Walter Kruse
Gentle Introduction to Security Testing for Testers
2016-09-16
Introduction
• Currently test automation at SARS
• 16 Years in software testing
• Made a career of technical testing
• Past author for trade publication, speaker, trainer
Agenda
• Positioning security testing
• Infosec in South Africa
• Threats
• Significance of threats
• Security testing overview
• Demos
• Resources
Positioning Security Testing
• Functional testing
• Non-functional testing
  – Performance testing
  – Security testing
  – Usability testing
• Security testing has manual and automated components
• Even manual security testing uses tools
Threats
• Identity theft and fraud
  – Social engineering: phishing, spear phishing, whaling, pharming, smishing, vishing
• Insecure infrastructure
  – Every node that is accessible from the internet
• Insecure applications
  – OWASP Top 10
  – SANS Top 20
Significance of threats
• Law: POPI Act
  – Lawful processing of personal information
  – If any information is compromised, the liability remains with the organization
• Compliance: King III (code of corporate governance)
  – Key principle: the requirement for effective auditing
• Standard: ISO/IEC 27002
  – Section 12 discusses software development
• Standard: Payment Card Industry Data Security Standard (PCI-DSS)
What do we do about it?
Security Testing Overview
• CIA Triad
  – Confidentiality
  – Integrity
  – Availability
• Security is:
  – Protection
  – Detection
  – Response
Security Testing Overview
• Audit
  – Formal
• Vulnerability Assessment
  – Prep for audit
• Penetration testing
  – On-going in some orgs.
  – Questionable value:
    – Big report
    – Test if a hole is closed
  – Prep for vulnerability assessment
• Security testing in the SDLC
  – Should be standardised
  – Enterprise tools
Network Scanning Demo
• NMap: Fundamental port scanning
• OpenVAS: Open source network audit scanner
• Conceptual walkthrough of vulnerability finding
  – Attacker’s perspective
  – Defender’s perspective
1: An old version of Apache
2: Attacker finds open ports
3: Attacker scans port 80
4: Attacker finds vulns on CVE
5: Attacker looks for an exploit
6: Defender scans server
7: Defender looks up details
8: Defender finds remediation
![Page 39: Gentle Introduction to Security Testing for Testers...• Prep for vulnerability assessment • Security testing in the SDLC • Should be standardised • Enterprise tools Security](https://reader035.vdocuments.site/reader035/viewer/2022062602/5edd8067ad6a402d66689e23/html5/thumbnails/39.jpg)
Black Box Scanning Demos
Recap: Application Security
• SANS Top 20, OWASP Top 10
  – Cross-site Request Forgery (XSRF)
  – URL, Parameter tampering
  – Path, Header manipulation
  – Cross-site Scripting (XSS)
  – HTTP Response Splitting
  – Command Injection
  – Cookie poisoning
  – Session hijacking
  – Open redirects
  – SQL Injection
Recap: Application Security
• SQL Injection:
  – Maliciously reconstruct parameterised SQL in order to make the system do what it was not intended to
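The slide's definition as an added example (not the author's 2006 tool or any code from the talk): the same user lookup written once with string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table, plus the differential check a black-box tester automates to tell the two apart. The table, its rows and the `nobody` probe name are constructed for this demonstration.

```python
"""SQL injection recap: the same user lookup built by string concatenation and
with a bound parameter, run against an in-memory SQLite table. Added example,
not the talk's tool; the table and its rows are constructed for this demo."""
import sqlite3
from typing import Callable, List, Tuple

Lookup = Callable[[sqlite3.Connection, str], List[Tuple[str, str]]]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Vulnerable: the input is pasted into the SQL text, so a quote in it ends
    the literal and whatever follows is parsed as SQL (the slide's 'maliciously
    reconstructed' statement)."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Hardened: the statement shape is fixed when it is parsed; the input is
    bound as data and cannot change the WHERE clause."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A name that matches no row, with a tautology appended after a closing quote.
TAUTOLOGY_PROBE = "nobody' OR '1'='1"


def detect_injection(conn: sqlite3.Connection, lookup: Lookup) -> bool:
    """Differential check a black-box tester can automate: the bare name must
    return no rows; if the probe version returns rows, the quote reached the
    SQL text unescaped and the lookup is injectable."""
    baseline = lookup(conn, "nobody")
    probed = lookup(conn, TAUTOLOGY_PROBE)
    return len(baseline) == 0 and len(probed) > 0


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenation", lookup_concat), ("parameter", lookup_param)):
        print(f"{name:14} rows for probe: {len(fn(db, TAUTOLOGY_PROBE))}"
              f"  injectable: {detect_injection(db, fn)}")
```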
Black Box Scanning Demos
• My own SQL injection testing tool, circa 2006
• w3af – open source web application vulnerability scanner
White Box Scanning Demo
• Eclipse plugins:
  – Lapse+
  – FindBugs
  – Google AnalytiX
Lapse+
• Tests for known causes of: Parameter Tampering, URL Tampering, Header Manipulation, Cookie Poisoning, SQL Injection, Cross-site Scripting (XSS), HTTP Response Splitting, Command Injection, Path Traversal, XPath Injection, XML Injection, LDAP Injection.
• Vulnerability Source: points in the code where untrusted data enters and an injection attack can originate.
• Vulnerability Sink: points that can propagate the attack and manipulate the behaviour of the application.
• Provenance Tracker: checks whether a source can be reached from a sink through backward propagation; if it can, we have a security vulnerability.
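A toy version of the source / sink / provenance-tracker approach described above, added here and not Lapse+ code: a nine-statement Java-like method is flattened to single calls, and each sink argument is walked backward to see whether it originates at a source. The program, the source/sink lists and the `concat` pseudo-call are constructed for the demonstration; the sanitizer set is this toy's own addition, not something the slide describes.

```python
"""Toy provenance tracker in the spirit of Lapse+: backward propagation from
each sink to decide whether untrusted input can reach it. Added example, not
Lapse+ code; PROGRAM, SOURCES, SINKS, SANITIZERS and the 'concat' pseudo-call
are all constructed for this demonstration."""
from collections import namedtuple
from typing import Dict, List, Optional, Set

# One statement per line of a Java-like method, flattened to a single call.
# target is the assigned variable (None for a bare call); args are variable
# names or string literals (anything starting with a double quote).
Stmt = namedtuple("Stmt", "target call args")

SOURCES = {"request.getParameter", "request.getHeader"}  # untrusted data enters
SINKS = {"stmt.executeQuery", "response.sendRedirect"}   # behaviour is manipulated
SANITIZERS = {"Integer.parseInt"}  # toy addition: result no longer carries taint

PROGRAM = [
    Stmt("id",     "request.getParameter", ['"id"']),
    Stmt("prefix", "concat", ['"SELECT * FROM orders WHERE id="']),
    Stmt("query",  "concat", ["prefix", "id"]),          # raw id flows into SQL text
    Stmt("safeId", "Integer.parseInt", ["id"]),           # sanitised copy of id
    Stmt("query2", "concat", ["prefix", "safeId"]),
    Stmt(None,     "stmt.executeQuery", ["query"]),       # SQL injection: tainted
    Stmt(None,     "stmt.executeQuery", ["query2"]),      # clean
    Stmt("target", "request.getHeader", ['"Referer"']),
    Stmt(None,     "response.sendRedirect", ["target"]),  # open redirect: tainted
]


def definitions(program: List[Stmt]) -> Dict[str, int]:
    """Map each variable to the index of the statement defining it (single assignment)."""
    return {s.target: i for i, s in enumerate(program) if s.target is not None}


def trace_back(program: List[Stmt], defs: Dict[str, int], var: str,
               path: List[str], visited: Set[str]) -> Optional[List[str]]:
    """Backward propagation: does the value of `var` originate at a source?
    Returns the chain sink-argument <- ... <- variable <- source call, or None."""
    if var.startswith('"') or var in visited:
        return None                      # literal, or already explored
    visited.add(var)
    if var not in defs:
        return None                      # not defined here: untracked, no claim
    stmt = program[defs[var]]
    if stmt.call in SANITIZERS:
        return None                      # trusted after sanitisation
    if stmt.call in SOURCES:
        return path + [var, stmt.call]   # reached a source: vulnerability
    for arg in stmt.args:
        found = trace_back(program, defs, arg, path + [var], visited)
        if found:
            return found
    return None


def find_vulnerabilities(program: List[Stmt]) -> List[Dict]:
    """Run the provenance check on every sink; one finding per tainted argument."""
    defs = definitions(program)
    findings = []
    for i, s in enumerate(program):
        if s.call not in SINKS:
            continue
        for arg in s.args:
            chain = trace_back(program, defs, arg, [], set())
            if chain:
                findings.append({"line": i + 1, "sink": s.call, "path": chain})
    return findings


if __name__ == "__main__":
    for f in find_vulnerabilities(PROGRAM):
        print(f"line {f['line']}: {f['sink']} <- " + " <- ".join(f["path"]))
```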
What can we really do about it?
• You, as a tester, can probably do very little about it
  – Must have a mandate
  – Must have permission
  – Socialise the fact that you want to do security testing
• Myriad of tools, most are targeted at Linux ¯\_(ツ)_/¯
• Don’t “run a scanner” and send a report and expect to be entertained if you cannot interpret the results and possibly advise remedies for the findings
• Like performance testing, it is very technical and complex
• Lends itself well to in-scrum testing
Resources
• The Wolfpack report: www.wolfpackrisk.com/research/south-african-cyber-threat-barometer/
• Acunetix Web Application Vulnerability Report: www.acunetix.com/acunetix-web-application-vulnerability-report-2016/
• ISECOM: www.isecom.org
  – OSSTMM, HHS
• OWASP: www.owasp.org
  – Top 10 list of web application vulnerabilities
  – Software Assurance Maturity Model
  – Tools, deliberately vulnerable apps, methodologies, community etc.
Resources Cont.
• National Institute of Standards and Technology: http://csrc.nist.gov
• Web Application Security Consortium: www.webappsec.org/
• SANS Institute: www.sans.org
• MITRE Common Weakness Enumeration: http://cwe.mitre.org
• sectooladdict.blogspot.com
Conclusion
• Positioning Security Testing
• Infosec in South Africa
• Threats
• Significance of Threats
• Security Testing overview
• Demos
• Resources
Images attribution
• ITWeb.co.za
• timeslive.co.za
• ISECOM.org
• SANS.org
• OWASP.org
• w3schools.com
• xkcd.com