
Hi Community, I would like to know how security testing is performed and whether there are any tools that can be used to scan the code and identify vulnerabilities in it.


Various ways, but think of it largely as being performed by pointing tools at the System Under Test. The tools have a wide range of known attack surfaces to scan for, which you can select.


Attack surfaces could include for example:

  • which ports are open on the computer (8080, 443, 1521 etc.)
  • how visible the computer is (is ICMP/PING available, firewall access, and which domain trusts can see it)
  • what permission sets are set up: which accounts can access it, or parts of it? Are these in line with best practices (e.g. an OS administrator account with no password)?
  • what folders are shared, what has read access, what has write access
  • is the OS and installed software patched up to date, and are there known vulnerabilities in this software as listed in popular, common security databases of attacks in the wild
  • for a given database, what level of server, database, table and security account permissions are set up. Are these in line with best practices (e.g. leaving the SQL Server ‘sa’ account enabled)?
  • for a website login page, the tools will attempt various attacks, like entering malformed SQL in the username and password fields to check for SQLi attacks, malformed JavaScript to check for XSS attacks, and more

The hard part isn’t so much using these tools, which do most of the work for you; it’s investigating the results and writing the final vulnerability findings report. For that you need really expert security testing members who are highly trained and experienced. It’s really not an easy role and, like general network security, these members need to be constantly informed and constantly learning about new threats.


There is another set of tools for the code, which can be used by developers and/or security testers. If you search the web for “security scan code” or “static code analysis”, you’ll be able to find a few of these, which are often run in the IDE.
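As an added example (not part of Alex's reply or of the original thread), here is a minimal static check of the kind the IDE plugins he mentions perform, written with only Python's standard-library `ast` module. It looks for calls to `execute`/`executemany`/`executescript` whose first argument is assembled at run time (f-string, concatenation, `%` or `.format()`), which is the pattern behind most SQL injection bugs. The source it scans, `SAMPLE_SOURCE`, is constructed for the example; the sink names and the reason strings are this example's own choices.

```python
"""Added example: a tiny SAST-style check for SQL assembled from strings.

Not code from the thread or from any product. It shows the kind of syntactic
check an IDE plugin performs, using only Python's ast module.
"""
import ast

# Constructed sample source to scan (hypothetical; not from any real project).
SAMPLE_SOURCE = '''
import sqlite3

def find_user_concat(cur, name):
    return cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_fstring(cur, name):
    return cur.execute(f"SELECT * FROM users WHERE name = '{name}'")

def find_user_percent(cur, name):
    return cur.execute("SELECT * FROM users WHERE name = '%s'" % name)

def find_user_format(cur, name):
    return cur.execute("SELECT * FROM users WHERE name = '{}'".format(name))

def find_user_safe(cur, name):
    return cur.execute("SELECT * FROM users WHERE name = ?", (name,))

def long_constant_query(cur):
    return cur.execute("SELECT id FROM users " + "WHERE active = 1")
'''

# DB-API methods that hand their first argument to the database as SQL text.
SINK_NAMES = {"execute", "executemany", "executescript"}


def _has_runtime_input(node):
    """True if the expression pulls in anything that is not a literal."""
    return any(isinstance(n, (ast.Name, ast.Attribute, ast.Call, ast.Subscript))
               for n in ast.walk(node))


def _dynamic_sql_reason(node):
    """Return why the SQL argument is built at run time, or None if it is effectively a literal."""
    if isinstance(node, ast.JoinedStr):
        if any(isinstance(v, ast.FormattedValue) for v in node.values):
            return "f-string interpolation"
    elif isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "a" + "b" with only literals is fine; "a" + name is not.
        if _has_runtime_input(node):
            return "string concatenation" if isinstance(node.op, ast.Add) else "% formatting"
    elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
          and node.func.attr == "format"):
        return ".format() call"
    return None


def scan_source(source, filename="<sample>"):
    """Scan Python source; return [(line, reason)] for each SQL sink fed a dynamic string."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        sink = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if sink not in SINK_NAMES:
            continue
        reason = _dynamic_sql_reason(node.args[0])
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in scan_source(SAMPLE_SOURCE):
        print(f"sample.py:{line}: SQL built via {reason}; use a parameterized query instead")
```

Running it flags the four dynamic queries and leaves the parameterized one and the literal-only concatenation alone. The limits are also worth seeing: the check is purely syntactic, so a query assigned to a variable first (`q = f"..."; cur.execute(q)`) is missed, and a concatenated value that comes from trusted configuration is still reported. Commercial SAST tools add data-flow (taint) tracking to reduce both kinds of error, which is why their findings still need the expert review Alex describes.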


As Alex mentioned, there are many tools for security testing. If we are speaking about secure development, what usually comes to mind are two terms: SAST and DAST. Each of them is used in different cases and has its ups and downs. In the best-case scenario, we would love to use both of them, since that would give us the most accurate view of the current threat landscape.

  • SAST (Static Application Security Testing) is probably the most frequently used one. It scans the code to find security vulnerabilities earlier in the software development life cycle. Most companies are using it, and some platforms even have a free version of a SAST tool already integrated. There are a lot of fancy plugins that can also be used to add the tool right into your IDE, so you can for example scan the code after each save or commit.
  • DAST (Dynamic Application Security Testing) is quite useful when you are looking for vulnerabilities and weaknesses in a running application (typically a web application). It does so by employing fault injection techniques (feeding malicious data) to uncover things such as SQL injection and cross-site scripting. Compared to its static counterpart it can also uncover some authentication and configuration issues (for example, some flaws might only be visible once a user logs in).

SAST is an example of white-box testing, as you have to have access to the source code. DAST, on the other hand, represents black-box testing, as it tests the running application.


There are free and paid versions, with each tool having its ups and downs. I won’t be naming the exact tools, but if you look for the “TOP10” you should be able to find them easily.


There are also IAST, RASP and much more, but we can stick to these two for the majority of businesses. :)
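As an added example (not part of this reply or of the thread), the following Python shows the DAST side of the comparison: a black-box probe that feeds a login handler the malformed SQL the reply describes and judges only from the responses. To keep it runnable offline, the "application" is an in-process function returning an HTTP-like `(status, body)` pair instead of a real HTTP endpoint; the users table, the `alice` account and the payload set are constructed for the example. A vulnerable handler and its parameterized counterpart are probed side by side.

```python
"""Added example: a DAST-style SQL injection probe against a running login handler.

Not code from the thread. The "application" is an in-process function returning
an HTTP-like (status, body) pair so the example runs offline; a real DAST tool
sends the same payloads over HTTP and reads the same kinds of signals.
"""
import sqlite3


def _make_db():
    """Constructed sample database with one user (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


DB = _make_db()


def _respond(query, params=()):
    """Run a login query and translate the outcome into an HTTP-like (status, body)."""
    try:
        row = DB.execute(query, params).fetchone()
    except sqlite3.Error as exc:
        return 500, f"Internal error: {exc}"   # error text leaks to the client, as many apps do
    return (200, "Welcome") if row else (401, "Invalid credentials")


def vulnerable_login(username, password):
    """Login handler that splices user input straight into the SQL text."""
    return _respond(
        f"SELECT name FROM users WHERE name = '{username}' AND password = '{password}'")


def hardened_login(username, password):
    """Same handler with a parameterized query; the DB never parses the input as SQL."""
    return _respond("SELECT name FROM users WHERE name = ? AND password = ?",
                    (username, password))


# Classic SQLi probes: a lone quote (breaks the syntax) and two tautologies (bypass auth).
PAYLOADS = {
    "lone quote": "'",
    "tautology": "' OR '1'='1",
    "comment-out": "' OR 1=1 --",
}


def probe_login(endpoint):
    """Black-box probe: compare each payload's response with a known-bad baseline."""
    findings = []
    base_status, _ = endpoint("nobody", "wrong-password")
    for label, payload in PAYLOADS.items():
        status, body = endpoint("nobody", payload)
        if status == 500:
            # A server error on a quote means the input reached the SQL parser.
            findings.append(f"{label}: server error with body {body!r}")
        elif status == 200 and base_status != 200:
            # Logged in with no valid credentials: the WHERE clause was rewritten.
            findings.append(f"{label}: login succeeded without valid credentials")
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable_login", vulnerable_login),
                          ("hardened_login", hardened_login)):
        print(f"{name}: {probe_login(handler) or ['no findings']}")
```

Against `vulnerable_login` the lone quote produces a 500 with the database error in the body, and both tautologies log in as the first user in the table; against `hardened_login` every payload gets the same 401 as a wrong password. That is the whole of what a DAST scanner has to work with: no source, only differences in status, body and timing between a baseline request and a malicious one, which is also why it can exercise post-login behaviour that a static scan never sees.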

