It seems like there are a lot of different kinds of security testing techniques. Can you explain some of the common ones?
Security testing is truly a cross-disciplinary function, requiring a tester’s mindset, along with process, engineering and networking skills. Some key techniques and required skills include:
- Threat modeling: this is the process of breaking an application into its components, and then analyzing the security risks as data crosses trusted boundaries. Threat modeling is in and of itself a new skill; very few project managers, engineers or security analysts have this skill. There are a number of great articles available on the Web, as well as a few books which will help you gain experience in conducting a successful threat model.
- Network penetration testing: network pen testing is the process of reviewing networking configurations to ensure the maximum protection of an application and its environment. Understanding how network traffic is passed between client and server, how networks are designed and segmented, and how traffic can and should be analyzed before delivery are key network engineering skills a successful network penetration test requires.
- Application penetration testing: in times past, the way to hack an application was to slip in through an open port on a misconfigured network. Now most companies have locked their networks down, so attacks have become more complex. Applications themselves are the target of attacks, and a good penetration tester must understand how to carry out the advanced cross-site scripting, SQL injection and related attacks. OWASP's Top Ten site is a great resource for learning how to conduct this form of security testing.
- Application configuration testing: secure cookies, HttpOnly, file handlers… these are all elements of the application environment which need to be understood and validated for an application to be fully secure. Often these configuration settings are implemented independently of how the application was coded. Becoming familiar with hardening the most popular web servers (Tomcat, IIS) is a crucial skill for the penetration tester.
- Code review and secure engineering: finally, a good security tester should understand how to conduct code reviews and evaluate code implementation. This is a skill which is developed over a long time, although there are a number of great Web-based resources to kick-start the process.
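As an added illustration of the configuration testing described above (example code, not from the original answer): a small checker that parses the Set-Cookie headers of a captured response and reports cookies missing the Secure or HttpOnly attributes. It goes slightly beyond the text by also flagging cookies without SameSite=Lax/Strict, a later attribute that a present-day review would include; the sample headers are constructed.

```python
# Audit Set-Cookie headers for the flags a configuration review checks:
# HttpOnly (not readable by page scripts), Secure (HTTPS only) and SameSite.

def parse_set_cookie(header_value: str) -> tuple[str, dict]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]          # value may itself contain '='
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_set_cookie(header_value: str, over_https: bool = True) -> list:
    """Return the list of findings for one Set-Cookie header (empty = ok)."""
    _, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    if over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie also sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    return findings


def audit_response_headers(headers: list, over_https: bool = True) -> dict:
    """Map each cookie name in a response to its findings."""
    report = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, _ = parse_set_cookie(value)
            report[cookie] = check_set_cookie(value, over_https)
    return report


# Constructed sample response headers, as an HTTP client would capture them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "prefs=theme=dark; Path=/"),
    ("Set-Cookie", "tracker=1; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for cookie, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```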
By bringing all of these aspects of security together, a penetration tester begins to stand out amongst her peers. More importantly, these practices provide the holistic security which is required in today’s dangerous Web environment.
This was first published in March 2011