2 Days

This is a practical course designed to provide a foundation for security testing. You will learn the terminology, the unique issues, and the process for testing security in web and enterprise applications. As a result of attending this seminar, you should be able to understand security issues and have an increased comfort level in testing the security of web-based and enterprise applications.

This is an ideal course for test team managers and leaders who need to understand security testing and how to integrate security testing into existing software testing activities. This is also a foundational course for people seeking further training in security testing, such as the ISTQB Advanced Level Security Tester certification. (This course does not lead to certification and is not a pre-requisite for the ISTQB Advanced Level Security Tester certification)

Foundational Security Testing Methods will help you become more comfortable and confident in dealing with security testing issues. You will emerge from this two-day session knowing how to develop a security testing strategy and security test plan. You will learn the details of how attackers break into system and how to design tests to validate that security is adequate to prevent such attacks. You will also have an understanding of how hackers and attackers think.

The information that your company obtains and stores is perhaps its most valuable corporate asset. Learn how to protect it and make sure protection measures are working in this course.

Return on Investment

Protect your most valuable corporate asset - your data
Understand how the attackers think
Become familiar with information security threats and risks so that you can define effective security tests
Understand which risks are associated with security issues and how they can affect your test planning and execution.
Learn which tools can be used in security testing
Advance your career by broadening your testing expertise.

Who Will Benefit

QA Managers
Test managers
Test analysts
Testers
End users
Web developers
General managers who are responsible for making IT security decisions in their organizations
IT auditors and internal auditors

The program requires basic IT and testing knowledge or experience

Program Information

This course is presented on an in-house basis only unless offered as a live virtual course

To register for the live virtual course: https://www.mysoftwaretesting.com/Foundational_Security_Test_Methods_p/fstmvirt.htm

Topics

Module SECA - Introduction to Computer Security (45 Mins.)

This is an introduction to basic concepts of information security in a variety of environments, including web-based and internal corporate systems. Security will be examined in the light of risks, benefits and threats.

What is Security Testing?
Is Security Testing Possible?
The Risks
- Costs
- National Security
- Business Survival
The Benefits
- Customer Confidence
- National Security
The Threats
- External
- Internal
- COTS-based applications
Who is at Risk?
- Individuals
- Companies
- Government Agencies
- Schools
The Impact of New Technologies
- Cloud
- Mobile
Who Should be Responsible for Security Testing?

Module SECB - Understanding the Attackers (1 Hr.)

By understanding how computer crooks think, security professionals and testers can leverage that information to effectively audit and test systems.

Who are the Attackers?
Motivations of Attackers
What Tools do Attackers Use?
Where do Attackers Meet?
How do they Work?
- The Five Phases of a Security Attack
  - Phase 1 – Reconnaissance
  - Phase 2 – Scanning
  - Phase 3 – Gaining Access
  - Phase 4 – Maintaining Access
  - Phase 5 – Covering Tracks and Hiding

Module SECD - Security Protocols and Techniques (1 Hr.)

There are a variety of security protocols and techniques that are commonly in use. This module examines those techniques and how they work.

Aunthentication and Authorization Methods
Transaction Security Essentials
Encryption Basics
- PKI
- Public Keys
- Private Keys
- How Public Key Encryption Works
- Core PKI Services
- Data Encryption System (DES) File Encryption
VPNs
Digital Certificates
Certification Authorities
Digital Signatures
Data Obfuscation
Firewalls
Anti-virus software
Intrusion detection
SSL
Cookies
Summary

Module SECE - Internet Privacy and Information Privacy (45 mins.)

There is considerable debate as to whether there is such a thing as privacy in the digital age. Even with an assumed level of lack of privacy, there are still significant privacy concerns that individuals and organizations need to be aware of. Lack of attention to privacy concerns can hurt a company's online business or can cause an individual personal losses.

Is There Such a Thing as "Internet Privacy?"
Privacy Threats
- Unprotected data
- Cookies
- Unauthorized sale of data
- Social engineering
- Improper disposal of private data
Privacy Remedies
Information Privacy Concerns - How Crooks Steal and Exploit Sensitive Corporate Information
Corporate Espionage
Protecting Private Information in Internal Systems
- Desktops
- Servers
- Mainframes
- Off-site Storage
Verifying and Validating the Protection of Sensitive Information
- Web-based
- Cloud
- Mobile
- Internal data
- Physical items

Module SECF - A Process for Security Testing (1 Hr.)

This module presents a process for planning, conducting and evaluating security testing.

Determine Test Strategy and Tools
Perform Security Assessment
Develop Security Policy
Identify Security Risks: Functional & Structural
Script Functions To Be Security Tested
Design Automated Security Tests
Perform Test And Report Results

Module SECG - How to Develop a Security Testing Strategy (1 Hr.)

Like other forms of testing, the test strategy is an effective way to define the test objectives, the scope of testing, and the attributes that make testing a particular system or web site unique.

How Testing Fits into an Enterprise Security Process
Questions for Determining a Security Test Strategy
- What are the Security Risks?
- Which Tools are Available for Testing?
- Which Tools are Available for Prevention?
- The Tradeoffs Between Manual and Automated Testing
- Which Kinds of Verification Can be Performed?
- Who Will Perform Security Testing?
- What Kind of Test Environment Will Be Required?
- What Will be the Scope of Security Testing?
- How Will Security Tests Be Evaluated?
- What Constraints Exist for Security Testing?
- When Will Security Testing be Performed?
Exercise - Case Study

Module SECI - Writing a Security Test Plan (1 Hr.)

This module describes how to customize your own security test plan standard and how to use that standard in developing security test plans.

Defining a Security Test Plan Standard
Defining the Scope of Test Planning
Defining Who Will Perform Testing
Assemble Test Planning Information as Defined in the Standard
Reviewing the Plan
Approving the Plan
A Sample Security Test Plan
A Security Test Plan Checklist
Exercise and Discussion - Reviewing the Sample Security Test Plan

Module SECJ - Understanding Security Attacks and Developing Security Test Cases (3 Hrs.)

It's difficult to test anything until you understand it. This module is an extensive coverage of some of the most popular and destructive network-based attacks, how they are performed, how they can be prevented and how you can test to assure that the prevention measures have been adequately applied. Topics include:

External Intrusion
- Network attacks
  - Routers
  - Firewalls
  - Network Mapping
  - Network Scanning
  - Fragmentation
- Weak Passwords
- Social Engineering
Application-based attacks
- Web-based applications
- Boundary overflows
- Backdoors
- Trojan Horses
- RootKits
- Developer Defenses
Language-based Vulnerabilities
Denial-of-Service Attacks
Virus Attacks
Password Hacks
Cookies
Session Tracking
SQL Piggybacking
SQL Injection
URL Redirection (Cross-site Scripting)
Exercise - Developing Security Test Cases

Module SECK - Performing Security Tests (1 Hr.)

Performing security testing can be a difficult and risky effort. This module discusses things to consider in establishing the test environment, communicating the performance of the test, how to view the test results and how to stay out of trouble in performing the test.

Establishing the Test Environment
Penetration Testing
Validating Existing Security Controls
Obtaining Authorization for Security Testing
Language-based Tests
Testing COTS-based Applications
Regression Testing
Reviewing Logs and Alerts
Exercise - Performing Security Tests

Module SECL - Reporting the Results of Security Testing (1 Hr.)

This module presents a standard for security test reporting and a sample security test report.

Reporting Security Vulnerabilities
Developing a Security Test Report Standard
A Sample Security Test Report
Exercise - Writing a Security Test Report

Module SECM - Security Testing Tools (45 mins.)

There are a variety of tools that can be used to detect network vulnerabilities, excessive load levels and other attacker exploits.

Code Scanners
Packet Building
Load and Stress Testing
Network Packet Sniffers
Password Audit Tools
Virus Scanners
Information Querying
Intrusion Detection
Network Monitoring

Module SECL - How to Write a Security Response and Recovery Plan (30 min.)

You've done all you can to prevent an attack, but how will your organization respond to a new type of attack? How will you know the security response plan works? This module presents a standard for a security response and recovery plan. A sample security response and recovery plan will be reviewed and it's applicability determined in light of a case study.

The Role of Testing in Developing a Security Response and Recovery Plan Standard
A Sample Security Response and Recovery Plan
Exercise - Review the Sample Security Response and Recovery Plan
Exercise - Case study

Module SECN - Developing an Action Plan for Security (30 mins)

In this module, you will develop an action plan for yourself and your organization to address security testing.

Identifying Your Greatest Needs
Developing an Action Plan

Foundational Security Testing Methods

2 Days

Latest News

Popular

Buy The Book!