Domain 6: Security Assessment & Testing (Weightage 12.%)
Security assessment and testing are essential components of any information security program. Security assessments include vulnerability scanning, penetration testing, and testing software using static and dynamic methods.
A white hat hacker is authorized to try to penetrate an organization’s electronic or physical perimeter. Penetration tests include tests of network internet, internal or DMZ wireless, war dialing and physical access. A zero-knowledge or black-box test is also known as blind. The penetration tester starts with no external or trusted information, and then begins the attack using only public information. Full-knowledge tests (also known as crystal-box tests) provide internal information to the penetration test, including network diagrams and policies, procedures, and sometimes reports from other penetration testers. Partial-knowledge tests range from zero to full knowledge. The penetration tester only receives limited trusted information. Any sensitive data accessed during the penetration test must be kept confidential by the penetration testers. Penetration testers should ensure that the client’s systems are secure and that their data integrity is maintained.
Next, it covers vulnerability testing or scanning. This is to scan a system or network for predefined vulnerabilities like system misconfigurations, outdated software or a lack thereof. A security audit is a test against an established standard. Audits can be conducted to ensure compliance with the Payment Card Industry Data Security Standard. Security assessments are a holistic way to assess the effectiveness of access control. Security audit logs within an IT system are a great way to check that access control mechanisms are working properly. It also serves as detective control.
Next, it will discuss Software Testing methods. This is basically testing the features, stability, and functionality of the software. Testing increasingly focuses on identifying specific programming errors that can lead to system compromises, such as a lack of bounds-checking. Static testing is passive testing of the code. The code is not running. This includes code reviews, syntax checking, walkthroughs, and syntax checking. Dynamic testing is a way to test the code as it is being executed. Dynamic testing allows security checks to be performed while the code or application is being executed. A traceability matrix, also known as a requirements traceability matrix (RTM), is used to map customer requirements to the software testing plan. It traces the requirements and ensures they are being met.
Fuzz testing is a form of black-box testing in which random, malformed data is submitted to software programs to determine whether they will crash. Misuse case testing is a way to test the functionality of applications. Combinatorial software testing, a black-box method of testing software inputs, is a way to identify and test every possible combination. Code coverage analysis or test is a method of determining the extent to which code testing applies across the entire application. Interface testing focuses on ensuring that the functionality is available across all ways users can interact with it.