CISSP Domain 6 Refresh: Security Assessment and Testing
When just one exploited vulnerability can spell disaster for an organization’s brand, security assessments and software testing are a vital pillar of any information security program. A significant part of a CISSP professional’s skill set, understanding how to design, perform, and act on the results of a security test and when they should be applied can be the lynchpin in an organization’s ability to have a secure operating environment. In this CISSP Domain 6 refresh, we will cover the two main types of security assessments – testing software and enterprise security assessments – and review the fundamental concepts and tools that may need some dusting off.
Organizational Security Assessment and Testing
Security assessments and tests provide a holistic view of an organization’s security tools and their effectiveness. These enterprise-level security assessments can be further defined into two sub-categories: access control tests and security assessments. Access control tests encompass a number of processes and methods that assess how strong an organization’s access control systems and rules work and include the following disciplines: vulnerability scanning, penetration testing, and security audits.
Access Control Tests
Penetration tests focus on one or several targets, such as internal network infrastructure, web applications, facilities, and wireless configurations with the goal of obtaining access within an organization’s physical or electronic perimeter. Operating with the authorization of an organization’s management, the penetration testers, or white hat hackers, probe for vulnerabilities using open and closed source tools and a range of virtual and social engineering-based attacks to find them before black hat hackers do. Penetration testers follow a defined methodology of planning, reconnaissance, scanning, assessing vulnerabilities, exploiting, and reporting their results all while maintaining the confidentiality of their work and the integrity of the data and systems they are evaluating.
A vulnerability scan tests a network or system against a set of known vulnerabilities, usually from unpatched software, misconfigured settings, or system defects. Testers utilize tools such as OpenVAS or Nessus to identify known vulnerabilities in systems, which allow an organization to view their level of risk and threats and prioritize them for remediation if desired.
A security audit is often the result of an organization having to comply with a standard such as Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI-DSS), but they can also be done against other published frameworks. These audits can be completed or facilitated by outside auditors or completed as a part of a larger continuous improvement program.
Organizational Security Assessments
While vulnerability scanning, penetration testing, and security audits evaluate the security posture of a particular system or aspect of an organization, a security assessment is a holistic approach to understanding the effectiveness of the access control methods in place. By broadening the lens of the security assessment not just to include technical components, an organization’s policies, procedures, and other administrative controls come into scope for a more comprehensive security evaluation.Security professionals often play a critical role in these assessments by reviewing system logs, leading policy audits, and evaluating processes for compliance or vulnerabilities, such as adherence to change management.
Long an afterthought, security professionals are increasingly playing a key role in the software development lifecycle. In addition to testing the security and stability of custom developed applications, security professionals often take the lead in identifying programming errors that could lead to new attack vectors. While three approaches are emphasized in the CISSP materials, two are used to discover programming errors more often by security professionals – static and dynamic analysis – while manual code review (i.e., paired programming) is typically integrated into the development process. Synthetic transactions, fuzzing, misuse case testing, and including several software testing levels or iterations are also important software assessment methods.
Static and Dynamic Testing
Static code testing involves reviewing the software’s code while it isn’t running, reviewing for errors in syntax or performing walkthroughs of the programmed logic. Several static analysis tools are available to assist with identifying common errors or broken functions, libraries, or insecure practices, but dynamic testing introduces additional layers of testing by evaluating the code while is it running to reveal additional flaws that may not otherwise be identified. Both static and dynamic testing complement one another.
Synthetic transactions involve building automated or manual scripts to simulate the normal activities an application can be expected to perform. These transactions can be used to not only probe for errors or weaknesses, but they can also allow an organization to establish performance baselines to be used for comparative purposes to evaluate changes or create alerts if transactions run outside of established boundaries.
Software Testing Levels
Testing software from multiple perspectives allows an organization to understand better how well an application performs and how it will impact the larger enterprise environment. Unit testing tests software components or processes one at a time while Integration testing tests multiple pieces together as a larger working system. Installation testing evaluates how well the software facilitates the installation processes and its set-up while Regression testing tests software after new updates, modifications, or patches are applied to identify unintended consequences. Finally, User Acceptance testing ensures software meets the customer’s requirements, resulting in direct sign-off.
Fuzzing involves submitting random, error-filled data as inputs into software to make it crash. Often facilitated with tools to maximize a high level of inputs, applications that hang or crash can signal larger development errors, or security vulnerabilities are present, such as buffer overflow or boundary checking issues.
Misuse Case Testing
Similar to synthetic testing, misuse case testing involves purposefully stressing an application with the sole goal of simulating real attacks. Also known as a part of threat modeling, misuse case testing can help a development team understand what vulnerabilities are present in an application and what security impacts they may have.
Security professionals need to be well-versed in a range of security assessment and software testing methods to provide their organizations with an accurate view of their security posture. Taking the time to refresh yourself on the key components, methods, and tools of this important CISSP Domain not only sharpens your focus, but it is also a reminder of how each day security professionals can live up to the (ISC)^2 Code of Ethics of serving their stakeholders.