Security Control Testing and the CISSP

July 6, 2017 by Infosec

In this article we look at different security control testing methods which, if planned and used properly, strengthen the controls in place and help with risk mitigation.

Below are some of the popular security control testing mechanisms:

Log Reviews

Logs contain information about specific events generated by many sources, such as operating systems, antivirus, IDS/IPS and firewalls. Different organizations have different sets of data sources, and log volume differs accordingly. Log analysis is therefore an important testing mechanism for making sure that all controls are working as they should. Logs are also very useful in forensics and investigations. Below is a standard set of log management operational processes:

  • Monitoring the logging status of all log sources such as OS, IDS/IPS etc.
  • Feeding logs to a SIEM solution and developing correlation rules across them.
  • Documentation of log sources, settings, configurations etc.
  • Monitoring log rotation and archival processes.
  • Upgrading the log management solution.

Below is some of the information most often retrieved from log sources:

  • Successful and failed account login and logout activities.
  • New process creation and privilege escalation activities.
  • Application shutdown, startup, configuration and similar logs.
  • Client and server interaction logs, which are very useful for reconstructing the complete sequence of events.
  • Number of transactions within a certain period.
  • Any attempt to modify the log files themselves.
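The following is an added example, not code from the article: a small log review pass over constructed syslog-style lines that picks out the event types listed above (failed and successful logins, privilege escalation via sudo, and an attempt to modify a log file). The line formats and the sample lines are assumptions made for the example, not any particular product's format.

```python
"""Added example (not from the article): a log review pass over constructed
syslog-style lines. The line formats below are an assumption for the example,
not any particular product's format."""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real data); IPs are from documentation ranges.
SAMPLE_LOG = """\
Jul 06 10:01:02 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jul 06 10:01:04 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jul 06 10:01:06 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51236 ssh2
Jul 06 10:01:09 web01 sshd[1203]: Accepted password for deploy from 198.51.100.5 port 40000 ssh2
Jul 06 10:02:11 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jul 06 10:03:30 web01 auditd[400]: file /var/log/auth.log modified by uid=1001 op=truncate
"""

# One pattern per event type the article lists: failed/successful logins,
# privilege escalation, and attempts to modify the log files themselves.
FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO = re.compile(r"sudo: (?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
LOG_TAMPER = re.compile(r"file (?P<path>/var/log/\S+) modified by uid=(?P<uid>\d+)")


def review_log(text, fail_threshold=3):
    """Return a list of findings (tuples whose first element is the finding type)."""
    failed_by_ip = Counter()
    failed_users = defaultdict(set)
    findings = []
    for line in text.splitlines():
        if m := FAILED.search(line):
            failed_by_ip[m["ip"]] += 1
            failed_users[m["ip"]].add(m["user"])
        elif m := ACCEPTED.search(line):
            findings.append(("login_success", m["user"], m["ip"]))
        elif m := SUDO.search(line):
            findings.append(("privilege_escalation", m["user"], m["target"], m["cmd"]))
        elif m := LOG_TAMPER.search(line):
            findings.append(("log_tampering", m["path"], m["uid"]))
    # Repeated failures from one source are reported once, with the accounts tried.
    for ip, n in failed_by_ip.items():
        if n >= fail_threshold:
            findings.append(("repeated_login_failures", ip, n, sorted(failed_users[ip])))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

In practice the same patterns would be expressed as SIEM correlation rules; the threshold for repeated failures is the kind of setting the log management documentation should record.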

Since logs can contain sensitive information, proper access controls should be built around them to restrict access. Organizations also need to protect the availability of their logs, both recent and archived, and proper log retention policies should be defined for them according to the compliance regime followed.

To effectively use logs as a security control mechanism, organizations must:

  • Prioritize log management by defining requirements and goals for logging and monitoring, including those derived from applicable regulations.
  • Create and maintain a secure log management infrastructure that preserves the integrity and confidentiality of the logs. The infrastructure should also be scalable enough to meet the needs of a growing number of log sources.
  • Establish proper policies and procedures for log management to ensure a consistent approach throughout the organization. Periodic audits are an excellent way to confirm that logging standards and guidelines are being met.
  • Train their staff in log management by providing technical guidance and tools, and make them understand the implications of a failed log management process.

Synthetic Transactions

Before discussing synthetic transactions, let's talk about Real User Monitoring (RUM), which is used to monitor and analyze every transaction of every user of a website. There are two types of RUM techniques:

  • Bottom-up: relies on capturing server-side information to reconstruct the end-user experience.
  • Top-down: directly observes how an end user interacts with the website and provides ways to optimize application performance.

Synthetic transactions, on the other hand, do not monitor user sessions. Instead they are precompiled checks that monitor the status of an application. For example, Selenium scripts are used to imitate user actions and report the status of a piece of functionality. These scripts can be reused as long as the website's data does not change. They measure uptime and provide confidence that, if the scripts are running successfully, the site is up. Below are some uses:

  • Website monitoring: synthetic transactions are used to perform HTTP requests and measure performance.
  • Database monitoring: synthetic transactions are used to monitor the availability of a database.
  • TCP port monitoring: a website's ports can be monitored using synthetic transactions.
  • Complementing RUM by synthetically monitoring availability during different traffic patterns.
  • Analyzing performance across geographies.
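As an added example (not code from the article), here is a minimal synthetic monitor covering two of the uses above: an HTTP check that judges status, body content and latency together, and a plain TCP port check. So that it runs offline, the block starts a local stand-in web server with a `/health` endpoint; that server and endpoint are assumptions made for the example.

```python
"""Added example (not from the article): synthetic HTTP and TCP checks against
a constructed local stand-in for the monitored website."""
import http.server
import socket
import threading
import time
import urllib.error
import urllib.request


class _Handler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the monitored site: only /health answers 200."""
    def do_GET(self):
        body, status = (b"OK", 200) if self.path == "/health" else (b"not found", 404)
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example's output quiet
        pass


def start_test_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)  # port 0: OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def http_check(url, expect_status=200, expect_body=None, timeout=2.0, max_latency=2.0):
    """One synthetic HTTP transaction; status, body content and latency all form the verdict."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as e:          # non-2xx still counts as "reachable"
        status, body = e.code, e.read()
    except (urllib.error.URLError, OSError) as e:  # refused, DNS failure, timeout
        return {"up": False, "reason": f"connection failed: {e}"}
    latency = time.monotonic() - start
    ok = (status == expect_status
          and (expect_body is None or expect_body in body)
          and latency <= max_latency)
    return {"up": ok, "status": status, "latency_s": round(latency, 4)}


def tcp_port_check(host, port, timeout=2.0):
    """Synthetic TCP check: can a connection be completed at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_synthetic_checks(host, port, max_latency=2.0):
    base = f"http://{host}:{port}"
    return {
        "tcp": tcp_port_check(host, port),
        "health": http_check(f"{base}/health", expect_body=b"OK", max_latency=max_latency),
        "missing": http_check(f"{base}/does-not-exist", max_latency=max_latency),
    }


if __name__ == "__main__":
    srv = start_test_server()
    print(run_synthetic_checks(*srv.server_address))
    srv.shutdown()
    srv.server_close()
```

The `missing` probe is deliberately expected to fail: a check that only asks "did I get any HTTP answer" would report the site healthy when a deployment has broken a route, which is why the expected status and body are part of the verdict.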

Code Review & Testing

The next testing activity is code review, since every attack exploits some malfunctioning or vulnerable code. Code review and testing should be done before the code is put into production, as later fixes are costlier. Code can be attacked in various ways:

  • Poor checking of user-influenced data, which can lead to attacks like SQL injection.
  • Misconfiguration of security standards, such as broken ciphers.
  • Logical flaws in the code that can lead to authentication bypass.

Before discussing testing techniques at the various stages of an application's life cycle, let's first understand some important differences between common testing approaches:

  • Dynamic vs. static testing: static testing analyzes a system without executing it, whereas dynamic testing is done on a system under execution.
  • Black box vs. white box: in white box testing, the source code is available for review, whereas in black box testing no internal details are provided.
  • Manual vs. automated: in automated testing, tools perform the testing, whereas in manual testing the test scenarios are guided by a human.

During the application development stage, the following testing techniques are available:

  • Static source code analysis: used to find vulnerabilities without executing the application. It also helps to detect outdated binaries, misconfigurations etc.
  • Static binary code analysis: used to find vulnerabilities in the compiled application without executing it.
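The following added example (not code from the article) ties together the first item in the list of code-level attacks, poor checking of user-influenced data leading to SQL injection, and the static source code analysis technique above. It shows the defect a reviewer looks for next to its fixed form, and a toy static check that walks the Python syntax tree and flags `execute()` calls whose SQL text is assembled at run time. The sqlite3 table, its rows and the review snippet are constructed for the example.

```python
"""Added example (not from the article): the kind of defect a code review looks for,
its fixed form, and a toy static source code analysis that flags the pattern.
sqlite3 stands in for the application's database; the table and rows are constructed."""
import ast
import sqlite3


def make_db():
    # Constructed in-memory data for the example
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, username):
    # Review finding: user-influenced data is pasted into the statement text,
    # so the database parses the input as SQL.
    return conn.execute(
        f"SELECT username, role FROM users WHERE username = '{username}'").fetchall()


def find_user_fixed(conn, username):
    # Fix: bind the value as a parameter; it is never parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


def flag_dynamic_sql(source):
    """Toy static check over Python source: report the line number of every
    execute()/executemany() call whose SQL argument is built at run time
    (f-string, '+' or '%' on strings, or str.format)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            continue
        sql = node.args[0]
        dynamic = (isinstance(sql, (ast.JoinedStr, ast.BinOp))
                   or (isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
                       and sql.func.attr == "format"))
        if dynamic:
            findings.append(node.lineno)
    return findings


# Constructed snippet for the static check: lines 3 and 7 are the findings.
REVIEW_SNIPPET = '''
def lookup(conn, name):
    return conn.execute("SELECT * FROM t WHERE n = '" + name + "'")
def lookup_ok(conn, name):
    return conn.execute("SELECT * FROM t WHERE n = ?", (name,))
def lookup_fmt(conn, name):
    return conn.execute("SELECT * FROM t WHERE n = '%s'" % name)
'''

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # the textbook input a reviewer uses to confirm the finding
    print("vulnerable:", find_user_vulnerable(db, probe))  # returns every row
    print("fixed:     ", find_user_fixed(db, probe))       # returns no rows
    print("static findings at lines:", flag_dynamic_sql(REVIEW_SNIPPET))
```

A real static analyzer also follows the SQL string through variable assignments and helper functions; the toy check only looks at the argument expression itself, which is enough to show why parameter binding, not input filtering, is the fix a reviewer should ask for.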

During the execution phase, the following testing techniques are available:

  • Manual or automated pen test: testing that imitates an attacker's actions to identify a wide range of vulnerabilities in a deployed application.
  • Automated vulnerability scanner: use of a vulnerability scanner to identify well-known vulnerabilities.
  • Fuzz testing: more data than expected is sent to the application to detect application crashes.

Code-based testing is also known as white box testing or structural testing. Common structural coverage metrics include:

  • Statement coverage: test cases execute each statement at least once.
  • Condition coverage: test cases make each condition in the program take on all possible outcomes at least once.
  • Loop coverage: test cases exercise as many iterations as specified in the program, covering initialization, typical and boundary conditions.
  • Path coverage: test cases execute each path from the start to the exit of a defined program at least once.
  • Data flow coverage: test cases execute each data flow at least once.
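As an added example (not code from the article), the block below makes the difference between statement coverage and condition coverage concrete. It measures statement (line) coverage of a small constructed function with `sys.settrace`, then records which outcomes each atomic condition of that function took, honouring short-circuit evaluation. Two test cases reach 100% statement coverage yet leave one condition outcome untested; a third case is needed. The function under test and the hand-written condition instrumentation are assumptions made for the example.

```python
"""Added example (not from the article): statement coverage vs. condition coverage
on a constructed function, measured with sys.settrace."""
import dis
import sys


def classify_request(size, authenticated):
    """Constructed function under test (not from the article)."""
    if size > 1000 and authenticated:
        verdict = "large-allowed"
    else:
        verdict = "default"
    return verdict


def executed_lines(func, *args):
    """Line numbers of func's body executed by one call, captured with sys.settrace."""
    code = func.__code__
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None          # ignore frames of other functions
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        func(*args)
    finally:
        sys.settrace(None)
    return lines


def executable_lines(func):
    """Every line of func that has bytecode, excluding the 'def' line itself."""
    code = func.__code__
    return {ln for _, ln in dis.findlinestarts(code)
            if ln is not None and ln != code.co_firstlineno}


def statement_coverage(func, cases):
    """Fraction of func's executable lines hit by the given argument tuples."""
    hit = set()
    for args in cases:
        hit |= executed_lines(func, *args)
    total = executable_lines(func)
    return len(hit & total) / len(total)


def condition_outcomes(cases):
    """Outcomes each atomic condition of classify_request actually took. 'and'
    short-circuits, so 'authenticated' is only evaluated when size > 1000 holds."""
    seen = {"size > 1000": set(), "authenticated": set()}
    for size, authenticated in cases:
        first = size > 1000
        seen["size > 1000"].add(first)
        if first:
            seen["authenticated"].add(bool(authenticated))
    return seen


def condition_coverage_complete(cases):
    return all(v == {True, False} for v in condition_outcomes(cases).values())


if __name__ == "__main__":
    cases = [(2000, True), (10, False)]
    print("statement coverage:", statement_coverage(classify_request, cases))  # 1.0
    print("condition coverage complete:", condition_coverage_complete(cases))  # False
    print("with (2000, False):", condition_coverage_complete(cases + [(2000, False)]))  # True
```

The untested outcome (a large request from an unauthenticated caller) is exactly the case an access-control bug would hide in, which is why structural metrics beyond statement coverage matter for security-relevant code.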


Negative Testing

This type of testing ensures that the application handles invalid or unexpected user input. It improves the quality of testing as a whole; in negative testing, exceptions are expected. Some negative testing scenarios are:

  • Testing required fields: some applications declare certain fields as mandatory and require them to be filled in. A negative test is to exercise the application's functionality without filling them in.
  • Testing field length and type: negative testing can also check that a field enforces its specified length and matches its expected data type.
  • Testing input field escaping: the classic example is a SQL injection vector, which should be tested to see what escaping is performed on the input field.
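The following added example (not code from the article) turns the three scenarios above into a small negative test suite: a constructed form schema with required, length-limited and typed fields, a validator, and an output-encoding step, plus a set of constructed negative cases that each must be rejected with a specific reason. The schema, field names and test cases are assumptions made for the example.

```python
"""Added example (not from the article): negative tests for required fields,
field length and type, and escaping, against a constructed form schema."""
import html
import re

SCHEMA = {  # constructed form definition for the example
    "username": {"required": True, "type": str, "max_len": 16, "pattern": r"^[A-Za-z0-9_.'-]+$"},
    "age":      {"required": False, "type": int, "min": 0, "max": 150},
    "email":    {"required": True, "type": str, "max_len": 254, "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
}


def validate(form):
    """Return a list of (field, problem) tuples; an empty list means the submission is acceptable."""
    errors = []
    for name, rule in SCHEMA.items():
        if name not in form or form[name] in ("", None):
            if rule["required"]:
                errors.append((name, "required"))
            continue
        value = form[name]
        if rule["type"] is int:
            # bool is a subclass of int in Python, so reject it explicitly
            if isinstance(value, bool) or not isinstance(value, int):
                errors.append((name, "type"))
                continue
            if not rule["min"] <= value <= rule["max"]:
                errors.append((name, "range"))
        else:
            if not isinstance(value, str):
                errors.append((name, "type"))
                continue
            if len(value) > rule["max_len"]:
                errors.append((name, "length"))
            elif not re.match(rule["pattern"], value):
                errors.append((name, "format"))
    return errors


def render_profile(form):
    """Output encoding: anything echoed back to the browser is HTML-escaped."""
    return f"<p>Welcome, {html.escape(form['username'])}</p>"


# Constructed negative test cases: each submission must be rejected with exactly these reasons.
NEGATIVE_CASES = {
    "missing_required": ({"age": 30}, [("username", "required"), ("email", "required")]),
    "too_long": ({"username": "a" * 17, "email": "a@b.co"}, [("username", "length")]),
    "wrong_type": ({"username": "bob", "age": "30", "email": "a@b.co"}, [("age", "type")]),
    "sql_metacharacters": ({"username": "bob' OR 1=1", "email": "a@b.co"}, [("username", "format")]),
}


def run_negative_tests():
    """Map each case name to True when the validator produced the expected rejection."""
    return {name: validate(form) == expected for name, (form, expected) in NEGATIVE_CASES.items()}


if __name__ == "__main__":
    for name, passed in run_negative_tests().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
    print(render_profile({"username": "O'Brien"}))  # apostrophe escaped on output
```

Note that a legitimate value containing an apostrophe (`O'Brien`) passes validation and is escaped only at the output boundary; rejecting every quote character at the input field would break valid data and still not be a substitute for parameterized queries on the database side.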

Interface Testing

Interface testing is one of the most important testing types for assuring software quality. It helps determine whether the functions between different elements work as expected. Some of the important checks in interface testing evaluate:

  • Whether all errors are handled properly.
  • Compatibility of software, hardware etc.
  • Whether communication between the different tiers (web tier, application tier, DB tier) is happening properly.
  • For external interfaces:
    • Compatibility with different browsers.
    • In case of service unavailability, all error paths should be tested.
  • For internal interfaces:
    • Behaviour on a browser crash.
    • In case of a broken connection, how the application maintains state, integrity and transactions.
    • Error handling during functions like copy/paste, download etc.
    • Website functionality without plugins.
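As an added example (not code from the article), the block below tests the internal-interface check on a broken connection between the application tier and the DB tier: a wrapper drops the "link" after a configurable number of statements in the middle of a two-step transfer, and the test confirms that the application reports a clean error and that the ledger is left consistent. The ledger table, the `FlakyDB` wrapper and the simulated failure are assumptions made for the example; sqlite3 stands in for the DB tier.

```python
"""Added example (not from the article): interface test of transaction integrity
when the connection to the DB tier breaks mid-operation."""
import sqlite3


class ConnectionDropped(Exception):
    """Simulated loss of the connection to the DB tier (constructed for the example)."""


class FlakyDB:
    """Wraps an sqlite3 connection and drops the 'link' after fail_after statements."""
    def __init__(self, conn, fail_after=None):
        self.conn = conn
        self.fail_after = fail_after
        self.count = 0

    def execute(self, sql, params=()):
        self.count += 1
        if self.fail_after is not None and self.count > self.fail_after:
            raise ConnectionDropped("DB tier unreachable")
        return self.conn.execute(sql, params)


def make_ledger():
    # Constructed data; isolation_level=None gives explicit BEGIN/COMMIT control
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return conn


def transfer(db, src, dst, amount):
    """Application-tier operation: both updates commit together or not at all.
    Returns a (status, message) tuple instead of leaking a raw exception to the caller."""
    try:
        db.execute("BEGIN")
        db.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
        db.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
        db.execute("COMMIT")
        return ("ok", "transfer committed")
    except ConnectionDropped as e:
        # In this simulation the underlying connection still exists, so the partial
        # work can be rolled back explicitly; a real server discards an uncommitted
        # transaction when the client connection is lost.
        if db.conn.in_transaction:
            db.conn.execute("ROLLBACK")
        return ("error", f"transfer aborted: {e}")


def balances(conn):
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name").fetchall())


if __name__ == "__main__":
    conn = make_ledger()
    print(transfer(FlakyDB(conn), "alice", "bob", 30), balances(conn))
    # Link drops after the debit but before the credit: nothing may be left half-applied.
    print(transfer(FlakyDB(conn, fail_after=2), "alice", "bob", 30), balances(conn))
```

The check a tester wants here is the pair of assertions, not the error message: the caller gets a defined error result, and the sum of balances is the same before and after the failed call.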

In this article we have seen different testing types and their common scenarios, which must be carried out to ensure software quality.
