Software Security Testing

By
Vinay Srinivasan (Tech Lead)
srinivasan_vinay@yahoo.com
vinay.srinivasan@techmahindra.com
cell: +91 9823104620

Working at
Testing Center of Excellence Laboratory,
TechMahindra, Pune
Secure Software
- Confidentiality
    - Disclosure of information only to intended parties
- Integrity
    - Determine whether the information is correct or not
- Data Security
    - Privacy
    - Data Protection
    - Controlled Access
- Authentication
    - Access to Authorized People
- Availability
    - Ready for use when expected
- Non Repudiation
    - Information exchange with proof
Software Security
- Security of Operating System
- Security of Client Software
- Security of Application Software
- Security of System Software
- Security of Database Software
- Security of Software Data
- Security of Client Data
- Security of System Data
- Security of Server Software
- Security of Network Software
Why Security Testing
- For finding Loopholes
- For zeroing in on Vulnerabilities
- For identifying Design Insecurities
- For identifying Implementation Insecurities
- For identifying Dependency Insecurities and Failures
- For Information Security
- For Process Security
- For Internet Technology Security
- For Communication Security
- For Improving the System
- For confirming Security Policies
- For Organization-wide Software Security
- For Physical Security
Approach to Software Security Testing
- Study of Security Architecture
- Analysis of Security Requirements
- Classifying Security Testing
- Developing Objectives
- Threat Modeling
- Test Planning
- Execution
- Reports
Security Testing Techniques
- OS Hardening
    - Configure and Apply Patches
    - Updating the Operating System
    - Disable or Restrict unwanted Services and Ports
    - Lock Down the Ports
    - Manage the Log Files
    - Install Root Certificate
    - Protect from Internet Misuse and be Cyber Safe
    - Protect from Malware
- Vulnerability Scanning
    - Identify Known Vulnerabilities
    - Scan Intrusively for Unknown Vulnerabilities
Security Testing Techniques (continued…)
- Penetration Testing
    - Simulating Attack from a Malicious Source
    - Includes Network Scanning and Vulnerability Scanning
    - Simulates Attack from someone Unfamiliar with the System
    - Simulates Attack by having access to Source Code, Network, Passwords
- Port Scanning and Service Mapping
    - Identification and locating of Open Ports
    - Identification of Running Services
- Firewall Rule Testing
    - Identify Inappropriate or Conflicting Rules
    - Appropriate Placement of Vulnerable Systems behind Firewall
    - Discovering Administrative Backdoors or Tunnels
- SQL Injection
    - Exploits Database Layer Security Vulnerability
    - Unexpected Execution of User Inputs
Security Testing Techniques (continued…)
- Cross Site Scripting
    - Injecting Malicious Client Side Script into Web Pages
    - Persistent, Non-Persistent and DOM based Vulnerabilities
- Parameter Manipulation
    - Cookie Manipulation
    - Form Field Manipulation
    - URL Manipulation
    - HTTP Header Manipulation
- Denial of Service Testing
    - Flooding a target machine with enough traffic to make it unable to respond
- Command Injection
    - Inject and execute commands specified by the attacker
    - Execute System level commands through a Vulnerable Application
Security Testing Techniques (continued…)
- Network Scanning
    - Identifying Active Hosts on a network
    - Collecting IP addresses that can be accessed over the Internet
    - Collecting OS Details, System Architecture and Running Services
    - Collecting Network User and Group names
    - Collecting Routing Tables and SNMP data
- Password Cracking
    - Collecting Passwords from the Stored or Transmitted Data
    - Using Brute Force and Dictionary Attacks
    - Identifying Weak Passwords
- Ethical Hacking
    - Penetration Testing, Intrusion Testing and Red Teaming
- File Integrity Testing
    - Verifying File Integrity against corruption using Checksum
Security Testing Techniques (continued…)
- War Dialing
    - Using a Modem to dial a list of Telephone Numbers
    - Searching for Computers, Bulletin Board Systems and Fax Machines
- Wireless LAN Testing
    - Searching for existing WLANs and logging Wireless Access Points
- Buffer Overflow Testing
    - Overwriting memory fragments of the Process by exceeding the bounds of fixed-size (char type) Buffers
- Format String Testing
    - Supplying Format type specifiers in the Application input
- Random Data Testing
    - Random Data Inputs generated by a Program
    - Encoded Random Data included as Parameters
    - Crashing built-in code Assertions
Security Testing Techniques (continued…)
- Random Mutation Testing
    - Bit Flipping of known Legitimate Data
    - Byte stream Sliding within known Legitimate Data
- Session Hijacking
    - Exploitation of a Valid Computer Session
    - Exploitation of the Web Session control mechanism
    - Gaining unauthorized access to the Web Server
- Phishing
    - Masquerading as a trustworthy entity in an electronic communication
    - Acquiring usernames, passwords and credit card details
- URL Manipulation
    - Making a web server Deliver web pages that should not be accessible
    - URL Rewriting
Security Testing Techniques (continued…)
- IP Spoofing
    - Creating Internet Protocol (IP) packets with a forged source IP address
- Packet Sniffing
    - Capture and Analyze all of the Network traffic
- Virtual Private Network Testing
    - Penetration Testing
- Social Engineering
    - Psychological Manipulation of People
    - Divulging confidential information
Conclusion
- Analyze potential Threats and their Impact
- Complete Security Testing may not be Feasible
- Collect Information to Secure the Business Environment
- Should be done as early as possible in the Development Cycle
- Should be able to identify the Security Requirements
- Have a Specific understanding of the Various Processes
- Should provide Recommendations to overcome Weaknesses
Thank You

Contact Details

Email :
    vinay.srinivasan@techmahindra.com
    srinivasan_vinay@yahoo.com

Phone :
    +91-20-42250000 Extn : 253925 / 253926
    +91-20-66550000 Extn : 253925 / 253926
    +91-9823104620

Fax :
    +91-20-42252501
    +91-20-66552501