This post serves as a review for the domain 6 of the CISSP. This domain covers security testing.
Before we start, here is a list that will help you navigate through the different sections of this domain review.
Assessment and Audit Perspectives
Assessment and audit can be performed from three different perspectives. Each has its pros and cons :
- Advantage : Familiarity with the environment.
- Disadvantage : Bias.
- It can be conducted before a required third-party audit.
- Advantage : Experience, no bias.
- Disadvantage : Expensive.
- It is used for compliance audits.
- When an organization wants to understand the details of the security status of a third-party.
Security Control Testing
First, determine the goals of the testing, and identify the scope.
Vulnerability testing can generate a lot of traffic. So, this impact should be considered before.
Review for false positives, and document all the findings.
There are two types of scans :
- Credentialed : The scanner has access to an account on the tested system that allows it to access parts of the system that are normally hidden to external entities.
- Uncredentialed : The scanner does not have access to an account on the tested system.
The testing tools should conform to :
- SCAP : Security Content Automation Protocol (Developed by NIST)
- OVAL : Open Vulnerability and Assessment Language.
Interpreting and classifying results can be done using :
- CVE : Common Vulnerability Enumeration.
- CVSS : Common Vulnerability Scoring System.
Penetration testing does not only test for vulnerabilities, but it also tries to exploit them.
According to NIST SP 800-115, the phases of penetration testing are :
- Attack. (Includes : Gain access, escalate, system browsing and installing additional tools)
There are two types of penetration testing :
- White Hat (Overt) : The IT team is aware of the test.
- Black Hat (Covert) : The IT team is not aware of the test (But management is fully aware of course).
Reviewing logs can be overwhelming. To help in this, a Security Information and Event Management (SIEM) solution can be used.
You should always check logs for integrity :
- You should have a secure copy.
- Any changes on logs must be logged.
- You should hash logs for integrity checks.
Synthetic transactions are actions run against a monitored system to see how it responds.
- RUM (Real-User Monitoring) : Monitors actual users.
- Synthetic performance monitoring : Using scripts that mimic a typical user. It is also called proactive monitoring.
Code Review and testing
There are a lot of ways and techniques to perform code review and testing. These are some of the common ones that you should know about:
- Manual : Conducted by a human.
- Automatic : Using a software tool.
- Black box : The tester does not have access to the code.
- White box : The tester has access to the code.
- Gray box : The tester has a certain level of knowledge about the inner workings of the system. (Between black box and white box).
- Dynamic : Testing application while running.
- Static : Testing the application without executing it.
For reviewing code, the following methods can be used:
- Pair programming : the first person codes, the second person reviews, and then they switch.
- Over-the-shoulder : One person codes, and another person only reviews.
- Fagan inspection : Formal method of 6 steps : Planning, overview, preparation, meeting, rework and followup.
Use/Misuse case testing
- Use case : Tests based on how the user uses the system.
- Misuse : Tests from the perspective of a malicious user.
- Negative testing
- Tests how the application would behave if there is an unexpected input.
- Opposite : Positive testing.
A fuzzer, or fuzz testing, is a powerful way to test how an application reacts to various inputs. There are two types of fuzz testing: Generation-based and mutation-based.
Test coverage analysis
Test coverage analysis determines the percentage of the code that the testing has covered. There are multiple coverage types :
- Branch coverage
- Condition coverage
- Function coverage
- Loop coverage
- Statement coverage
- Decision coverage
For each type, the test coverage = Tested code / complete application structure.
Ideally, the test coverage should be equal to 100%.
Interface testing tests if the different components of the application operate well with each other.
- KPIs : Key Performance Indicators
- Insight about risks that have previously affected an organization
- KRIs : Key Risk Indicators
- Monitor potential shifts in risks so that management can proactively identify potential impacts on the organization.
- SOC 1: Related to financial reportings
- SOC 2 : Cover one or more of the following trust services
- Trust services
- Processing integrity
- Trust services
- SOC 3 : Same as SOC 2, but released for public. And so, sensitive information is not included in the SOC 3 report.
- SOC 1 and 2 reports can be one of the following types:
- Type I : Covers a specified date. It confirms the design.
- Type II : Covers a period of time (Generally between 6 and 12 months). It addresses the effectiveness of controls.
We have now gone through all items that are covered in the domain 6 of the CISSP. If you notice that there is some important concept that I have forgotten to mention in this review, please let me know in the comments below.