Vulnerability Testing Approach - PowerPoint PPT Presentation

1 / 33
About This Presentation
Title:

Vulnerability Testing Approach

Description:

Wikepedia 'Security testing techniques scour for vulnerabilities or security holes in ... These vulnerabilities leave applications open to exploitation. ... – PowerPoint PPT presentation

Number of Views:220
Avg rating:3.0/5.0
Slides: 34
Provided by: csBh
Category:

less

Transcript and Presenter's Notes

Title: Vulnerability Testing Approach


1
Vulnerability Testing Approach
  • Prepared By Phil Cheese
  • Nov 2008

2
Outline
  • Structure of Technology UK Security Team
  • Why we test
  • What we test
  • When we test
  • How we test
  • Demo of a unix platform test
  • Hot topics
  • Questions and Answers

3
UK Technology Security teams
Review New Systems
Vulnerability Testing
Security Monitoring Mail, Logs, IDS, Firewall
4
Definition
  • Penetration testing v Vulnerability testing ?
  • Wikepedia
  • Security testing techniques scour for
    vulnerabilities or security holes in
    applications. These vulnerabilities leave
    applications open to exploitation. Ideally,
    security testing is implemented throughout the
    entire software development life cycle (SDLC) so
    that vulnerabilities may be addressed in a timely
    and thorough manner. Unfortunately, testing is
    often conducted as anafterthought at the end of
    the development cycle.
  • Why ? test against standards, identify
    misconfigurations, old vunerable versions of
    software, test drive
  • Ethics Legality

5
Why testing
  • Preventing financial loss through fraud (hackers,
    extortionists and disgruntled employees) or
    through lost revenue due to unreliable business
    systems and processes.
  • Proving due diligence and compliance to your
    industry regulators, customers and shareholders.
    Non-compliance can result in your organisation
    losing business, receiving heavy fines, gathering
    bad PR or ultimately failing. Protecting your
    brand by avoiding loss of consumer confidence and
    business reputation.
  • vulnerability testing helps shape information
    security strategy through identifying
    vulnerabilities and quantifying their impact and
    likelihood so that they can be managed
    proactively budget can be allocated and
    corrective measures implemented.

6
Defining the scope
  • Full-Scale vs. Targeted Testing
  • Platform, Network, Database, Applications
  • Remote vs. Local Testing
  • In-house v outsourcing

7
Defense in depth
  • Network

8
www.vodafone.co.uk
Network elements e.g SGSNs, HLRs
Sun Solaris Application Server
Redhat Apache Web server
HP-UX Oracle DB
Windows File server
9
Nmap
10
Nessus
11
www.vodafone.co.uk
Network elements e.g SGSNs, HLRs
Sun Solaris Application Server
Redhat Apache Web server
HP-UX Oracle DB
Windows File server
12
Assuria Auditor Console
13
www.vodafone.co.uk
Network elements e.g SGSNs, HLRs
Sun Solaris Application Server
Redhat Apache Web server
HP-UX Oracle DB
Windows File server
14
NGS Squirrel
15
www.vodafone.co.uk
Network elements e.g SGSNs, HLRs
Sun Solaris Application Server
Redhat Apache Web server
HP-UX Oracle DB
Windows File server
16
Appscan
17
Backtrack
18
www.vodafone.co.uk
Network elements e.g SGSNs, HLRs
Sun Solaris Application Server
Redhat Apache Web server
HP-UX Oracle DB
Windows File server
Assuria CLI Remote test (Data Centre)
19
Remote platform vulnerability assessment using
Assuria Auditor workbench via the command line
  • It is better to voyage hopefully than to drive
    to Oldham
  • FTP and install scripts
  • Run scans
  • Copy off raw results files
  • Generate csv files
  • Import results into workbench
  • Review scan results
  • Producing reports
  • Agreeing remedial actions and re-testing

20
Log onto remote server
21
FTP onto a remote server
22
unzip tarball file
23

24
Areas checked by Initial policies
25
Run scans
26
FTP results back to desktop
27
Generate CSV files
28
Import into Workbench
29
Reconcile results
30
Filter results
31
Vulnerability testing - hot topics
  • PCI-DSS keeping Security vendor industry going!
  • https//www.pcisecuritystandards.org/
  • Appliances and automation keep your auditors
    happy
  • http//www.qualys.com/products/qg_suite/
  • http//www.ncircle.com/index.php?sproducts
  • Virtualisation and middleware vulnerabilities
    dont forgetem.
  • http//labs.mwrinfosecurity.com/
  • Exploitation tools Metasploit framework,
    Canvas, Core Impact. BEEF
  • http//www.metasploit.com/
  • http//www.immunitysec.com/
  • http//www.coresecurity.com/
  • http//www.bindshell.net/tools/beef

32
Conclusions
  • In depth, holistic approach to security testing
  • Testing needs to take place during the
    development lifecycle
  • Can be complex and time consuming
  • Outsource specialist testing to third party
    vendors
  • Commercial tools easy to maintain and use but can
    be expensive
  • A fool with a tool is still a fool
  • Results from tools need analysis and put into a
    business risk context

33
Any Questions ?
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Vulnerability Testing Approach" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!