Security Testing
It is a testing process performed for detecting flaws in security mechanisms and finding the vulnerabilities of software applications in order to protect the system from external attacks and threats.
We focus on security testing to:
- Identify viruses if any
- Search for open ports or weak points of the system
- Identify weaknesses in password files and passwords
- Detect intrusions such as denial of service (DoS) attacks
- Simulate various types of external attacks
From day one we knew we made the right decision for choosing Promatics among other proposals we received. The entire Promatics team is a collection of creative, polite and professional people who know what they are doing. If you are looking to get your project done better than you can even imagine than do not look for other provider Promatics is the best company you will find. Now that...
Read more
Security testing
Nowadays businesses need to focus on security as it is one of the important aspects of any system. Current business environments are full of potential risks; hence there is a growing need to address security issues to avoid any undesirable event compromising the security of the system. For any organization its data and IPs are of utmost importance and hence organizations should enforce security measures towards the protection of its data and IP. Businesses are increasingly facing numerous security threats within their networks. Identity thefts have made enterprises bear huge costs in recent times. There is an urgent need to set rules and policies for Internet usage within the organisations which are significant areas where businesses can prevent attacks and save huge costs. Every organisation should invest in security testing combined with a good anti-virus solution which gives them full protection from external and internal data theft or attacks by malware etc.
There are multiple security testing methods that address the rising security risks and associated issues and threats.
Types of Security Testing:
- Threat Modelling
- Penetration Testing
- Source Code Review
- Server Security Review
Types of Security Testing
Penetration Testing:
It is a method of attacking a computer system with the intention of finding security weaknesses, gaining access to data and the possible functionalities of the system. It helps to determine whether a system is vulnerable to attacks. It also helps to test the ability of network defenders to detect and respond to the attacks successfully.
Source Code Review:
This method can often detect and eliminate common vulnerabilities such as format string exploits, race conditions, memory leaks and buffer overflows, thereby improving the overall software security of the system. Two types of reviews can be used.
- Formal code review: A careful and detailed process with multiple coders and multiple phases. This method is very thorough and effective at finding defects in the code under review.
- Lightweight code review: It requires less overhead than formal code inspections and are effective. These reviews are often done as part of the development process itself.
- Server Security Review: This method ensures the maximum safety and security of servers. There are certain steps that are important and must be taken care of:
- a. Create separate accounts: Each person who requires access to the server should be assigned their own separate user account. Each individual should be assigned a unique user name and password
- b. Manage Passwords: Setting strong passwords is the most important method used to secure the server, so it is important to assign and manage the passwords with care.
- c. Deploy A Firewall: This is one of the basic precautions to secure the server.
- d. Minimize running apps and processes: This practice reduce the risk of attacks on the server.
- e. Server security settings: The settings must be set well, using the default settings isn’t always recommended. Change the settings according to your server requirements
- f. SSL: Trusted, Encrypted Transfers: Standard FTP and HTTP are generally considered insecure because commands and data are transferred in clear text between the client and server. So it is necessary to ensure encrypted transfers for security of data over the network.
Threat Modeling:
It is a structured method used to understand and mitigate threats against the system iteratively. This method comprises of four important steps:
- Decompose the application - Understand how the application works and how it interacts with external entities
- Determine and rank threats – Use Application Security Frame (ASF) for threat categorization to help identify threats.
- Determine countermeasures and mitigation – Use threat-countermeasure mapping lists. Assign risk ranking to the threats and prioritize the mitigation effort by responding to such threats by applying the identified countermeasures.
Penetration test Standards
We abide by the Penetration test Standards to create maximum value for the client and to provide continuous and measurable Quality services. We use a combination of the Penetration Test Execution Standards (PTES) and the Open Source Security Testing Methodology Manual (OSSTMM) because there is no single standard that completely solves the security issues.The OSSTMM caters to operational security We use the OSSTMM to cover the what and when aspects, and to focus more in standardizing the reporting side of the pen test, while the PTES for a more technical approach that goes deeper with the how aspect of testing.
After all security problems are discovered they are reported to the system owner together with the impact analysis report. The analysis also proposes probable mitigations to identified problems.We have adopted the penetration testing technique because it is cost effective, fast and needs a relatively lower skill-set compared to source code reviews. Also it tests the code that is being exposed. Our penetration testing technique typically involves manual test planning, preparation, and execution to be able to flexibly react to the system under test.
How we do it?
We perform penetration testing for securing systems. The Testing can be categorized into three types:
- Black box: We test the network, the OS or a running application remotely to find associated security vulnerabilities, without knowing the actual workings or functions of the application, which is also known as the Black box approach.
- White box: We test a situation in which attackers have full knowledge of the system to be attacked. The goal of a white-box penetration test is to simulate the presence of a malicious inside attacker.
- Grey box: We also use a combination of black-box and white-box testing methods called grey box testing. A gray-box tester knows the internal structure of the system under attack but partially.
The testers from our team behave or take on the role of attackers and attempt to find and exploit vulnerabilities within the system. In many cases the testers are given a valid account on the system.
As web applications are generally customised to unique business requirements, penetration testing in the web application space is more similar to research. There are tools available in the market to automate the process but with the bespoke nature of web applications their effectiveness is poor. However, focused penetration testing is useful in detecting if some specific vulnerability is actually fixed in the source code deployed on the web site.
Security testing tools:
We use tools to test security of the system by hacking it. The attacks may focus on any of the component such as the network, the support software, the application code or the underlying database.
We use testing tools such as Nessus for vulnerability scanning and the Metasploit framework which is one of the most widely adopted tool to exploit system vulnerabilities.
Like What You See? Let’s Work Together.
Request a Quote