CSCE 548 Secure Software Development Penetration Testing.


Slide 1: CSCE 548 Secure Software Development: Penetration Testing

Slide 2: Reading (CSCE 548 - Farkas)
This lecture:
– Penetration Testing, McGraw: Chapter 6
Next lecture:
– Risk-Based Security Testing, McGraw: Chapter 7

Slide 3: Application of Touchpoints
[Figure: McGraw's software security touchpoints mapped onto the lifecycle artifacts they apply to]
Artifacts: Requirements and Use cases; Architecture and Design; Test Plans; Code; Tests and Test Results; Feedback from the Field
Touchpoints: 1. Code Review (Tools); 2. Risk Analysis; 3. Penetration Testing; 4. Risk-Based Security Tests; 5. Abuse cases; 6. Security Requirements; 7. Security Operations; External Review

Slide 4: Software Testing
Application fulfills functional requirements
Dynamic, functional tests late in the SDLC
Contextual information

Slide 5: Security Testing
Look for unexpected but intentional misuse of the system
Must test for all potential misuse types using
– Architectural risk analysis results
– Abuse cases
Verify that
– All intended security features work (white hat)
– Intentional attacks cannot compromise the system (black hat)

Slide 6: Penetration Testing
Testing for the negative – what must not exist in the system
Difficult – how to prove "non-existence"
If penetration testing does not find errors, then
– We can conclude that under the given circumstances no security faults occurred
– Little assurance that the application is immune to attacks
Feel-good exercise

Slide 7: Penetration Testing Today
Often performed
Applied to finished products
Outside-in approach
Late SDLC activity
Limitation: too little, too late

Slide 8: Late-Lifecycle Testing
Limitations:
– Design and coding errors are discovered too late
– Higher cost than earlier, design-level detection
– Options to remedy discovered flaws are constrained by both time and budget
Advantages: evaluates the system in its final operating environment

Slide 9: Success of Penetration Testing
Depends on skill, knowledge, and experience of the tester
Important! Result interpretation
Disadvantages of penetration testing:
– Often used as an excuse to declare victory and go home
– Everyone looks good after negative testing results

Slide 10: Determine Objective and Scope of Testing!

Slide 11: Testing Process
External Testing: across the Internet
– Simulate the attacker's environment
– Gather information related to remote access, IP addresses, open ports, allowed services, etc.
– Tools to support
Internal Testing: onsite; view of the system behind the external perimeter
– Software penetration testing tools
– Attempt to exploit vulnerabilities

Slide 12: Testing Activities
Scoping: assessing the target system
Discovery: building information about the system
– Offline and online activities
Vulnerability scanning: testing system components
Target penetration: within testing parameters
Analysis: of the results of the previous stages
Reporting: detailed findings and recommendations

Slide 13: Software Penetration Testing
Marketing, managerial, industry production line, etc.
Needs tools
Test more than once
Needs knowledge of risk analysis
Feedback to real-life progress

Slide 14: Testing and Application Context
Organizations: how to update legacy systems with security capabilities
Application-specific risk

Slide 15: Is Penetration Testing Worth It?
Schneier, http://schneier.com/blog/archives/2007/05/is_penetration.html
Opinions:
– Penetration testing is essential for network security
– Penetration testing is a waste of time and money
What is the goal of penetration testing?
Finding too many vulnerabilities – how to fix them all?
Useful penetration testing:
– Find vulnerabilities you're going to fix
– Persuade managers to invest in security
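Slides 10, 12 and 15 stress scoping, staying within testing parameters, and reporting only the vulnerabilities you will actually fix. The following Python helper, added here as an illustration and not part of the lecture, keeps discovery output inside the agreed scope and produces the analysis summary for the report; all scope ranges, hosts and findings are constructed sample data (TEST-NET addresses, .test hostnames).

```python
"""Scope enforcement and findings triage for a penetration test.
Every scope entry, discovered host and finding below is constructed sample data."""
import ipaddress
from collections import Counter

# Constructed rules-of-engagement scope: agreed CIDR ranges plus named hosts.
SCOPE_CIDRS = ["203.0.113.0/24", "198.51.100.0/28"]   # documentation ranges, not real targets
SCOPE_HOSTS = {"app.example.test", "api.example.test"}

# Constructed discovery-stage output: (hostname, ip, port, service)
DISCOVERED = [
    ("app.example.test", "203.0.113.10", 443, "https"),
    ("db.example.test", "203.0.113.50", 5432, "postgresql"),
    ("partner.other.test", "192.0.2.7", 22, "ssh"),      # outside the agreed scope
    ("api.example.test", "198.51.100.3", 8443, "https"),
]

def in_scope(host: str, ip: str) -> bool:
    """A target is in scope if its hostname was listed or its IP falls in an agreed range."""
    if host in SCOPE_HOSTS:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in SCOPE_CIDRS)

def partition_targets(discovered):
    """Split discovery results into testable targets and out-of-scope items.
    Out-of-scope hosts are reported to the client, never tested."""
    allowed, excluded = [], []
    for entry in discovered:
        host, ip, _port, _service = entry
        (allowed if in_scope(host, ip) else excluded).append(entry)
    return allowed, excluded

# Constructed findings from the scanning and penetration stages:
# (target, title, severity, fix_planned)
FINDINGS = [
    ("app.example.test", "Session cookie lacks Secure flag", "medium", True),
    ("db.example.test", "Database port reachable from the test network", "high", True),
    ("api.example.test", "Verbose server banner", "low", False),
]

def summarize(findings):
    """Analysis stage: counts per severity plus the subset the team has committed to fix."""
    by_severity = Counter(f[2] for f in findings)
    actionable = [f for f in findings if f[3]]
    return dict(by_severity), actionable

if __name__ == "__main__":
    allowed, excluded = partition_targets(DISCOVERED)
    print("in scope:", [t[0] for t in allowed], "excluded:", [t[0] for t in excluded])
    print("severity counts, planned fixes:", summarize(FINDINGS))
```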

Slide 16: Next Class
Risk-Based Security Testing
