Overview
Application security test aims to verify the security controls if working as expected and proactively checking for new threats, vulnerabilities, and gaps to ensure desired level of security is maintained.
Test Methodology
Security tests should be performed in different levels of software development. Each level have different set of test tool and strategy but focuses a particular area of interest. All activities to perform test cases should align with Security Testing Guideline.
Scope
All new features or change requires a security test as minimum requirement but can be changed upon assessment of business requirement.
Test Cases
The security testing will have:
Unauthenticated Security Testing. This case is non intrusive and tests the current security posture with all the controls in-place to verify everything is working as it should and ensuring desired level of security is achieved. Conducted quarterly
Authenticated Security Testing. This case is non intrusive and tests the actual target without other controls protecting it. This aims to check and verify how resilient the current target to security attacks without any controls. This includes the code review (SAST) to application source code.
Penetration Testing. This case is intrusive and aims to penetrate the target with all the controls in placed. This check and verify how resilient the current target to security attacks including its controls.
Robustness Testing. This case is intrusive and aims to disrupt the operations of the target with all the controls in placed. This verify how robust the application to abuse like denial-of-service (DoS) attacks.
Compliance Posture Testing. This case is non-intrusive and aims to check the existing configurations in the infrastructure if compliant with existing standards like PCI-DSS, NIST, HIPAA, and etc.
Infrastructure Testing. This case is non-intrusive and aims to check the vulnerabilities available in the network infrastructure.
AST-1: Unauthenticated Security Testing
Pre-condition
Target environment is ready and built for security testing
All security and network controls is working.
# | Test Steps | Test Data | Tool |
|---|---|---|---|
1 | Port and Service Scan | nmap -A -sV -p1-65535 <target ip or domain> | NMAP |
2 | Vulnerability Scan | nmap -sV --script vulners <target> Predefined scripts in ZAP Automated / Manual Test | NMAP, OWASP ZAP |
3 | Vulnerability Assessment | Vulnerabilities | CVSS |
Expected Result
Scan result and list of assessed vulnerabilities.
AST-2: Authenticated Security Testing
Pre-condition
Target environment is ready and built for security testing
All security and network controls is bypassed or whitelisted.
Test user accounts created per role.
# | Test Steps | Test Data | Tool |
|---|---|---|---|
1 | Static Analysis | Application Source Code | SonarCube SAST |
2 | Port and Service Scan | nmap -A -sV -p1-65535 <target ip or domain> | NMAP |
3 | Vulnerability Scan | nmap -sV --script vulners <target> Predefined scripts in ZAP Automated / Manual Test | NMAP, OWASP ZAP |
4 | Authenticated Scan | Login accounts, formal inputs, ThreatMapper scripts | OWASP ZAP, Burp Pro, Metasploit Framework, ThreatMapper |
5 | Vulnerability Assessment | Vulnerabilities | CVSS |
Expected Result
Scan result and list of assessed vulnerabilities.
AST-3: Penetration Testing
Pre-condition
Target environment is ready and built for security testing
All security and network controls is working.
Test user accounts created per role.
# | Test Steps | Test Data | Tool |
|---|---|---|---|
1 | Port and Service Scan | nmap -A -sV -p1-65535 <target ip or domain> | NMAP |
2 | Vulnerability Scan | nmap -sV --script vulners <target> Predefined scripts in ZAP Automated / Manual Test | NMAP, OWASP ZAP |
3 | Penetration Test | Login accounts, malicious inputs. (e.g., injection scripts, header forgery, redirection, infected file upload) | OWASP ZAP, Burp Pro, Metasploit Framework, ThreatMapper |
4 | Vulnerability Assessment | Vulnerabilities | CVSS |
Expected Result
Scan result and list of penetrated vulnerabilities.
AST-4: Robustness Testing
Pre-condition
Target environment is ready and built for security testing
All security and network controls is working.
Test user accounts created per role.
# | Test Steps | Test Data | Tool |
|---|---|---|---|
1 | Port and Service Scan | nmap -A -sV -p1-65535 <target ip or domain> | NMAP |
2 | Vulnerability Scan | nmap -sV --script vulners <target> Predefined scripts in ZAP Automated / Manual Test | NMAP, OWASP ZAP |
3 | Robustness Test | Login accounts, informal inputs (e.g., incorrect data type input), API payload | OWASP ZAP, Burp Pro, Postman |
4 | Vulnerability Assessment | Vulnerabilities | CVSS |
Expected Result
Scan result and list of DoS vulnerabilities.
AST-5: Compliance Posture Testing
Pre-condition
Target environment is ready and built for security testing
All security and network controls is working.
# | Test Steps | Test Data | Tool |
|---|---|---|---|
1 | Compliance Posture Scan | Built-in ThreatMapper scripts | ThreatMapper |
2 | Vulnerability Assessment | Vulnerabilities | CVSS |
Expected Result
Scan result and list of compliance gaps.
AST-6: Infrastructure Testing
Pre-condition
Target environment is ready and built for security testing
All security and network controls is working.
# | Test Steps | Test Data | Tool |
|---|---|---|---|
1 | Infrastructure Vulnerability Scan | Built-in ThreatMapper scripts | ThreatMapper |
2 | Vulnerability Assessment | Vulnerabilities | CVSS |
Expected Result
Scan result and list of assessed vulnerabilities.
Attachments:
Screen Shot 2022-09-08 at 5.42.36 PM.png (image/png)
Screen Shot 2022-09-08 at 2.50.37 PM.png (image/png)
Screen Shot 2022-09-08 at 2.54.03 PM.png (image/png)
image-20220913-055713.png (image/png)