Security testing aims at verifying three basic principles:
- Confidentiality – protecting sensitive information from unauthorized users
- Integrity – protecting information from being tampered with
- Availability – providing access to information when it is needed
A security test case that is not designed around the security triad (CIA) is not a valid security test.
What we do
Security experts at AFour Technologies employ Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) techniques to discover potential threats that could be exploited by malicious users.
Security testing covers the entire ecosystem of network, host, application and data, and a comprehensive security report with severity ratings is provided.
Security Development Lifecycle Process Design
Threat Modeling
Threat modeling is a structured approach to identifying, evaluating and mitigating the risks to a system.
It uses the STRIDE threat model.
Security Testing Considerations
Data
- Integrity – Tampering
- Sniffing
- Input validation
- Encryption – Data in Transit
- Authentication
- Authorization
- Encryption – Data at Rest
- Repudiation
Host
- Simulating packet flooding on the target for DoS attacks
- Security patches
- File entitlements
- IP tables
- Unnecessary user accounts
- Vulnerability scan
- Availability
- Security misconfigurations
- System auditing & event logging
- Viruses, Trojans, Worms
Network
- Port scanning
- IPS attacks
- Packet sniffing
- DoS attacks
- IP spoofing
- Traffic anomaly detection
- Routing tables
- DNS attacks
- Eavesdropping
Application
- OWASP Top 10
- SAST analysis – Static code analysis
- DAST analysis – Dynamic security testing
- Denial of Service
- Buffer overflow
- Cryptography – Cipher, Key length
- File corruption
- Certificate forgery
- Third-party vulnerabilities
- Application service accounts
- Fuzz testing – service crash
- Application logs
- Cookie manipulation
- Vulnerabilities in the application
- Cross-site scripting
- SQL injection
- Session hijacking
- REST API authentication
- URL manipulation
- HTTP header manipulation
- Elevation of privilege
- Tampering
- Heartbleed, POODLE, FREAK
- Application configurations
Authentication & Authorization
- User / Role Based Access Control
- Two-Factor Authentication
- Repudiation
- File system access
- DB access, Multi-tenancy
- User audit activity
- Password policies
Cloud Infrastructure Security
- VPC
- IAM
- Applications grouped in Security Zones to restrict connections
- Prevent root logins
- Restrict DB access further to a few hosts
- Add redundancy of application servers for high availability
- Provide temporary sudo privileges to a few users
- Lock down ports
- Security groups – allow access to applications from the private network or bastion hosts, not from the internet
- Host hardening
- Leverage AMIs for regular security patch management
- Back up data regularly to mitigate disasters
- Repudiation
OWASP Top 10
Security Tools
Threat Modelling – MS TMT 2016
Static Code Analysis – PMD, FindBugs, Checkstyle
Vulnerability Scanner – Arachni, Nikto, Nessus
Packet Sniffing & Replay – tcpdump, Nmap, Tshark, Wireshark
Penetration Testing – Metasploit, OpenVAS, ZAP, Kali Linux
REST API – Postman, SoapUI
Web Application Security – Burp Suite, SQLMap, SQLInjectMe, XSSME, TamperData, commix, Nmap, Zenmap, Hydra, Fiddler, Watobo, SSLScan
Encryption & Cipher Test – GnuPG, BitLocker, OpenSSL, AES Online, md5sum