Software Security Testing Vinay Srinivasan cell: +91 9823104620.


By Vinay Srinivasan (Tech Lead), Testing Center of Excellence Laboratory, TechMahindra, Pune

Secure Software
 Confidentiality
   Disclosure of information only to the intended parties
 Integrity
   Assurance that information has not been altered or destroyed without authorization
 Data Security
   Privacy
   Data Protection
   Controlled Access
 Authentication
   Verifying the claimed identity of users and systems, so that only authorized people get access
 Availability
   Ready for use when expected
 Non-Repudiation
   Information exchange with proof of origin and receipt, so that neither party can later deny it

Software Security
 Security of the Operating System
 Security of Client Software
 Security of Application Software
 Security of System Software
 Security of Database Software
 Security of Software Data
   Security of Client Data
   Security of System Data
 Security of Server Software
 Security of Network Software

Why Security Testing
 To find loopholes and zero in on vulnerabilities before an attacker does
 To identify design insecurities
 To identify implementation insecurities
 To identify dependency insecurities and failures (third-party libraries, platforms and services the software relies on)
 For information security
 For process security
 For Internet technology security
 For communication security
 For improving the system
 For confirming that the security policies are actually enforced
 For organization-wide software security
 For physical security of the systems the software runs on

Approach to Software Security Testing
 Study of the security architecture
 Analysis of the security requirements
 Classifying the security testing
 Developing objectives
 Threat modeling
 Test planning
 Execution
 Reports

Security Testing Techniques
 OS Hardening
   Configure securely and apply patches
   Keep the operating system updated
   Disable or restrict unwanted services and ports
   Lock down the remaining ports
   Manage the log files
   Manage the trusted root certificate store
   Protect against Internet misuse and be cyber safe
   Protect against malware
 Vulnerability Scanning
   Identify known vulnerabilities (missing patches, known-bad versions and configurations)
   Scan intrusively for unknown vulnerabilities, accepting the risk that probes may disrupt the target

Security Testing Techniques (continued…)
 Penetration Testing
   Simulating an attack from a malicious source
   Includes network scanning and vulnerability scanning
   Black box: simulates an attacker unfamiliar with the system
   White box: simulates an attacker who has access to source code, network details and passwords
 Port Scanning and Service Mapping
   Identifying and locating open ports
   Identifying the services running on them
 Firewall Rule Testing
   Identify inappropriate or conflicting rules
   Appropriate placement of vulnerable systems behind the firewall
   Discovering administrative backdoors or tunnels
 SQL Injection
   Exploits a vulnerability in the database layer of the application
   User input is unexpectedly executed as part of a SQL statement
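The SQL injection point above, shown as an added example that is not part of the presentation: the string-built login query beside the parameterized one, and the probe a tester runs against both. The SQLite table, the two accounts and the payloads are constructed for the demo and come from no real system.

```python
"""Added example (not from the slides): SQL injection in a login query,
the vulnerable string-built form beside the parameterized form.

Runs against an in-memory SQLite database; the table, columns and the two
accounts are constructed for the demo and are not from any real system.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; plaintext passwords are for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str):
    """Input is concatenated into the statement, so it becomes SQL grammar."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, name: str, pw: str):
    """Input is bound as a parameter, so it is only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    row = conn.execute(sql, (name, pw)).fetchone()
    return row[0] if row else None


# Constructed test payloads a tester would try in the name field.
PAYLOADS = [
    "alice' --",      # closes the quote and comments out the password check
    "' OR 1=1 --",    # makes the WHERE clause always true
]


def probe(conn: sqlite3.Connection, login) -> dict:
    """Return, per payload, which account the login function handed out
    without the caller knowing any password (None means rejected)."""
    return {p: login(conn, p, "wrong-password") for p in PAYLOADS}


if __name__ == "__main__":
    db = make_db()
    print("string-built query:", probe(db, login_vulnerable))
    print("parameterized query:", probe(db, login_safe))
```

The probe is the test oracle: the same payloads log in as alice through the concatenated query and are rejected by the parameterized one, because the driver sends bound values separately from the statement text and the quote and comment characters are never parsed as SQL.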

Security Testing Techniques (continued…)
 Cross-Site Scripting (XSS)
   Injecting malicious client-side script into web pages
   Persistent (stored), non-persistent (reflected) and DOM-based vulnerabilities
 Parameter Manipulation
   Cookie manipulation
   Form field manipulation
   URL manipulation
   HTTP header manipulation
 Denial of Service Testing
   Flooding a target machine with enough traffic to make it incapable of serving legitimate users
   Only with explicit authorization, against agreed systems, in an agreed time window
 Command Injection
   Inject and execute commands specified by the attacker
   Execute system-level commands through a vulnerable application
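The reflected (non-persistent) XSS case from the list above, as an added example that is not from the presentation: a page that echoes a search parameter, the output-encoding fix, and the oracle a tester uses to decide whether a payload landed in an executable context rather than in text. The page fragment, the parameter name q and the two payloads are constructed for the demo.

```python
"""Added example (not from the slides): reflected cross-site scripting in a
search-results page, with the output-encoding fix, plus the oracle a tester
uses to decide whether a payload reached an executable context.

The page fragment, the parameter name "q" and the payloads are constructed
for the demo.
"""
import html
from html.parser import HTMLParser


def render_vulnerable(query: str) -> str:
    """Echoes the parameter into HTML text and into a quoted attribute unchanged."""
    return (
        "<p>Results for: " + query + "</p>\n"
        '<input name="q" value="' + query + '">'
    )


def render_safe(query: str) -> str:
    """Entity-encodes <, >, & and (with quote=True) the quote characters, so the
    input can neither open a tag nor break out of the attribute value."""
    enc = html.escape(query, quote=True)
    return (
        "<p>Results for: " + enc + "</p>\n"
        '<input name="q" value="' + enc + '">'
    )


class _ContextSink(HTMLParser):
    """Records script elements and on* event-handler attributes seen by the parser."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, _value in attrs:
            if name.startswith("on"):
                self.event_handlers.append(name)


def executable_contexts(page: str) -> dict:
    """Oracle: parse the response the way a browser would and count the places
    where injected text ended up as markup instead of as text."""
    sink = _ContextSink()
    sink.feed(page)
    sink.close()
    return {"script_tags": sink.script_tags, "event_handlers": sink.event_handlers}


# Constructed payloads: one for the text context, one that breaks out of the
# quoted attribute and adds an event handler.
PAYLOADS = ['<script>alert(1)</script>', '" onmouseover="alert(1)']


def scan(render) -> list:
    """Return the payloads that the given renderer lets through as markup."""
    hits = []
    for p in PAYLOADS:
        ctx = executable_contexts(render(p))
        if ctx["script_tags"] or ctx["event_handlers"]:
            hits.append(p)
    return hits


if __name__ == "__main__":
    print("vulnerable page lets through:", scan(render_vulnerable))
    print("encoded page lets through:", scan(render_safe))
```

Note that a substring check such as "is alert(1) in the response" would flag the encoded page too, because the text survives; what matters is whether the parser sees a tag or an attribute, which is why the oracle parses the response instead of grepping it. Stored XSS differs only in where the string comes from (the database instead of the request); DOM-based XSS is not visible in the server response at all and has to be tested in the browser.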

Security Testing Techniques (continued…)
 Network Scanning
   Identifying active hosts on a network
   Collecting IP addresses that can be accessed over the Internet
   Collecting OS details, system architecture and running services
   Collecting network user and group names
   Collecting routing tables and SNMP data
 Password Cracking
   Collecting passwords, or password hashes, from stored or transmitted data
   Using brute-force and dictionary attacks
   Identifying weak passwords
 Ethical Hacking
   Penetration testing, intrusion testing and red teaming
 File Integrity Testing
   Verifying file integrity against corruption using a checksum; where deliberate tampering must also be detected, use a cryptographic hash such as SHA-256 rather than a plain checksum
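The dictionary attack and weak-password identification from the password-cracking item above, as an added example that is not from the presentation. The credential store (three PBKDF2-SHA256 hashes with per-user salts), the wordlist and the mangling rules are constructed for the demo; the iteration count is deliberately low so the run finishes instantly.

```python
"""Added example (not from the slides): an offline dictionary attack against
salted password hashes, the check behind "identifying weak passwords".

The credential store, salts and wordlist are constructed for the demo; the
PBKDF2 iteration count is kept low so the run finishes instantly.
"""
import hashlib

ITERATIONS = 1000  # demo value; production stores should use far more


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256, hex encoded; the same function the defender used."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed "recovered" credential store: user -> (salt, digest).
STORE = {
    "alice": (b"s1", hash_password("hunter2", b"s1")),
    "bob":   (b"s2", hash_password("Summer2019!", b"s2")),
    "carol": (b"s3", hash_password("correct-horse-battery-staple-7x", b"s3")),
}

# Constructed wordlist; real runs use leaked-password corpora of millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "summer2019"]


def mangle(word: str):
    """Rule-based variants crackers apply to every wordlist entry:
    case changes, common suffixes and simple leet substitutions."""
    base = {word, word.lower(), word.capitalize(), word.upper()}
    for w in sorted(base):
        yield w
        yield w + "!"
        yield w + "1"
        yield w + "123"
        yield w.replace("a", "@").replace("o", "0")


def crack(store: dict, wordlist: list, iterations: int = ITERATIONS) -> dict:
    """Return user -> recovered password for every hash the wordlist matches.
    Each user has a distinct salt, so every candidate is hashed per user."""
    cracked = {}
    for user, (salt, digest) in store.items():
        for word in wordlist:
            hit = next((c for c in mangle(word)
                        if hash_password(c, salt, iterations) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def weak_accounts(store: dict, wordlist: list) -> list:
    """Accounts whose passwords a dictionary attack recovers, i.e. the weak ones."""
    return sorted(crack(store, wordlist))


if __name__ == "__main__":
    print(crack(STORE, WORDLIST))
```

The two weak passwords fall to a five-word list with a handful of rules; the passphrase does not, and only because it is not derivable from the list, not because of the hash. Salting forces the attacker to hash each candidate once per user instead of once per store, and the iteration count is what makes each of those hashes expensive; the demo value of 1000 is far below what a real deployment should use.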

Security Testing Techniques (continued…)
 War Dialing
   Using a modem to dial a list of telephone numbers
   Searching for computers, bulletin board systems and fax machines
 Wireless LAN Testing
   Searching for existing WLANs and logging wireless access points
 Buffer Overflow Testing
   Supplying input longer than the destination buffer so that adjacent process memory is overwritten, typically fixed-size char buffers
 Format String Testing
   Supplying format specifiers (such as %s, %x, %n) in application input
 Random Data Testing (fuzzing)
   Random data inputs generated by a program
   Encoded random data included as parameters
   Crashing built-in code assertions

Security Testing Techniques (continued…)
 Random Mutation Testing
   Bit flipping of known legitimate data
   Byte stream sliding within known legitimate data
 Session Hijacking
   Exploitation of a valid computer session
   Exploitation of the web session control mechanism (stealing or predicting the session ID)
   Gaining unauthorized access to the web application as the victim user
 Phishing
   Masquerading as a trustworthy entity in an electronic communication
   Acquiring usernames, passwords and credit card details
 URL Manipulation
   Making the web server deliver pages that should not be accessible
   URL rewriting
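The format string, random data and random mutation items from the previous two slides, combined into one added example that is not part of the presentation: a small fuzzer that generates random inputs, format-specifier payloads, bit-flipped and byte-slid variants of a known-good record, and runs them against a toy parser. The record format, the parser and its two planted bugs (an unchecked length read and a division by a zero record count) are constructed for the demo; a real campaign targets the application's own parser or API.

```python
"""Added example (not from the slides): a small fuzzer combining random data,
format-string specifiers, bit-flip and byte-slide mutation of a known-good
input, run against a toy record parser with two planted bugs.

The record format, the parser and its bugs are constructed for the demo.
"""
import random

# Constructed format: magic "RC", one count byte, then count entries of
# (length byte, value bytes). SEED is a valid two-record file.
SEED = b"RC\x02\x03abc\x02xy"


def parse_records(data: bytes) -> dict:
    """Target under test. Raises ValueError for inputs it rejects on purpose;
    any other exception is a crash the fuzzer should report."""
    if data[:2] != b"RC":
        raise ValueError("bad magic")
    count = data[2]
    pos = 3
    lengths, values = [], []
    for _ in range(count):
        length = data[pos]                       # planted bug: no bounds check (IndexError)
        values.append(data[pos + 1:pos + 1 + length])
        lengths.append(length)
        pos += 1 + length
    return {"count": count, "values": values,
            "mean_length": sum(lengths) / count}  # planted bug: count == 0 (ZeroDivisionError)


def random_inputs(rng: random.Random, n: int, max_len: int = 32) -> list:
    """Random data testing: bytes of random length with no knowledge of the format."""
    return [bytes(rng.getrandbits(8) for _ in range(rng.randint(0, max_len)))
            for _ in range(n)]


def format_string_inputs(seed: bytes) -> list:
    """Format string testing: well-formed single records whose value carries specifiers."""
    payloads = [b"%s%s%s%s%n", b"%x" * 16, b"%p%p%p", b"%.999999d"]
    return [seed[:2] + b"\x01" + bytes([len(p)]) + p for p in payloads]


def bit_flips(seed: bytes, rng: random.Random, n: int, flips: int = 3) -> list:
    """Random mutation: flip a few random bits of legitimate data."""
    out = []
    for _ in range(n):
        buf = bytearray(seed)
        for _ in range(flips):
            i = rng.randrange(len(buf) * 8)
            buf[i // 8] ^= 1 << (i % 8)
        out.append(bytes(buf))
    return out


def byte_slides(seed: bytes, values=(0x00, 0xFF)) -> list:
    """Byte sliding: move an interesting byte value across every position of the seed."""
    out = []
    for v in values:
        for i in range(len(seed)):
            buf = bytearray(seed)
            buf[i] = v
            out.append(bytes(buf))
    return out


def fuzz(target, corpus) -> dict:
    """Run every sample; return exception class -> first sample that triggered it."""
    crashes = {}
    for sample in corpus:
        try:
            target(sample)
        except ValueError:
            pass                        # the parser's own rejection, not a bug
        except Exception as exc:        # anything else is a crash worth triaging
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


def campaign(seed: bytes = SEED, rng_seed: int = 1) -> dict:
    """One deterministic run over all four generators (fixed RNG seed for reproducibility)."""
    rng = random.Random(rng_seed)
    corpus = (random_inputs(rng, 200) + format_string_inputs(seed)
              + bit_flips(seed, rng, 200) + byte_slides(seed))
    return fuzz(parse_records, corpus)


if __name__ == "__main__":
    for kind, sample in campaign().items():
        print(f"{kind}: {sample!r}")
```

The byte slide alone is enough to find both planted bugs deterministically: sliding 0x00 over the count byte gives an empty file and the division by zero, and sliding 0xFF over the first length byte makes the parser walk past the end of the buffer. The format-string payloads are carried in the corpus as the slides describe; this Python target is not affected by them, which is the expected negative result, whereas a C target that passed the value to printf-style code would be.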

Security Testing Techniques (continued…)
 IP Spoofing
   Creating Internet Protocol (IP) packets with a forged source IP address
 Packet Sniffing
   Capturing and analyzing all of the network traffic
 Virtual Private Network Testing
   Penetration testing of the VPN gateway and client configuration
 Social Engineering
   Psychological manipulation of people
   Into divulging confidential information
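The IP spoofing and packet sniffing items above, as an added example that is not from the presentation: building an IPv4 header whose source field carries a forged address, decoding and checksum-verifying it the way a sniffer would, and the ingress anti-spoofing check (BCP 38 style) a perimeter filter applies to such a packet. Only the header bytes are built; sending them requires a raw socket and privileges and is outside the demo. The addresses are documentation and private ranges chosen for the example.

```python
"""Added example (not from the slides): building an IPv4 header with a forged
source address, validating its checksum, and the ingress (BCP 38 style)
anti-spoofing check a perimeter filter applies to such a packet.

Only the header bytes are built here; putting them on the wire needs a raw
socket and privileges and is not part of this demo. Addresses are chosen
for the example.
"""
import ipaddress
import struct

# ver/ihl, tos, total len, id, flags+frag, ttl, proto, checksum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Over a header that already contains a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 17, payload_len: int = 0,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Attacker side: the source address is just a field; any value can be written."""
    ver_ihl = (4 << 4) | 5                              # IPv4, 5 words, no options
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Sniffer side: decode the fields and verify the checksum."""
    f = struct.unpack(IPV4_FMT, pkt[:20])
    return {
        "src": str(ipaddress.IPv4Address(f[8])),
        "dst": str(ipaddress.IPv4Address(f[9])),
        "ttl": f[5],
        "proto": f[6],
        "checksum_ok": ip_checksum(pkt[:20]) == 0,
    }


def ingress_filter(pkt: bytes, from_external: bool, internal_net: str) -> str:
    """Perimeter check: a packet arriving on the outside interface must not claim
    an inside source address; a bad checksum is dropped before anything else."""
    h = parse_ipv4_header(pkt)
    if not h["checksum_ok"]:
        return "DROP"
    if from_external and ipaddress.IPv4Address(h["src"]) in ipaddress.ip_network(internal_net):
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    spoofed = build_ipv4_header("10.0.0.5", "203.0.113.9", payload_len=8)
    print(parse_ipv4_header(spoofed))
    print("outside interface:", ingress_filter(spoofed, True, "10.0.0.0/8"))
```

The checksum does not help against spoofing: the attacker computes it over the forged header, so it verifies. What the filter can check is consistency between the claimed source and the interface the packet arrived on, which is why the test is a network-membership test rather than a header-validity test. The same packet is accepted on the inside interface, where a 10.0.0.0/8 source is legitimate.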

Conclusion
 Analyze each potential threat and its impact
 Complete security testing may not be feasible; prioritize by risk
 Collect the information needed to secure the business environment
 Should be done as early as possible in the development cycle
 Should identify the security requirements
 Requires a specific understanding of the various processes
 Should provide recommendations to overcome the weaknesses found

Thank You
