# Security Assessment and Testing

* **Security Testing**
  * Verify that controls are working properly
    * Includes
      * Automated scans
      * Tool-assisted penetration tests
      * Manual attempts to undermine security
    * Factors to consider
      * Availability of security testing resources
      * Criticality of systems and applications protected by the security controls
      * Sensitivity of information
      * Likelihood of technical failure
      * Likelihood of misconfiguration
      * Risk of coming under attack
      * Rate of change of the control configuration
      * Difficulty and time required to perform a control test
      * Impact of the test on normal business operations
* **Security Assessments**
  * Comprehensive reviews of the security of a system, application or other environment
  * Performs a risk assessment that identifies vulnerabilities in the environment that may allow a compromise and makes recommendations for remediation
  * Reviews of the threat environment, current and future risks and the value of the targeted environment
  * Produces an assessment report addressed to management
  * Conducted by an internal team or can be outsourced to a third party assessment team
  * [NIST SP 800-53A](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf)
* **Security Audits**
  * Have to be performed by independent auditors
  * Unlike assessments, which are usually requested by the security organization itself, are meant for internal use and are designed to evaluate controls and find improvements, audits are meant to demonstrate to a third party how effective the controls are
  * **Three main types**
    * Internal
    * External
    * Third-party
* **Internal Audits**
  * Performed by an organization's internal audit staff and meant for internal audiences
* **External Audits**
  * Performed by an outside auditing firm
  * *Auditing firms*
    * Ernst & Young
    * Deloitte & Touche
    * PricewaterhouseCoopers
    * KPMG
* **Third-Party Audits**
  * Conducted by, or on behalf of, another organization (for example, a regulator with authority over the organization)
* **Auditing Standards**
  * Standards provide the description of control objectives that should be met
  * **Examples**
    * **COBIT** (Control Objectives for Information and Related Technologies) - describes the common requirements that organizations should have in place surrounding their information systems
    * **ISO 27001** - standard approach for setting up an information security management system
    * **ISO 27002** - goes into specifics of information security controls

### Performing Vulnerability Assessments

* **Describing Vulnerabilities**
  * NIST's **Security Content Automation Protocol (SCAP)** bundles several component standards for describing vulnerabilities and configurations in a machine-readable way
  * *CVE* (Common Vulnerabilities and Exposures) - provides a naming system for describing security vulnerabilities
  * *CVSS* (Common Vulnerability Scoring System) - provides a standardized scoring system for describing the severity of security vulnerabilities
  * *CCE* (Common Configuration Enumeration) - provides a naming system for system configuration issues
  * *CPE* (Common Platform Enumeration) - provides a naming system for operating systems, applications and devices
  * *XCCDF* (Extensible Configuration Checklist Description Format) - provides a language for specifying security checklists
  * *OVAL* (Open Vulnerability and Assessment Language) - provides a language for describing security testing procedures
* **Vulnerability Management Workflow**
  * **Steps**
    * **Detection** - initial identification of a vulnerability
    * **Validation** - administrators confirm that the finding is genuine and not a false positive
    * **Remediation** - validated vulnerabilities then should be remediated

### Software Testing

* **Code Review**
  * The foundation of software assessment programs
  * **Steps** (of a formal Fagan inspection, the most rigorous form of code review)
    1. Planning
    2. Overview
    3. Preparation
    4. Inspection
    5. Rework
    6. Follow-up
* **Static Testing**
  * Evaluates the security of software without running it by analyzing either the source code or the compiled application
* **Dynamic Testing**
  * Evaluates the security of software in a runtime environment
  * Often the only option for organizations deploying applications written by someone else
* **Fuzz Testing**
  * Specialized dynamic testing technique that provides many different types of input to software to stress its limits and find new flaws
  * **Types**
    * **Mutation** - takes previous input values from actual operation of the software and manipulates them to create fuzzed input
    * **Generational** - Develops data models and creates new fuzzed input based on an understanding of the types of data used by the program.
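
To make the mutation/generational distinction concrete, here is an added example (not code from the original notes) of both strategies driving the same target. The target is a constructed toy: a type-length-value record parser that trusts its length byte, so an inconsistent length raises `IndexError`, which the harness treats as the crash a fuzzer is looking for. The seed corpus is likewise constructed, and the strategy names and helper functions are this example's own.

```python
import random

# Toy target, constructed for this example: a type-length-value (TLV) record
# parser that trusts the length byte. A length that runs past the end of the
# buffer, or a record truncated after its type byte, raises IndexError. That
# exception stands in for the crash a fuzzer hunts for.
def parse_tlv(data):
    records, i = [], 0
    while i < len(data):
        rtype, length = data[i], data[i + 1]                     # IndexError if no length byte
        payload = bytes(data[i + 2 + k] for k in range(length))  # IndexError if length lies
        records.append((rtype, payload))
        i += 2 + length
    return records


CORPUS = [b"\x01\x02hi\x02\x03bye"]           # constructed "real traffic" seed input
INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)  # boundary values worth planting


def mutate(seed, rng):
    """Mutation fuzzing: start from a real input and damage it a little."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "set", "insert", "delete", "dup"))
        if op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif not data:
            continue                              # remaining ops need at least one byte
        elif op == "flip":
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "set":
            data[rng.randrange(len(data))] = rng.choice(INTERESTING)
        elif op == "delete":
            del data[rng.randrange(len(data))]
        else:                                     # dup: duplicate a slice in place
            a = rng.randrange(len(data))
            b = rng.randint(a, len(data))
            data[b:b] = data[a:b]
    return bytes(data)


def generate(rng):
    """Generational fuzzing: build inputs from a model of the format (a sequence
    of TLV records) and deliberately break the length/payload invariant some of
    the time, because that is where the parser's trust lives."""
    out = bytearray()
    for _ in range(rng.randint(0, 4)):
        payload = bytes(rng.randrange(256) for _ in range(rng.randint(0, 6)))
        length = len(payload)
        if rng.random() < 0.2:
            length = rng.choice((0, len(payload) + 1, 0xFF))
        out += bytes((rng.randrange(256), length)) + payload
    return bytes(out)


def run_target(data):
    """Return None if the target handled the input, else the exception class name."""
    try:
        parse_tlv(data)
        return None
    except Exception as exc:   # a real harness would watch for signals and timeouts too
        return type(exc).__name__


def fuzz(make_input, iterations, seed=1):
    """Drive the target with fuzzed inputs; return {exception name: first crashing input}.
    The RNG is seeded so a run can be reproduced when triaging a crash."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        data = make_input(rng)
        outcome = run_target(data)
        if outcome and outcome not in crashes:
            crashes[outcome] = data
    return crashes


def mutation_input(rng):
    return mutate(rng.choice(CORPUS), rng)


if __name__ == "__main__":
    for name, strategy in (("mutation", mutation_input), ("generational", generate)):
        for exc, data in fuzz(strategy, 2000).items():
            print(f"{name:12s} {exc}: {data!r}")
```

Both strategies find the length bug quickly here, but they fail in different ways on harder targets: mutation fuzzing only ever explores near the seeds it was given, so a format the corpus never exercised stays untested, while generational fuzzing is only as good as its model of the format and needs the "break the invariant" step to reach anything the specification did not anticipate.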

### Interface Testing

* An important part of the development of complex software systems
* Tests the performance of modules against the interface specifications to make sure they will work properly
* **Types**
  * **APIs** - A standardized way for code modules to interact and may be exposed to the outside world through web services
  * **User Interfaces (UIs)** - Should include reviews of all user interfaces to verify that they function properly
    * **Physical Interfaces** - Present in applications that manipulate machinery, controllers or other objects in the physical world; these must also be tested against their specifications

### Key Performance and Risk Indicators

* Number of open vulnerabilities
* Time to resolve vulnerabilities
* Vulnerability / defect recurrence
* Number of compromised accounts
* Number of software flaws detected in preproduction scanning
* Repeat audit findings
* User attempts to visit known malicious sites
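
The indicators above only mean something if they are computed consistently from the vulnerability management workflow (detection, validation, remediation). The following is an added example, not code from the original notes, that takes a constructed list of findings carried through that workflow and derives several of the listed indicators: open vulnerabilities by severity, time to resolve, recurrence, plus the validation backlog and false-positive rate that a team would want next to them. Field names, the findings themselves and the date used as "today" are all this example's assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample findings (not real scanner output). Each row is one
# detection of a vulnerability on a host, carried through the workflow:
# detected -> validated (or marked false positive at validation) -> remediated.
# Dates are ISO strings; None means that step has not happened yet.
FINDINGS = [
    {"host": "web-01", "name": "openssh-outdated", "severity": "high",
     "detected": "2024-01-02", "validated": "2024-01-03", "remediated": "2024-01-09", "false_positive": False},
    {"host": "web-01", "name": "tls-weak-cipher", "severity": "medium",
     "detected": "2024-01-02", "validated": "2024-01-04", "remediated": None, "false_positive": False},
    {"host": "db-01", "name": "default-creds", "severity": "critical",
     "detected": "2024-01-05", "validated": "2024-01-05", "remediated": "2024-01-06", "false_positive": False},
    {"host": "db-01", "name": "openssh-outdated", "severity": "high",
     "detected": "2024-01-05", "validated": "2024-01-05", "remediated": "2024-01-15", "false_positive": False},
    {"host": "web-02", "name": "tls-weak-cipher", "severity": "medium",
     "detected": "2024-01-10", "validated": "2024-01-11", "remediated": None, "false_positive": True},
    {"host": "web-01", "name": "openssh-outdated", "severity": "high",   # came back after a fix
     "detected": "2024-02-01", "validated": "2024-02-02", "remediated": None, "false_positive": False},
    {"host": "app-01", "name": "outdated-lib", "severity": "low",         # still awaiting validation
     "detected": "2024-02-03", "validated": None, "remediated": None, "false_positive": False},
]


def _d(s):
    return date.fromisoformat(s)


def recurrences(findings):
    """(host, name) pairs detected again after an earlier finding for the same pair
    was remediated: the fix did not stick (reimaged host, config drift, rollback)."""
    by_key = {}
    for f in findings:
        by_key.setdefault((f["host"], f["name"]), []).append(f)
    recurring = set()
    for key, rows in by_key.items():
        rows = sorted(rows, key=lambda r: r["detected"])
        for earlier, later in zip(rows, rows[1:]):
            if earlier["remediated"] and later["detected"] > earlier["remediated"]:
                recurring.add(key)
    return recurring


def kpis(findings, today):
    """Derive the indicators from the findings list as of the given ISO date."""
    today = _d(today)
    open_by_severity, open_ages, days_to_resolve = {}, [], []
    validated = false_positives = awaiting_validation = 0
    for f in findings:
        if f["false_positive"]:            # decided at validation, so it counts as validated
            validated += 1
            false_positives += 1
            continue
        if f["validated"]:
            validated += 1
        else:
            awaiting_validation += 1
        if f["remediated"]:
            days_to_resolve.append((_d(f["remediated"]) - _d(f["detected"])).days)
        else:                              # open: genuine and not yet fixed, validated or not
            open_by_severity[f["severity"]] = open_by_severity.get(f["severity"], 0) + 1
            open_ages.append((today - _d(f["detected"])).days)
    return {
        "open_by_severity": open_by_severity,
        "open_total": sum(open_by_severity.values()),
        "oldest_open_days": max(open_ages, default=0),
        "awaiting_validation": awaiting_validation,
        "median_days_to_resolve": median(days_to_resolve) if days_to_resolve else None,
        "false_positive_rate": false_positives / validated if validated else 0.0,
        "recurrences": sorted(recurrences(findings)),
    }


if __name__ == "__main__":
    for k, v in kpis(FINDINGS, "2024-02-10").items():
        print(f"{k:24s} {v}")
```

Two design points matter for a KPI like this: a false positive must leave the "open" count the moment validation rejects it (otherwise the backlog is inflated and nobody trusts the number), and time to resolve should be measured from detection rather than validation, so a slow validation queue shows up in the metric instead of being hidden by it.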

### Related Notes

* Vulnerability Scanning
