Foundational Security Testing Methods
2 Days
This is a practical course designed to provide a foundation for security testing. You will learn the terminology, the unique issues, and the process for testing security in web and enterprise applications. As a result of attending this seminar, you should be able to understand security issues and have an increased comfort level in testing the security of web-based and enterprise applications.
This is an ideal course for test team managers and leaders who need to understand security testing and how to integrate it into existing software testing activities. It is also a foundational course for people seeking further training in security testing, such as the ISTQB Advanced Level Security Tester certification. (This course does not lead to certification and is not a prerequisite for the ISTQB Advanced Level Security Tester certification.)
Foundational Security Testing Methods will help you become more comfortable and confident in dealing with security testing issues. You will emerge from this two-day session knowing how to develop a security testing strategy and a security test plan. You will learn how attackers break into systems, how they think, and how to design tests that validate that the security controls in place are adequate to prevent such attacks.
The information that your company obtains and stores is perhaps its most valuable corporate asset. This course shows how to protect it and how to verify that the protection measures actually work.
Return on Investment
- Protect your most valuable corporate asset - your data
- Understand how the attackers think
- Become familiar with information security threats and risks so that you can define effective security tests
- Understand which risks are associated with security issues and how they can affect your test planning and execution.
- Learn which tools can be used in security testing
- Advance your career by broadening your testing expertise.
Who Will Benefit
- QA Managers
- Test managers
- Test analysts
- Testers
- End users
- Web developers
- General managers who are responsible for making IT security decisions in their organizations
- IT auditors and internal auditors
The program requires basic IT and testing knowledge or experience.
Program Information
This course is presented on an in-house basis only, unless offered as a live virtual course.
To register for the live virtual course: https://www.mysoftwaretesting.com/Foundational_Security_Test_Methods_p/fstmvirt.htm
Topics
Module SECA - Introduction to Computer Security (45 Mins.)
This is an introduction to basic concepts of information security in a variety of environments, including web-based and internal corporate systems. Security will be examined in the light of risks, benefits and threats.
- What is Security Testing?
- Is Security Testing Possible?
- The Risks
- Costs
- National Security
- Business Survival
- The Benefits
- Customer Confidence
- National Security
- The Threats
- External
- Internal
- COTS-based applications
- Who is at Risk?
- Individuals
- Companies
- Government Agencies
- Schools
- The Impact of New Technologies
- Cloud
- Mobile
- Who Should be Responsible for Security Testing?
Module SECB - Understanding the Attackers (1 Hr.)
By understanding how computer crooks think, security professionals and testers can leverage that information to effectively audit and test systems.
- Who are the Attackers?
- Motivations of Attackers
- What Tools do Attackers Use?
- Where do Attackers Meet?
- How do they Work?
- The Five Phases of a Security Attack
- Phase 1 – Reconnaissance
- Phase 2 – Scanning
- Phase 3 – Gaining Access
- Phase 4 – Maintaining Access
- Phase 5 – Covering Tracks and Hiding
Module SECD - Security Protocols and Techniques (1 Hr.)
There are a variety of security protocols and techniques that are commonly in use. This module examines those techniques and how they work.
- Authentication and Authorization Methods
- Transaction Security Essentials
- Encryption Basics
- PKI
- Public Keys
- Private Keys
- How Public Key Encryption Works
- Core PKI Services
- Data Encryption Standard (DES) File Encryption
- VPNs
- Digital Certificates
- Certification Authorities
- Digital Signatures
- Data Obfuscation
- Firewalls
- Anti-virus software
- Intrusion detection
- SSL/TLS
- Cookies
- Summary
Module SECE - Internet Privacy and Information Privacy (45 mins.)
There is considerable debate as to whether there is such a thing as privacy in the digital age. Even if one assumes that little privacy remains, there are still significant privacy concerns that individuals and organizations need to be aware of. Inattention to privacy can damage a company's online business and cause personal losses for individuals.
- Is There Such a Thing as "Internet Privacy?"
- Privacy Threats
- Unprotected data
- Cookies
- Unauthorized sale of data
- Social engineering
- Improper disposal of private data
- Privacy Remedies
- Information Privacy Concerns - How Crooks Steal and Exploit Sensitive Corporate Information
- Corporate Espionage
- Protecting Private Information in Internal Systems
- Desktops
- Servers
- Mainframes
- Off-site Storage
- Verifying and Validating the Protection of Sensitive Information
- Web-based
- Cloud
- Mobile
- Internal data
- Physical items
Module SECF - A Process for Security Testing (1 Hr.)
This module presents a process for planning, conducting and evaluating security testing.
- Determine Test Strategy and Tools
- Perform Security Assessment
- Develop Security Policy
- Identify Security Risks: Functional & Structural
- Script Functions To Be Security Tested
- Design Automated Security Tests
- Perform Test And Report Results
Module SECG - How to Develop a Security Testing Strategy (1 Hr.)
Like other forms of testing, the test strategy is an effective way to define the test objectives, the scope of testing, and the attributes that make testing a particular system or web site unique.
- How Testing Fits into an Enterprise Security Process
- Questions for Determining a Security Test Strategy
- What are the Security Risks?
- Which Tools are Available for Testing?
- Which Tools are Available for Prevention?
- The Tradeoffs Between Manual and Automated Testing
- Which Kinds of Verification Can be Performed?
- Who Will Perform Security Testing?
- What Kind of Test Environment Will Be Required?
- What Will be the Scope of Security Testing?
- How Will Security Tests Be Evaluated?
- What Constraints Exist for Security Testing?
- When Will Security Testing be Performed?
- Exercise - Case Study
Module SECI - Writing a Security Test Plan (1 Hr.)
This module describes how to customize your own security test plan standard and how to use that standard in developing security test plans.
- Defining a Security Test Plan Standard
- Defining the Scope of Test Planning
- Defining Who Will Perform Testing
- Assemble Test Planning Information as Defined in the Standard
- Reviewing the Plan
- Approving the Plan
- A Sample Security Test Plan
- A Security Test Plan Checklist
- Exercise and Discussion - Reviewing the Sample Security Test Plan
Module SECJ - Understanding Security Attacks and Developing Security Test Cases (3 Hrs.)
It is difficult to test anything until you understand it. This module covers in depth some of the most common and destructive network- and application-based attacks: how they are performed, how they can be prevented, and how you can test to confirm that the preventive measures have actually been applied. Topics include:
- External Intrusion
- Network attacks
- Routers
- Firewalls
- Network Mapping
- Network Scanning
- Fragmentation
- Weak Passwords
- Social Engineering
- Application-based attacks
- Web-based applications
- Buffer overflows
- Backdoors
- Trojan Horses
- RootKits
- Developer Defenses
- Language-based Vulnerabilities
- Denial-of-Service Attacks
- Virus Attacks
- Password Hacks
- Cookies
- Session Tracking
- SQL Piggybacking
- SQL Injection
- URL Redirection
- Cross-site Scripting (XSS)
- Exercise - Developing Security Test Cases
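The following is an added example, not part of the course materials, of the kind of security test case the SQL Injection topics and the "Developing Security Test Cases" exercise above call for. It checks a login routine against injection payloads and shows why a vulnerable implementation (query built by string concatenation) fails the tests while a hardened one (bound parameters) passes. The schema, the two sample accounts and the attack payloads are constructed for this example; it runs offline against an in-memory SQLite database.

```python
"""
Added example (not from the course): a security test case for SQL injection.
Constructed data: one 'users' table with two accounts; payloads below are
classic tautology and comment-termination injections.
"""
import sqlite3

# Constructed sample accounts.
USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Builds the query by string concatenation: the injectable form."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, username: str, password: str) -> bool:
    """Same check with bound parameters: user input never reaches the SQL parser as code."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Each case is (username, password, expected result). The expected result is the
# SECURE behaviour, so a failing case reveals that the control is missing.
SECURITY_TEST_CASES = [
    ("alice", "correct-horse", True),       # positive control: valid login works
    ("alice", "wrong", False),              # negative control: bad password rejected
    ("alice' --", "anything", False),       # comment terminator drops password check
    ("' OR '1'='1", "' OR '1'='1", False),  # tautology bypass
    ("x' OR 1=1 --", "", False),            # tautology plus comment
]


def run_security_tests(login) -> dict:
    """Runs every case against a login function; returns {case: passed}."""
    conn = make_db()
    results = {}
    for username, password, expected in SECURITY_TEST_CASES:
        try:
            outcome = login(conn, username, password)
        except sqlite3.Error:
            # A SQL error on attacker input means the input reached the parser:
            # record it as a failed case rather than aborting the run.
            outcome = "error"
        results[f"{username!r}/{password!r}"] = (outcome == expected)
    return results


def all_passed(login) -> bool:
    return all(run_security_tests(login).values())


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "PASS" if all_passed(fn) else "FAIL", run_security_tests(fn))
```

The two control cases matter: without the positive control a login that rejects everything would "pass" every injection case, and without the negative control a login that accepts everything would still fail for the wrong reason. Against the vulnerable routine only the two controls pass; against the hardened routine all five cases pass.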
Module SECK - Performing Security Tests (1 Hr.)
Performing security testing can be a difficult and risky effort. This module discusses what to consider in establishing the test environment, how to communicate when tests will be run and to whom, how to interpret the test results, and how to stay out of trouble while performing the tests.
- Establishing the Test Environment
- Penetration Testing
- Validating Existing Security Controls
- Obtaining Authorization for Security Testing
- Language-based Tests
- Testing COTS-based Applications
- Regression Testing
- Reviewing Logs and Alerts
- Exercise - Performing Security Tests
Module SECL - Reporting the Results of Security Testing (1 Hr.)
This module presents a standard for security test reporting and a sample security test report.
- Reporting Security Vulnerabilities
- Developing a Security Test Report Standard
- A Sample Security Test Report
- Exercise - Writing a Security Test Report
Module SECM - Security Testing Tools (45 mins.)
There are a variety of tools that can be used to detect network vulnerabilities, measure behaviour under excessive load, and identify the traces of attacker activity.
- Code Scanners
- Packet Building
- Load and Stress Testing
- Network Packet Sniffers
- Password Audit Tools
- Virus Scanners
- Information Querying
- Intrusion Detection
- Network Monitoring
Module SECL - How to Write a Security Response and Recovery Plan (30 min.)
You have done all you can to prevent an attack, but how will your organization respond to a new type of attack? How will you know that the security response plan works? This module presents a standard for a security response and recovery plan. A sample security response and recovery plan is reviewed and its applicability assessed against a case study.
- The Role of Testing in Developing a Security Response and Recovery Plan Standard
- A Sample Security Response and Recovery Plan
- Exercise - Review the Sample Security Response and Recovery Plan
- Exercise - Case study
Module SECN - Developing an Action Plan for Security (30 mins)
In this module, you will develop an action plan for yourself and your organization to address security testing.
- Identifying Your Greatest Needs
- Developing an Action Plan