


Third-Party Audit and Assessment

Third-party audit and assessment evaluates the security controls of the supply chains and service providers. The third-party contract with a contractor or vendor must contain a specific provision for the right to audit.

Supply chain security standards:
• ISO 28000
• UK NCSC (National Cyber Security Centre) Principles
Principle of Supply Chain Security

There are four principles of supply chain security. They are explained below:

I. Understand the risks
• Understand what needs to be protected and why
• Know who your suppliers are and build an understanding of what their security looks like
• Understand the security risk posed by your supply chain

II. Establish control
• Communicate your view of security needs to your suppliers
• Set and communicate minimum security requirements for your suppliers
• Build security considerations into your contracting processes and require that your suppliers do this as well
• Meet your own security responsibilities as a supplier and consumer
• Raise awareness of security within your supply chain
• Provide support for security incidents

III. Check your arrangements
• Build assurance activities into your approach to managing your supply chain

IV. Continuous improvement
• Encourage the continuous improvement of security within your supply chain
• Build trust with suppliers

Information source: https://www.ncsc.gov.uk/collection/supply-chain-security/principles-supply-chain-security


Testing

• Compliance testing (test of controls): Compliance testing determines whether controls follow management policies and procedures.
• Substantive testing (test of details): Substantive testing evaluates the accuracy and integrity of individual transactions, data, or other information.

Presence of adequate internal controls (established through compliance testing) minimizes the number of substantive tests that must be done.
Conduct Security Control Testing
Vulnerability Assessment

Vulnerability
• A vulnerability is defined in the ISO 27002 standard as a weakness of an asset or a group of assets that can be exploited by one or more threats (International Organization for Standardization, 2005).

Vulnerability assessment
• It is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated.

Vulnerability assessment objectives
• The main objective of a vulnerability management process is to detect and remediate vulnerabilities in a timely fashion.
Vulnerability Assessment

The vulnerability assessment steps are:

1. Identify the assets or resources
2. Assign a quantifiable level of importance to the resources identified
3. Identify vulnerabilities or potential threats to each resource
4. Develop a strategy to mitigate or eliminate the most serious vulnerabilities of the most valuable resources
5. Define and implement ways to minimize the consequences if an attack does occur
Types of Vulnerability Assessments

The three types of vulnerability assessments are:

Personnel testing
• Identifying vulnerabilities in standard employee practices and demonstrating social engineering attacks

Physical testing
• Reviewing facility and perimeter protection mechanisms
• Performing physical security vulnerability assessments

System and network testing
• Assessing the system using:
  o Network discovery scan
  o Network vulnerability assessment
  o Web application vulnerability scan
Network Discovery Scan

Network discovery scan
• They search for systems with open ports.
• They do not probe systems for vulnerabilities.

Tools commonly used
• NMAP
• Angry IP Scanner
Network Discovery Scan

There are four network discovery scan techniques:

TCP SYN scanning
• Sends a single packet to each scanned port with the SYN flag set
• If it receives a response with SYN and ACK flags set, this indicates the port is open at the sender’s end
• This is also called half-open scanning

TCP connect scanning
• Opens a full connection to a remote system on the specified port
• Used when the user running the scan does not have necessary permissions to run a half-open scan

TCP ACK scanning
• Sends a packet with the ACK flag set, indicating that it is part of an open connection

Xmas scanning
• Sends a packet with the FIN, PSH, and URG flags set
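The four techniques differ only in which TCP flags the scanner sends and whether it ever completes the handshake, so a defender can tell them apart from the same flag sets the slide lists. The following added example (not part of the course material) shows that detection logic run over a constructed packet capture: it groups packets into per-port flows, labels each flow as a SYN (half-open), connect, ACK, or Xmas probe, and reports sources that used one technique against several distinct ports. The sample addresses, ports, and the three-port alert threshold are constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample: TCP packets seen by a sensor in front of one monitored host.
# Only packets sent TOWARD the host are included (the sensor filters on direction).
# Each record is (source IP, destination IP, destination port, set of TCP flags).
SAMPLE_PACKETS = [
    # 10.0.0.5: SYN, then RST once the SYN/ACK comes back -> half-open (SYN) scan
    ("10.0.0.5", "192.168.1.10", 22, {"SYN"}),
    ("10.0.0.5", "192.168.1.10", 22, {"RST"}),
    ("10.0.0.5", "192.168.1.10", 80, {"SYN"}),
    ("10.0.0.5", "192.168.1.10", 80, {"RST"}),
    ("10.0.0.5", "192.168.1.10", 443, {"SYN"}),
    ("10.0.0.5", "192.168.1.10", 443, {"RST"}),
    # 10.0.0.7: SYN, then ACK completing the three-way handshake -> TCP connect
    ("10.0.0.7", "192.168.1.10", 25, {"SYN"}),
    ("10.0.0.7", "192.168.1.10", 25, {"ACK"}),
    ("10.0.0.7", "192.168.1.10", 25, {"ACK", "PSH"}),
    # 10.0.0.9: FIN+PSH+URG with no prior handshake -> Xmas probe
    ("10.0.0.9", "192.168.1.10", 135, {"FIN", "PSH", "URG"}),
    ("10.0.0.9", "192.168.1.10", 139, {"FIN", "PSH", "URG"}),
    ("10.0.0.9", "192.168.1.10", 445, {"FIN", "PSH", "URG"}),
    # 10.0.0.11: bare ACK with no handshake -> ACK probe
    ("10.0.0.11", "192.168.1.10", 3389, {"ACK"}),
    ("10.0.0.11", "192.168.1.10", 8080, {"ACK"}),
]


def classify_flow(client_flags):
    """Label one (source, destination, port) flow from the ordered flag sets the
    client sent. SYN followed by a plain ACK completed the handshake (connect scan
    or a genuine client); SYN never followed by an ACK is a half-open probe; a bare
    ACK or FIN+PSH+URG with no handshake is an ACK or Xmas probe respectively."""
    first = client_flags[0]
    if first == {"FIN", "PSH", "URG"}:
        return "xmas"
    if first == {"ACK"}:
        return "ack"
    if first == {"SYN"}:
        for flags in client_flags[1:]:
            if "ACK" in flags and "SYN" not in flags:
                return "connect"
        return "syn"
    return "other"


def classify_packets(packets):
    """Group packets into flows, label each flow, and return
    {source_ip: {technique: set(destination ports)}}."""
    flows = defaultdict(list)
    for src, dst, dport, flags in packets:
        flows[(src, dst, dport)].append(frozenset(flags))
    by_source = defaultdict(lambda: defaultdict(set))
    for (src, dst, dport), flag_list in flows.items():
        by_source[src][classify_flow(flag_list)].add(dport)
    return by_source


def suspected_scans(packets, threshold=3):
    """Sources that used the same probe technique against at least `threshold`
    distinct ports, as a sorted list of (source, technique, port_count). A single
    connect-scan flow looks exactly like a normal client, so the distinct-port
    threshold, not the flow label alone, is what justifies an alert."""
    hits = []
    for src, techniques in classify_packets(packets).items():
        for technique, ports in techniques.items():
            if len(ports) >= threshold:
                hits.append((src, technique, len(ports)))
    return sorted(hits)


if __name__ == "__main__":
    for src, technique, count in suspected_scans(SAMPLE_PACKETS):
        print(f"{src}: {technique} probe against {count} distinct ports")
```

With the constructed sample, the SYN scanner and the Xmas scanner cross the three-port threshold and are reported, the single completed connection on port 25 is labelled `connect` but never alerted, and the two bare ACK probes stay below the threshold. Raising or lowering `threshold` is the trade-off between the false positives and false negatives the next slide discusses.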
Network Vulnerability Scan

Network vulnerability scan
• It goes deeper than the discovery scan.
• It continues to probe the network for the presence of known vulnerabilities.
• The tools contain a database of known vulnerabilities along with the tests they can perform to identify these vulnerabilities.

Two common problems
• False-positive: Reporting a vulnerability without having substantial evidence to prove it or reporting by mistake, leading to a nuisance
• False-negative: Not identifying a vulnerability and failing to report it as a part of the results, leading to a dangerous situation
Network Vulnerability Scan

Types of scans

Unauthenticated or noncredentialed scan:
• It is the process of exploring a network or a networked system for vulnerabilities that are accessible without logging in as an authorized user.
• It inspects the security of a target system from an outsider’s perspective.

Authenticated or credentialed scan:
• It is a method in which vulnerability testing is performed as a logged in or authenticated user.
• Authenticated scans help reduce the false-positive or false-negative results.
• Authenticated scans are performed with read-only access to the servers being scanned.
Network Vulnerability Scan

Tools used
• Tenable Nessus, OpenVAS, Microsoft Baseline Security Analyzer (MBSA), and Retina Network Scanner Community Edition
Web Vulnerability Scan

Web vulnerability scan
• The process of testing, analyzing, and reporting on the security level and posture of a Web application
• Uses special purpose scanners that analyze Web applications for known vulnerabilities
• Can discover vulnerabilities not visible to network vulnerability scanners
Web Vulnerability Scan

Ideal scenarios
• Scanning all applications for the first time
• Scanning any new application before moving to production
• Scanning any modified application before it moves to production
• Scanning all applications on a scheduled and recurring basis

Web Vulnerability Scan: Tools

Web application scanners
• Acunetix, QualysGuard, and Burp Suite
Penetration Testing

Penetration testing:
• Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network, or Web application to find security vulnerabilities that an attacker could exploit.
• Penetration testing is the process of determining the true nature and impact of a given vulnerability by exploiting existing vulnerabilities.
• Considered to be the next level in vulnerability assessments, it simulates an actual attack and is also known as ethical hacking, red teaming, tiger teaming, or vulnerability testing.
• Its goal is to measure an organization’s level of resistance to an attack and to uncover any weaknesses within the environment.

Penetration Testing: Tools

Penetration testing tools:
• Metasploit, Kali Linux, and Aircrack-ng
Discussion

A penetration test is considered a realistic emulation of an attacker who intends to break into the target system.
1. What could the organization do to ensure that the penetration tester does not disclose the sensitive or proprietary data during the test in an unauthorized manner?
2. What could the tester do to protect themselves from the legal implications of penetration testing which is technically similar to a real attack?
Penetration Testing Process

Phases of penetration testing:

1. Discovery: Footprinting and gathering information about the target
2. Enumeration: Performing port scans and resource identification methods
3. Vulnerability mapping: Identifying vulnerabilities in the systems and resources
4. Exploitation: Attempting to gain unauthorized access by exploiting vulnerabilities
5. Reporting: Reporting the findings to the management
Penetration or Vulnerability Testing Types

Black-box testing (zero knowledge)
• The tester has no prior knowledge of the internal design or features of the system.
• It is the most accurate method to simulate an external attacker.
• It will probably not detect all vulnerabilities.
• The testing team may inadvertently impact another system.

White-box testing (full knowledge)
• The tester has complete knowledge of the internal system.
• It allows the test team to target specific internal controls and features.
• It may yield a more complete result.
• It may not be representative of an external hacker.

Gray-box testing (partial knowledge)
• Some information about internal working is given to the tester.
• It helps guide their tactics toward areas that need to be thoroughly tested.
• This approach mitigates the risks of the other two models.

Blind tests
• The tester only has publicly available data to work with.
• The network security team has prior knowledge of this test to defend against an attack.

Double blind tests
• It is also known as stealth assessment.
• It is a blind test to both the tester as well as the security team.
• It is used to evaluate the security levels and responses of the security team.
• It is a realistic demonstration of the likely success or failure of an attack.

Targeted tests
• It involves external and internal parties carrying out a focused test on specific areas of interest.
Log Management and Review

• In IT, an event log is a basic resource that helps provide information about network traffic, system traffic, and other conditions.
• An event log stores these data for retrieval by security professionals or automated security systems to help IT administrators manage various aspects such as security, performance, and transparency.
• Apart from records related to computer security, logs are generated from many other sources such as antivirus software, firewalls, intrusion detection, and prevention systems.
Log Management and Review

Log management is the collective processes and policies used to administer and facilitate the generation, transmission, analysis, storage, archiving, and ultimate disposal of the large volumes of log data created within an information system.

• System logs are examined to detect security events or verify effectiveness of security controls.
• Key requirement for an effective log review is the time synchronization across all the log sources.
• NTP is the protocol for time synchronization (UDP 123).
Log Management Phases

Log management is done in the following steps:

1. Log generation: Logs are generated from different devices and systems.
2. Log transmission: Logs are transmitted to some separate storage or log server.
3. Log storage: Logs are stored securely in some centralized log server.
4. Log analysis: Logs are analyzed to detect incidents or for a forensics purpose.
5. Log disposal: After the logs have lived their life cycles, they are disposed securely.
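The log analysis phase only works when every source's timestamps line up, which is why the earlier slide calls time synchronization the key requirement for log review. The following added example (not part of the course material) shows why: it takes two constructed log sources, a firewall that writes epoch seconds and a Linux host that writes local time with a +0100 offset, normalizes both to UTC, merges them into one timeline, and then runs a simple detection over the result (several failed logins followed by a success from the same address). Without the normalization the host's entries would sort an hour later than the firewall's, and the sequence would never line up. Log formats, addresses, hostnames, and the three-failures-in-60-seconds rule are all constructed for the illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample logs. The firewall writes epoch seconds (always UTC); the
# Linux host writes local time with an explicit +0100 offset. One firewall line
# is deliberately malformed to show how unparseable input is handled.
FIREWALL_LOG = [
    "1709288100 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "1709288105 fw1 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "not a log line at all",
]
AUTH_LOG = [
    "2024-03-01T11:15:10+0100 host1 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T11:15:14+0100 host1 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T11:15:19+0100 host1 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T11:15:25+0100 host1 sshd: Accepted password for root from 203.0.113.7",
]

FW_RE = re.compile(r"^(\d+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_firewall(line):
    """Epoch seconds carry no zone ambiguity: interpret them directly as UTC."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return {"ts": ts, "source": m.group(2), "kind": m.group(3).lower(), "ip": m.group(4)}


def parse_auth(line):
    """Local time with an explicit offset: %z reads the offset, astimezone() converts."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)
    kind = "auth_fail" if m.group(3) == "Failed" else "auth_ok"
    return {"ts": ts, "source": m.group(2), "kind": kind, "ip": m.group(5)}


def build_timeline(sources):
    """sources: list of (parser, lines). Returns (events sorted by UTC time, lines
    the parser rejected) so a malformed line is reported rather than silently lost."""
    events, unparsed = [], []
    for parser, lines in sources:
        for line in lines:
            event = parser(line)
            if event is None:
                unparsed.append(line)
            else:
                events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events, unparsed


def detect_bruteforce(events, failures=3, window_s=60):
    """(ip, ISO time of success) for every successful login preceded by at least
    `failures` failed logins from the same IP within `window_s` seconds."""
    fails = {}
    alerts = []
    for event in events:
        if event["kind"] == "auth_fail":
            fails.setdefault(event["ip"], []).append(event["ts"])
        elif event["kind"] == "auth_ok":
            recent = [t for t in fails.get(event["ip"], [])
                      if 0 <= (event["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= failures:
                alerts.append((event["ip"], event["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    timeline, bad = build_timeline([(parse_firewall, FIREWALL_LOG), (parse_auth, AUTH_LOG)])
    for event in timeline:
        print(event["ts"].isoformat(), event["source"], event["kind"], event["ip"])
    print("unparsed:", bad)
    print("alerts:", detect_bruteforce(timeline))
```

Every event in the merged timeline carries a UTC timestamp, so the firewall's ALLOW at 10:15:05Z correctly precedes the first failed password at 10:15:10Z even though the host recorded it as 11:15:10 local time. The malformed line is returned separately instead of being dropped, which matters for the integrity of the log analysis phase: an analyst should know how many lines the parser could not interpret.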
Log Tampering Prevention

It is vital to maintain the integrity of log data. Here are the methods to prevent it from being tampered with:

• Remote Logging: Putting a log file into another device will protect it from being tampered with in a compromised system
• Simplex Communication: Using a one-way communication between the reporting devices and the central log repository; accomplished by severing the receive pairs on an ethernet cable
• Replication: Making multiple copies and keeping them in different locations
• Write-Once Media: Using write-once media to prevent unauthorized modifications to log files
• Cryptographic Hash: Powerful technique for ensuring unauthorized modifications are easily noticed
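The cryptographic hash method is easiest to understand as a chain: each log entry stores the hash of the entry before it, so changing any record breaks every hash that follows. The following added example (not part of the course material) implements such a chain with HMAC-SHA256, verifies it, and then shows what the check does and does not catch: an edited middle record is detected, but simply deleting the newest entries leaves a chain that still verifies, which is why the head hash has to be witnessed somewhere the log writer cannot reach (remote logging or write-once media from the same slide). The key, the record contents, and the `tamper_demo` scenario are constructed for the illustration; with a plain unkeyed hash an attacker who can write the log could rehash everything after the edit, so the key must not live on the box that produces the log.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev pointer of the first entry: there is nothing before it


def entry_digest(key, prev_hash, record):
    """HMAC-SHA256 over the previous entry's hash and the canonical JSON of the record."""
    msg = prev_hash.encode() + b"\n" + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(chain, key, record):
    """Append a record, linking it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_digest(key, prev, record)})
    return chain


def verify_chain(chain, key):
    """Index of the first entry whose prev pointer or hash does not check out, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = entry_digest(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], expected):
            return i
        prev = entry["hash"]
    return -1


def head_hash(chain):
    """Hash of the newest entry. Storing this off-box is what makes truncation detectable."""
    return chain[-1]["hash"] if chain else GENESIS


def tamper_demo(key=b"constructed-demo-key"):
    """Build a three-entry chain and exercise each check. Key and records are constructed."""
    chain = []
    for msg in ["user alice logged in", "firewall rule changed", "user alice logged out"]:
        append_entry(chain, key, {"msg": msg})
    saved_head = head_hash(chain)  # what an off-box witness would hold

    # Editing a middle record: that entry's stored hash no longer matches
    edited = [dict(e, record=dict(e["record"])) for e in chain]
    edited[1]["record"]["msg"] = "nothing happened"

    # Deleting the newest entry: every remaining link is still consistent
    truncated = chain[:-1]

    return {
        "intact": verify_chain(chain, key),                  # -1
        "edited": verify_chain(edited, key),                 # 1
        "truncated": verify_chain(truncated, key),           # -1: internal check passes
        "head_changed": head_hash(truncated) != saved_head,  # True: the witness catches it
        "wrong_key": verify_chain(chain, b"wrong-key"),      # 0: nothing verifies
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

In operation the verifier runs on the central log server with the key, and the head hash is periodically copied to a location the log producer cannot write (the replication and write-once methods above); a chain that verifies internally but whose head disagrees with the witnessed copy has been truncated.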
Log Management: Advantages and Challenges

Advantages
• Confidentiality, integrity, and availability of logs
• Forensic investigations
• Auditing
• Identifying security incidents
• Identifying fraud
• Identifying operational issues
• Establishing baselines

Challenges
• Managing large quantities of logs from various sources
• Discrepancies in log content, timestamps, and formats
Log Management: Best Practices

The best practices for log management are:

• Establish log management policies and procedures
• Prioritize requirements for log management process
• Define roles and responsibilities
• Create and maintain log management infrastructure
• Support the staff responsible for log management
Real Transaction and Synthetic Transaction

Real Transaction
• Transactions that are initiated by an end-user are called real transactions.

Synthetic Transaction
• An automatic script-based transaction with an expected output is called a synthetic transaction.
• It allows the behavior and performance of critical services to be tested systematically.
• It can help test a new service by mimicking end-user behavior to ensure the systems work as they should.
• This is an effective way of testing the software from outside.
Real User Monitoring vs. Synthetic Transactions

Real User Monitoring (RUM)
• RUM is a passive monitoring technology which determines if users are being served correctly and quickly.
• It records all user interaction with a website or client interaction with a cloud-based application or server.
• It accurately captures the actual user experience.
• It tends to produce noisy data and thus may require more back-end analysis.
• It lacks the elements of predictability and regularity, which could mean that a problem won't be detected during low utilization periods.

Synthetic Transaction
• Actions performed on monitored objects in real time are called synthetic transactions.
• Synthetic performance monitoring is proactive and involves external agents running scripted transactions against a web application.
• In synthetic transactions, real user sessions are not tracked.
• Some of the tools used are Microsoft System Center Operations Manager and Foglight Transaction Recorder.
• Some examples of functionalities are monitoring websites, databases, and TCP ports.
Security Testing in the SDLC

01 Plan and Design
• Architecture security review
• Threat modeling

02 Application Development
• Manual code review
• Static Source Code Analysis
• Manual binary review
• Static binary analysis

03 Testing
• Vulnerability assessment scanning
• Manual and automated penetration testing
• Fuzzing

04 Operations and Maintenance
• Security testing of patches
• White box testing or code-based testing
• Black box testing
Testing Techniques

Testing can be:

• Manual or automatic
• Black box and white box
• Static or dynamic

Conducting a test requires understanding of:

• Type of application
• Attack surface
• Technologies supported
• Quality of results and usability
• Performance
• Resource utilization
Software Product Testing Levels

The different levels of product testing are:

Unit level
• Tests individual units or components of a software or system
• Helps validate that each unit of the software performs as designed

Integration level
• Combines individual units and tests them as a group
• Helps expose faults in the interaction between integrated units

System level
• Tests complete, integrated system, or software
• Helps evaluate the system’s compliance with the specified requirements
Software Testing Levels

There are five software testing levels. They are:

• Unit Testing
• Integration Testing
• System Testing
• Regression Testing
• User Acceptance Testing
Code Review and Testing

• Code review is a systematic examination of instructions that comprise a piece of software performed by someone other than the author of that code.
• It is the foundation of software assessment programs.
• It is often known as peer review.
• It starts with the organization setting the coding standards to be followed.
• The preliminary step to code review is to ensure the developer followed the defined coding standard.
• After this step, the reviewer will check for functions which are not needed or procedures that may lead to a code bloat which makes it harder to maintain and secure the application.
• A coding error can make a system vulnerable and compromise its security entirely. Security must be included in all the phases of the Software Development Life Cycle (SDLC).
Code Review and Testing

Software vulnerabilities are mainly caused by:
• Logical flaws
• Insufficient checking of parameters
• Functional bugs
• Bad programming
• Misconfiguration
Fagan Code Review Process

• Fagan inspection is a process of trying to find defects in documents such as the source code
or formal specifications during various phases of the software development process.
• It is named after Michael Fagan who is credited with being the inventor of formal software
inspections.
• This level of formality is normally found only in highly restrictive environments where code
flaws may have a catastrophic impact.

Fagan Code Review Phases

Planning Overview Preparation Inspection Rework Follow-up


Testing Methods

Static Testing

• It evaluates the security of software without running it.
• It usually involves the use of automated tools designed to detect common software flaws such as buffer overflows.
• In mature development environments, developers are given access to static analysis tools to use throughout the design, build, and test processes.
• It helps developers identify programming flaws and vulnerabilities.
• Static analysis can never reveal logical errors and design flaws.
Testing Methods

Dynamic Testing

• It evaluates the security of software in a runtime environment and is often the only option for organizations deploying applications developed by someone else.
• Sometimes, testers do not have access to the source code.
• Dynamic testing can involve the use of synthetic testing.
• It is effective for compatibility tests, detecting memory leaks, identifying dependencies, and analyzing software without having to access the software’s actual source code.
Dynamic Testing Methods

Fuzz testing is a specialized dynamic testing technique that provides different inputs to software to stress its limits and find previously unknown flaws.

Mutation (Dumb) Fuzzing
• Takes previous input values from actual operations of the software and manipulates them to create fuzzed input
• Might alter the characters of the content and append strings
• Example: the ZZUF tool automates the process of mutation fuzzing

Generational (Intelligent) Fuzzing
• Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program
• Example: Peach Fuzzing Platform
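As an added illustration of the two fuzzing styles above (example code written for this page, not from the course, ZZUF or Peach): a small constructed record parser with a typical length-handling defect, a mutation fuzzer that perturbs recorded valid inputs with no knowledge of the format, and a generational fuzzer that builds inputs from a model of the format. The parser, the record format, the seeds and the mutation operators are all assumptions made for the demonstration; the oracle treats any exception other than the parser's documented ValueError as a finding.

```python
"""Mutation ("dumb") versus generational ("intelligent") fuzzing against a
constructed record parser. Target, format and fuzzers are demo assumptions."""
import random

# Constructed record format: type (1 byte), length (1 byte), payload, checksum (1 byte).
RECORD_TYPES = {0x01: "ping", 0x02: "data", 0x03: "close"}


def parse_record(data: bytes) -> dict:
    """Demo target. Its documented error path is ValueError; anything else is a defect.
    The defect is typical of hand-written parsers: the declared length is trusted
    when locating the checksum byte."""
    if len(data) < 3:
        raise ValueError("record too short")
    rtype, length = data[0], data[1]
    if rtype not in RECORD_TYPES:
        raise ValueError(f"unknown record type {rtype:#x}")
    payload = data[2:2 + length]
    checksum = data[2 + length]          # IndexError when declared length > actual
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return {"type": RECORD_TYPES[rtype], "payload": payload}


def build_record(rtype: int, payload: bytes) -> bytes:
    """Well-formed record, used both as seed input and as the generational model."""
    return bytes([rtype, len(payload)]) + payload + bytes([sum(payload) & 0xFF])


# Seeds: inputs "captured from normal operation" of the demo target (constructed).
SEEDS = [build_record(0x01, b""), build_record(0x02, b"hello"), build_record(0x03, b"x")]


def run_target(data: bytes):
    """Oracle: None when the parser behaves as documented, else the unexpected exception."""
    try:
        parse_record(data)
    except ValueError:
        return None
    except Exception as exc:  # the fuzzer wants every unexpected failure
        return exc
    return None


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Dumb mutation: no knowledge of the format, just byte-level edits of a seed."""
    buf = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)           # overwrite a byte
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)        # flip a bit
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]                         # truncate the tail
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))  # append junk
    return bytes(buf)


def mutation_fuzz(seeds, iterations, seed=1):
    """Returns the first input that makes the target fail unexpectedly, or None."""
    rng = random.Random(seed)
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        if run_target(candidate) is not None:
            return candidate
    return None


def generational_fuzz(iterations, seed=1):
    """Intelligent fuzzing: build records from the format model and violate one
    field (here the length) some of the time, so the checksum still matches."""
    rng = random.Random(seed)
    for _ in range(iterations):
        rtype = rng.choice(list(RECORD_TYPES))
        payload = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 8)))
        declared = len(payload) if rng.random() < 0.5 else rng.randrange(256)
        candidate = bytes([rtype, declared]) + payload + bytes([sum(payload) & 0xFF])
        if run_target(candidate) is not None:
            return candidate
    return None
```

The mutation fuzzer finds the defect because truncating or overwriting bytes eventually makes the declared length exceed the remaining data; the generational fuzzer gets there in far fewer iterations because it knows which field to lie about while keeping the rest of the record valid, which is the trade-off the slide describes.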
Use Case Testing or Positive Testing

• A use case describes the sequence of actions between the user and the system that result in an expected output.
• Use cases are textual but are graphically represented using the Unified Modeling Language (UML).
• Use cases are related to one another in a variety of ways called associations.
• Use cases are mainly helpful in determining the normal or expected behavior of a system rather than in assessing its security.

(UML diagram: Online Shopping System. Actors: Customer, Identity Provider, Credit Payment Service, PayPal. Use cases: View Items, Make purchase, Complete Checkout, Log in; Authentication is a <<service>> linked via <<include>>.)
Misuse Case or Abuse Case Testing

• Misuse case is a use case that includes threat actors and the actions they want to perform on a
system.

• Under UML, threat actors are represented as stick figures with shaded heads and their actions
are depicted as shaded ovals.

• The misuse case is meant to threaten a specific portion or an illegitimate use case of the system.

• Misuse case testing helps to ensure one has effectively addressed each of the risks identified and
has decided to mitigate them during the risk assessment phase.

• A misuse case doesn’t require including all the possible threats to the system, but it should include the ones that had to be addressed.

• Misuse cases are used by software developers to evaluate the vulnerability of their software to
known risks.
Misuse Case or Abuse Case Testing

Misuse case testing scenarios:
• Allowed data limits and bounds
• Reasonable data
• Populating the required fields
• Allowed number of characters
• Correspondence between data and field types
• Web session testing
Use Case vs. Misuse Case

Use Case
• System is verified using valid forms of input data
• Used to test whether the application works as expected
• Test fails if an error is encountered during testing

Misuse Case or Abuse Case
• System is verified against invalid input data
• Used to detect situations such as unexpected user behavior or invalid input and prevent applications from crashing
• Finds application’s weak points and helps to improve its quality
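To make the use case / misuse case distinction concrete, here is an added example (not from the course material) of a constructed order-submission handler with a positive test set and a negative test set, one negative case per misuse scenario listed above. The handler, its limits, the session store, the token values and the field names are assumptions for the demonstration; the point is that every misuse input is rejected with the handler's own error rather than an unhandled crash.

```python
"""Use-case (positive) and misuse-case (negative) tests for a constructed
order-submission handler. The handler and its session store are demo code."""
import re
import time

MAX_QTY = 100
MAX_NAME_LEN = 64
REQUIRED = ("session", "item", "qty", "name")
SESSION_TTL = 900  # seconds

# Constructed session store: token -> (user, issued_at). One fresh, one expired.
SESSIONS = {"tok-valid": ("alice", time.time()),
            "tok-stale": ("bob", time.time() - 2 * SESSION_TTL)}


class RejectedInput(Exception):
    """Raised for any request the handler refuses; never an unhandled crash."""


def submit_order(form: dict) -> dict:
    """Demo handler: validates every field before doing any work."""
    missing = [f for f in REQUIRED if f not in form]
    if missing:
        raise RejectedInput(f"missing required fields: {missing}")
    session = SESSIONS.get(form["session"])
    if session is None or time.time() - session[1] > SESSION_TTL:
        raise RejectedInput("invalid or expired session")
    qty = form["qty"]
    if not isinstance(qty, int) or isinstance(qty, bool):
        raise RejectedInput("qty must be an integer")
    if not 1 <= qty <= MAX_QTY:
        raise RejectedInput("qty out of bounds")
    name = form["name"]
    if not isinstance(name, str) or not 1 <= len(name) <= MAX_NAME_LEN:
        raise RejectedInput("name length out of bounds")
    if not re.fullmatch(r"[A-Za-z0-9 .'-]+", name):
        raise RejectedInput("name contains disallowed characters")
    return {"user": session[0], "item": form["item"], "qty": qty}


def valid_order(**overrides):
    """A known-good request, optionally altered in one field to build a misuse case."""
    form = {"session": "tok-valid", "item": "SKU-1", "qty": 2, "name": "Alice Doe"}
    form.update(overrides)
    return form


# Use cases: valid input must produce the expected output.
USE_CASES = {
    "single item": (valid_order(), {"user": "alice", "item": "SKU-1", "qty": 2}),
    "max quantity": (valid_order(qty=MAX_QTY), {"user": "alice", "item": "SKU-1", "qty": MAX_QTY}),
}

# Misuse cases, one per scenario on the slide: each must be rejected cleanly.
MISUSE_CASES = {
    "limits and bounds: qty above max": valid_order(qty=MAX_QTY + 1),
    "limits and bounds: negative qty": valid_order(qty=-1),
    "reasonable data: zero qty": valid_order(qty=0),
    "required fields: name missing": {k: v for k, v in valid_order().items() if k != "name"},
    "number of characters: overlong name": valid_order(name="A" * (MAX_NAME_LEN + 1)),
    "data vs field type: qty as string": valid_order(qty="2"),
    "data vs field type: markup in name": valid_order(name="Alice <b>Doe</b>"),
    "web session: expired token": valid_order(session="tok-stale"),
    "web session: unknown token": valid_order(session="tok-forged"),
}


def run_use_cases():
    """Returns {case: True} when the output matches the expectation, False otherwise."""
    results = {}
    for case, (form, expected) in USE_CASES.items():
        try:
            results[case] = submit_order(form) == expected
        except Exception:
            results[case] = False
    return results


def run_misuse_cases():
    """Returns {case: 'rejected' | 'accepted' | 'crashed'}; only 'rejected' passes."""
    results = {}
    for case, form in MISUSE_CASES.items():
        try:
            submit_order(form)
            results[case] = "accepted"
        except RejectedInput:
            results[case] = "rejected"
        except Exception:
            results[case] = "crashed"
    return results
```

A misuse case that comes back as "accepted" is a missing check; one that comes back as "crashed" is the kind of weak point the slide says negative testing is meant to surface before an attacker does.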
Test Coverage Analysis

Test coverage involves a set of test cases written against the requirement specification.

• Test groups may refer to a percentage of the test cases that were run, passed, or failed.
• These are referred to as test coverage metrics.
• QA groups often use test coverage to implement test metrics according to the test plan.
• It is practically impossible to completely test a software.
• Testing professionals conduct test coverage analysis to estimate the degree of testing conducted against the new software.

It is computed using the formula:

Test coverage = (number of use cases tested) / (total number of use cases)

This is a highly subjective calculation.
Code Coverage Analysis

Code coverage refers to how well the test set is covering the source code. That is, to what extent is the source code covered by the set of test cases.

Different functionalities to be tested during code coverage:

• Condition coverage: All Boolean expressions to be evaluated for true and false
• Decision coverage: Not just Boolean expressions to be evaluated for true and false but to cover all subsequent if-else bodies
• Loop coverage: Every possible loop has been executed one time, more than once, and zero times
• Entry and exit coverage: Test for all possible calls and their return values
• Parameter Value Coverage (PVC): Check if all possible values for a parameter are tested
• Inheritance coverage: In case of an object-oriented source, when returning a derived object referred to by a base class, the coverage should be evaluated to check if the sibling object is returned
Interface Testing

An interface is an exchange point of data between the system and the user.

• It is performed to check if the different components of the application or system being developed are passing data and control correctly to one another.
• It helps to verify that all the interactions between components work correctly, check that errors are handled appropriately, and ensure high quality of software products.
• The testing should include known good and bad exchanges.
• It is a systematic evaluation of a given set of exchange points.
• Both testing and development teams perform this test.

Types of interface testing: API testing, user interface testing, physical interface testing.
Types of Interface Testing

Application Programming Interface (API)
• Offers a standard way for code modules to interact and be exposed to the outside world
• Needs to be tested by developers to ensure they enforce all security requirements

User Interfaces (UIs)
• Graphical user interfaces and command-line interfaces that provide end-users with the ability to interact with the software
• Tests should include reviews of all user interfaces to verify that they function properly

Physical Interfaces
• Exist in some applications that manipulate machinery and logic controllers
• Testers should pay careful attention to physical interfaces because of the potential consequences that might occur if they fail
Breach Attack Simulations

Gartner defines Breach and Attack Simulation (BAS) as tools “that allow enterprises to continually and consistently simulate the full attack cycle (including insider threats, lateral movement and data exfiltration) against enterprise infrastructure, using software agents, virtual machines, and other means”.

BAS testing mimics real-world attack scenarios to help organizations test and measure the effectiveness of their security controls and staff.

Key capabilities and functions of BAS:
• Can be deployed on-premises or in the cloud
• Provides continuous, on-demand, or periodic testing
• Covers all phases of an attack, from pre-exploitation to post-exploitation, persistence, and maintaining access
• Includes testing for both perimeter and internal security controls
• Comprehensive reports include recommendations for mitigation
Compliance Checks

Compliance checking is the process of review and analysis of the implemented controls to check whether the implemented controls follow regulations, laws, and policies.

Regulatory compliance requirements include PCI-DSS, FISMA, GLBA, SOX, ISO 27001, and HIPAA.
Collect Security Process Data
Account Management

Account management involves provisioning, deprovisioning, and periodic reviews of user accounts, access rights, and privileges of employees and vendors.

This data collection also includes verification of the account provisioning process along with the verification of the accounts’ privileges.

Accounts should be processed through a comprehensive verification mechanism, which includes an authorized sign-off from management and other assurance techniques.

Account Management

Deprovisioning of accounts should also pass through an appropriate process based on the organization’s requirements.

Deprovisioning should include access removal in the case of an employee leaving the company, account adjustments in the case of a change in designation, and a review of the accesses given to individuals.
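The periodic review described above can be partly automated by reconciling the HR roster against a directory export. The added example below (not from the course; the roster, the directory export, the role-to-group model, the account names and the review date are all constructed) produces the findings a reviewer would have to sign off on: orphan accounts with no HR record, accounts still enabled after termination, group membership beyond the approved role, and dormant accounts.

```python
"""Periodic account review: reconcile an HR roster against a directory export.
All data sets, names and thresholds are constructed for this example."""
from datetime import date, timedelta

TODAY = date(2024, 6, 1)           # constructed review date
STALE_AFTER = timedelta(days=90)   # constructed dormancy threshold

# Constructed HR roster: who should exist and in what role.
HR_ROSTER = {
    "alice": {"status": "active", "role": "developer"},
    "bob":   {"status": "terminated", "role": "analyst", "term_date": date(2024, 4, 10)},
    "carol": {"status": "active", "role": "developer"},   # changed role; old DBA group lingers
    "dave":  {"status": "active", "role": "helpdesk"},
}

# Constructed directory export: what actually exists and what it can do.
DIRECTORY = [
    {"account": "alice", "enabled": True, "groups": {"dev-git"}, "last_login": date(2024, 5, 30)},
    {"account": "bob", "enabled": True, "groups": {"analyst-reports"}, "last_login": date(2024, 4, 9)},
    {"account": "carol", "enabled": True, "groups": {"dev-git", "db-admins"}, "last_login": date(2024, 5, 29)},
    {"account": "dave", "enabled": True, "groups": {"helpdesk"}, "last_login": date(2024, 1, 15)},
    {"account": "svc-legacy", "enabled": True, "groups": {"db-admins"}, "last_login": None},
]

# Entitlement model signed off by management (constructed): role -> allowed groups.
ROLE_GROUPS = {
    "developer": {"dev-git"},
    "analyst": {"analyst-reports"},
    "helpdesk": {"helpdesk"},
}


def review_accounts(roster, directory, today=TODAY):
    """Returns (account, finding) pairs, in directory order, for the reviewer to act on."""
    findings = []
    for entry in directory:
        acct = entry["account"]
        person = roster.get(acct)
        if person is None:
            findings.append((acct, "orphan: no HR record; verify ownership or disable"))
            continue
        if person["status"] == "terminated" and entry["enabled"]:
            findings.append((acct, f"terminated on {person['term_date']} but still enabled"))
            continue
        excess = entry["groups"] - ROLE_GROUPS[person["role"]]
        if excess:
            findings.append((acct, f"privilege beyond role {person['role']}: {sorted(excess)}"))
        last = entry["last_login"]
        if last is None or today - last > STALE_AFTER:
            findings.append((acct, "dormant: no login within the review window"))
    return findings


def accounts_with_findings(roster=HR_ROSTER, directory=DIRECTORY):
    """Distinct accounts that need a decision, in the order they were reviewed."""
    seen = []
    for acct, _ in review_accounts(roster, directory):
        if acct not in seen:
            seen.append(acct)
    return seen
```

The output is a worklist, not a verdict: each line still needs the management sign-off the slide calls for, and the role-to-group model is itself something the review should confirm is current.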
Management Review and Approval

“Top management shall review the organization’s information security management system (ISMS) at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.”
~ ISO 27001:2013 Management review
Key Performance Indicators (KPIs)

KPI is a process by which the performance of security controls and processes is measured. ISO 27004 deals with KPI metrics.

KPIs should be understandable to both business and technical audiences and should be aligned with one or more organizational goals.
Key Terms Associated with KPI

These are some of the important terms associated with KPI:

Factor
• An attribute of the ISMS that can be described as a value that can change over time
• Example: the number of AV alerts, or the number of investigations conducted

Measurement
• The value of a factor at a particular point in time
• This is the raw data
• Example: 20 AV alerts per day or 15 investigations per month

Baseline
• An arbitrary value for a factor that provides a point of reference or denotes that some condition is met by achieving some threshold value
• Example: the number of AV alerts per month will not be more than 25, or the number of investigations open for more than 48 hours should not be more than 10
Key Terms Associated with KPI

Metric
• A desired value that is generated by comparing various results with each other or with the baseline
• Example: the ratio of false-positive AV alerts to valid alerts per month

Indicator
• An interpretation of one or more metrics that describes the effectiveness of an element of the ISMS
• Indicators are meaningful to management
KPI Process

A KPI process includes:

• Choosing the factors that can show the state of security
• Defining baselines for some or all factors under consideration
• Developing a plan for periodically capturing the values of these factors
• Analyzing and interpreting the data
• Communicating the indicators to all stakeholders
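The KPI process above, carried through in code as an added example (not from the course or ISO 27004): the factor is AV alerts, the measurements are constructed daily counts of valid and false-positive alerts, the baselines are the slide's limit of 25 alerts per month plus a constructed false-positive ratio limit, the metric is the slide's ratio of false-positive to valid alerts, and the indicator is the traffic-light rating management would read. The sample data, the ratio limit and the green/amber/red rule are assumptions.

```python
"""KPI pipeline using the slide's own terms: factor -> measurements -> baseline ->
metric -> indicator. All numbers are constructed sample data."""
from dataclasses import dataclass

# Factor: AV alerts. Measurements: constructed daily raw counts as
# (valid alerts, false-positive alerts) for ten sample days of one month.
DAILY_AV_ALERTS = [(1, 1), (0, 2), (2, 1), (1, 1), (0, 2),
                   (3, 1), (1, 2), (0, 1), (2, 2), (1, 4)]

# Baselines: the slide's 25 alerts per month; the ratio limit is a constructed value.
BASELINE_ALERTS_PER_MONTH = 25
BASELINE_FP_RATIO = 2.0   # at most two false positives per valid alert (constructed)


@dataclass
class Indicator:
    """What management sees: a named metric against its baseline, rated."""
    name: str
    metric: float
    baseline: float
    status: str   # "green" within baseline, "amber" slightly above, "red" beyond


def total_alerts(measurements):
    """Metric: all AV alerts in the period, regardless of disposition."""
    return sum(valid + fp for valid, fp in measurements)


def false_positive_ratio(measurements):
    """Metric from the slide: false-positive AV alerts relative to valid alerts."""
    valid = sum(v for v, _ in measurements)
    fps = sum(fp for _, fp in measurements)
    return fps / valid if valid else float("inf")


def rate(metric, baseline, amber_margin=0.2):
    """Interpretation rule (constructed): green if within baseline, amber if no more
    than 20% above it, red otherwise."""
    if metric <= baseline:
        return "green"
    if metric <= baseline * (1 + amber_margin):
        return "amber"
    return "red"


def kpi_report(measurements):
    """Turns raw measurements into the indicators communicated to stakeholders."""
    alerts = total_alerts(measurements)
    ratio = false_positive_ratio(measurements)
    return [
        Indicator("AV alerts per month", alerts, BASELINE_ALERTS_PER_MONTH,
                  rate(alerts, BASELINE_ALERTS_PER_MONTH)),
        Indicator("False-positive ratio", round(ratio, 2), BASELINE_FP_RATIO,
                  rate(ratio, BASELINE_FP_RATIO)),
    ]
```

With the sample data the alert volume comes out at 28, just over the baseline and therefore amber, while the false-positive ratio of about 1.55 stays green; the two indicators together tell management that volume, not alert quality, is the thing to look at.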
Key Risk Indicator (KRI)

• KRIs indicate where an organization is in relation to its risk appetite.
• They measure how risky an activity is so that leadership can make informed decisions about the activity.
• KRIs are selected for their impact on the decisions of the senior leaders in an organization.
• It is useful to relate them to SLE equations.
• KRIs alert the organization when an unfavorable situation might arise, which allows the organization to plan for these situations.
Key Performance and Risk Indicators

Key performance indicator
• A key performance indicator (KPI) measures how well something is being done.
• Some parameters used as KPIs are cost adherence, schedule adherence, and project effort adherence.

Key risk indicator
• A key risk indicator (KRI) is a measure used in management to indicate how risky an activity is or the possibility of an adverse impact in the future.
• KRIs use mathematical formulas or models to give an early warning of a potential event that may harm the continuity of the activity or project.
Backup Verification Data

• IT contingency plans should include a method for conducting data backups frequently.
• Periodic backups can be scheduled via an automated backup management system or automated job scheduling software.
• The stored data should be routinely tested to validate the backed-up data’s integrity.
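Routine integrity testing of backed-up data, as an added example (not from the course): a SHA-256 manifest is written when the backup set is taken and re-checked during the restore test, classifying each file as intact, corrupt, missing or unexpected. The sample files, the simulated bit rot and the lost file are constructed in a temporary directory so the example runs offline; the manifest file name and layout are assumptions.

```python
"""Backup integrity verification with a SHA-256 manifest.
Sample files and damage are constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile

MANIFEST = "MANIFEST.json"   # assumed name for the digest list stored with the backup


def sha256_file(path, chunk=1 << 16):
    """Streams the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _files(backup_dir):
    """Yields (relative path, full path) for every file except the manifest itself."""
    for root, _, names in os.walk(backup_dir):
        for name in names:
            if root == backup_dir and name == MANIFEST:
                continue
            full = os.path.join(root, name)
            yield os.path.relpath(full, backup_dir), full


def write_manifest(backup_dir):
    """Taken together with the backup: relative path -> digest of every file."""
    manifest = {rel: sha256_file(full) for rel, full in _files(backup_dir)}
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir):
    """Run during the restore test. Returns sorted lists keyed by
    'ok', 'corrupt', 'missing' and 'unexpected'."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    result = {"ok": [], "corrupt": [], "missing": [], "unexpected": []}
    present = set()
    for rel, full in _files(backup_dir):
        present.add(rel)
        if rel not in manifest:
            result["unexpected"].append(rel)       # file nobody backed up on purpose
        elif sha256_file(full) == manifest[rel]:
            result["ok"].append(rel)
        else:
            result["corrupt"].append(rel)          # content changed since backup
    result["missing"] = sorted(set(manifest) - present)
    for key in ("ok", "corrupt", "unexpected"):
        result[key].sort()
    return result


def demo():
    """Constructed scenario: take a backup, verify it, then damage it and verify again."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in {"db.sql": b"CREATE TABLE t(x);", "config.yml": b"key: v"}.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        write_manifest(d)
        fresh = verify_backup(d)
        with open(os.path.join(d, "db.sql"), "r+b") as f:   # simulate one flipped byte
            f.seek(0)
            f.write(b"X")
        os.remove(os.path.join(d, "config.yml"))             # simulate a lost file
        return fresh, verify_backup(d)
```

The manifest only proves that the backup still matches what was captured; it says nothing about whether the captured data was complete or restorable, which is why the slide's routine test should also include an actual restore.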
Security Education Training and Awareness

• SETA is the process of informing employees about security best practices.
• The goals of security awareness programs are to reduce risks by addressing the behavioral element of security through education and consistent application of awareness techniques.
• Security awareness programs should focus on common user security concerns such as password selection, appropriate use of computing resources, and social engineering attacks.
• Security programs should be tailored to the target audience.
Analyze Test Output and Generate Report
Remediation

Continuously monitoring an organization’s security posture is a good start in building a mature security program.

Organizations should try to adopt a continuous process improvement model, such as the Deming (PDCA) cycle, to improve their security posture.

The principles for continuous improvement of cybersecurity are:

• Make small changes to yield significant improvements
• Seek employees’ feedback to identify opportunities for improvements
• Empower employees to take ownership of improvements
• Identify key metrics to measure improvements
Exception Handling

Exceptions to any information security policies or procedures should be documented, authorized, and reviewed.

An exception request should be made by the related individual to security management with proper justification.

The exception should be approved or denied after carefully reviewing the request.
Ethical Disclosure

• Nondisclosure is the practice of withholding the vulnerability and its existence from the general public due to nondisclosure or other contractual agreements.

• Full disclosure is the practice of publishing analyses of software vulnerabilities as soon as possible to all potentially affected organizations.

• The primary purpose of disclosing information about vulnerabilities is so that organizations at risk can take appropriate actions to protect themselves.

• Responsible disclosure is the practice of reporting a vulnerability to the vendor and allowing them some time to fix the vulnerability before informing the public.

• Mandatory reporting is when the law requires one to report known or suspected cases of fraud, data breaches, and computer crimes to the relevant authorities.

• Whistleblowing is the act of notifying senior management, industry regulators, government authorities, or the general public regarding any breaches, unethical actions, and illegal behaviors of one’s employer.
Real World Scenario

Google’s Project Zero is a team of dedicated security analysts tasked with finding zero-day vulnerabilities. Project Zero was announced on July 15, 2014, on Google's security blog.

Project Zero has been responsible for identifying serious security flaws such as Meltdown and Spectre.

Bugs found by the Project Zero team are reported to the vendor and made publicly available only after 90 days from the day the bug is discovered.

If the vulnerabilities are patched within 90 days, technical details are disclosed 30 days after the release of a fix to give users time to install the patch.

The 90-day deadline is Google's way of implementing responsible disclosure, giving vendors 90 days to fix a problem before informing the public so that users themselves can take the necessary steps to avoid attacks.

Information sources:
https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html
https://github.com/googleprojectzero
Key Takeaways

Security assessment and testing maintain a system’s ability to deliver its intended functionality securely by evaluating the information assets and associated infrastructure.

Various tools and techniques are used to identify and mitigate risks due to design flaws, architectural issues, hardware and software vulnerabilities, coding errors, and other weaknesses.

Security policies and procedures are uniformly and continuously applied.

The security professional should be capable of validating assessment and testing strategies, and carrying out those strategies using various techniques.

In the absence of careful analysis and reporting of assessment results, security assessments and testing have little value.

This concludes Security Assessment and Testing.

The next domain is Security Operations.
