Managing Technical Security Testing - part 1 - introduction
Introduction: business viewpoint
Business has the responsibility to use secure IT solutions. Whether solutions are bought or built, their residual security risk must fall within the risk appetite of the company.
Business confidence should be based on proof. Security testing of a system delivers evidence of its security posture. Security testing covers very diverse testing methods, applied in one of the many IT environments, each with specific objectives.
This document presents the available security test choices to facilitate discussing a test plan with the security function. It intends to make the link from objectives to specific tests clear.
To track all testing, a heatmap is built of all IT components in the scope of a business owner, together with their relationships, and the test data is mapped onto it. That data includes the tests performed and planned, the date of testing, and the test outcomes. The result is a comprehensive overview from which security testing can be managed.
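As an added illustration of the heatmap idea (example code written for this page, not part of the original document), the following Python derives a status per component from constructed test records, flags components whose latest evidence is older than a chosen retest interval, and shows which components inherit risk through their recorded dependencies. The component names, record fields and the one-year threshold are assumptions.

```python
from datetime import date

# Constructed sample data, not taken from the document: the components in a
# business owner's scope, their dependencies, and the test records.
COMPONENTS = ["web-frontend", "api-gateway", "customer-db", "auth-service"]
DEPENDS_ON = {"web-frontend": ["api-gateway"],
              "api-gateway": ["auth-service", "customer-db"]}
TEST_RECORDS = [
    {"component": "web-frontend", "test": "web application pentest",
     "date": date(2024, 3, 1), "status": "done", "findings": {"high": 1, "low": 3}},
    {"component": "api-gateway", "test": "configuration review",
     "date": date(2023, 1, 15), "status": "done", "findings": {"high": 0, "low": 2}},
    {"component": "customer-db", "test": "configuration review",
     "date": date(2024, 9, 1), "status": "planned", "findings": {}},
]
TODAY = date(2024, 7, 1)       # reference date for the sample run
MAX_AGE_DAYS = 365             # assumed retest interval; tune to your policy


def component_status(component, records, today, max_age_days=MAX_AGE_DAYS):
    """Derive one heatmap cell from the records for a single component."""
    done = [r for r in records if r["component"] == component and r["status"] == "done"]
    planned = [r for r in records if r["component"] == component and r["status"] == "planned"]
    if done:
        latest = max(done, key=lambda r: r["date"])
        if (today - latest["date"]).days > max_age_days:
            return "stale"                 # evidence exists but is too old to rely on
        if latest["findings"].get("high", 0) > 0:
            return "open-high"             # tested, but high-risk findings remain
        return "tested"
    if planned:
        return "planned"                   # no evidence yet, but a test is scheduled
    return "untested"                      # no evidence and nothing scheduled

def heatmap(components, records, today):
    """Map every component in scope to its status; untested components stay visible."""
    return {c: component_status(c, records, today) for c in components}

def dependents_at_risk(status_by_component, depends_on):
    """Components that depend on something without current, clean evidence."""
    weak = {"stale", "open-high", "untested"}
    return sorted(c for c, deps in depends_on.items()
                  if any(status_by_component.get(d) in weak for d in deps))

if __name__ == "__main__":
    cells = heatmap(COMPONENTS, TEST_RECORDS, TODAY)
    for component, status in cells.items():
        print(f"{component:14} {status}")
    print("inherits risk from dependencies:", dependents_at_risk(cells, DEPENDS_ON))
```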
Introduction: security viewpoint
Scope
The CISO function puts a lot of effort into implementing preventive and detective controls for the organization. For judging the security posture of the infrastructure and applications, technical testing provides a view of the actual situation. We will use the shorthand "security testing" for the rest of this document.
There are other forms of testing that will not be addressed here, like red team attacks, social engineering attacks, and physical intrusions. Regulations for critical infrastructure do require these as well.
Overview of the topics for security testing
Why?
There are many triggers for security tests, each with their specific targets and objectives. The test scope and the test coverage may not be clear to all parties. That uncertainty can produce a result that does not meet the expectations of the requestor, and worse, the discrepancy may remain hidden to both tester and requestor.
What?
There is a long list of security tests that you could and should perform. Some are more common than others. The scope of the test is expressed in targets: which targets are included in the test? The coverage defines precisely which tests must be done. Finally, the tests may be sampling or comprehensive. In the former case a representative set of items is tested, whereas in the latter all items on the checklist are tested for all relevant target components. A good example of comprehensive testing is a configuration review against a standard, which can be largely automated.
How?
In almost all cases the test duration is fixed (time-boxed testing), which implies that not everything can be tested comprehensively. Both the choice of targets and the tests run on the chosen targets may have to be restricted to a sample.
Where?
The choice between production, pre-production, testing, or development environments for testing matters for the usefulness of the results. The build-security-in approach embeds testing in all environments.
Reporting and metrics
The reporting on the findings is the technical basis for higher-level reporting up to the accountable stakeholder and audit. An action plan to remedy all findings with a risk exceeding the organization's appetite is another deliverable that takes its input from the test report.
Metrics on the findings allow management to measure progress.
The typical phases and steps of security testing
The phases of a generic security test are:
- Trigger
There is a reason why a test is organized.
- Objective and context
What assurance is sought?
- Coverage
A lot of variation in coverage is possible, therefore the coverage must be precisely defined.
- Tester selection
Security tests are getting more and more specialized. Pick the right skills for the job.
- Planning
Time matters; it is measured in days and hours. Many conditions must be met at the start.
- Execution
Security tests try to break things. Collateral damage is possible. Be prepared.
- Reporting
Meaningful reports for all stakeholders are key.
- Remediation
Do not just point at the problem, guide to the solution.
- Continuous improvement
Spending money on recurring issues is sad. It brings no joy to a pentester either when the next SQL injection vulnerability is uncovered. My motto: a waste of my time, and a waste of your money.
Security Testing project RACI Matrix
