CSCE 548 Secure Software Development Penetration Testing
CSCE Farkas2 Reading This lecture: – Penetration Testing, McGraw: Chapter 6 Next lecture: – Risk-Based Security Testing, McGraw: Chapter 7
CSCE Farkas3 Application of Touchpoints Requirement and Use cases Architecture and Design Test Plans Code Tests and Test Results Feedback from the Field 5. Abuse cases 6. Security Requirements 2. Risk Analysis External Review 4. Risk-Based Security Tests 1. Code Review (Tools) 2. Risk Analysis 3. Penetration Testing 7. Security Operations
CSCE Farkas4 Software Testing Application fulfills functional requirements Dynamic, functional tests late in the SDLC Contextual information
CSCE Farkas5 Security Testing Look for unexpected but intentional misuse of the system Must test for all potential misuse types using – Architectural risk analysis results – Abuse cases Verify that – All intended security features work (white hat) – Intentional attacks cannot compromise the system (black hat)
CSCE Farkas6 Penetration Testing Testing for negative – what must not exist in the system Difficult – how to prove “non-existence” If penetration testing does not find errors than – Can conclude that under the given circumstances no security faults occurred – Little assurance that application is immune to attacks Feel-good exercise
CSCE Farkas7 Penetration Testing Today Often performed Applied to finished products Outside in approach Late SDLC activity Limitation: too little, too late
CSCE Farkas8 Late-Lifecycle Testing Limitations: – Design and coding errors are too late to discover – Higher cost than earlier designs-level detection – Options to remedy discovered flaws are constrained by both time and budget Advantages: evaluate the system in its final operating environment
CSCE Farkas9 Success of Penetration Testing Depends on skill, knowledge, and experience of the tester Important! Result interpretation Disadvantages of penetration testing: – Often used as an excuse to declare victory and go home – Everyone looks good after negative testing results
CSCE Farkas10 Determine Objective and Scope of Testing!
CSCE Farkas11 Testing Process External Testing: across the internet. – Simulate attacker’s environment – Gathering information related to remote access, IP addresses, open ports, allowed services, etc. – Tools to support Internal Testing: onsite. View of the system behind the external perimeters – Software penetration testing tools – Attempt to exploit vulnerabilities
CSCE Farkas12 Testing Activities Scoping: assessing target system Discovery: building information about the system – Offline and online activities Vulnerability scanning: testing system components Target penetration: within testing parameters Analysis: of results of previous stages Reporting: detailed findings and recommendations
CSCE Farkas13 Software Penetration Testing Marketing, managerial, industry production line, etc. Needs tools Test more than once Need knowledge of risk analysis Feedback to real life progress.
CSCE Farkas14 Testing and Application Context Organizations: How to update legacy systems with security capabilities Application specific risk.
CSCE Farkas15 Is Penetration Testing Worth it? Schneier, on.html on.html Opinions: – Penetration testing is essential for network security – Penetration testing is a waste of time and money What is the goal of penetration testing? Finding too much vulnerabilities – how to fix them all? Useful penetration testing: – Find vulnerabilities you’re going to fix – Pursue managers to invest in security
CSCE Farkas16 Next Class Risk-Based Security Testing