Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Forcepoint Secure
Testing Methodology
Contents
Introduction
Penetration Testing
Static Application Security Testing (SAST) & Source Code Analysis (SCA)
www.forcepoint.com
INTRODUCTION
In the mass production process of software, bugs of all types,
including security-related vulnerabilities, are a real possibility.
Therefore, its critical to have a methodology that ensures all possible
vulnerabilities are found in any given software product and are
remediated prior to release.
The Forcepoint Secure Testing Methodology is a crucial part of an
end-to-end process that works in lock-step with Forcepoints Secure
Software Development Lifecycle (SSDLC) - also known as our Secure
Development Process - to ensure security-by-design. Forcepoints
SSDLC includes elements of secure design, secure release and
security education.
05
Security principles
Threat assessments
01
SECURE
DESIGN
SECURE
EDUCATION
Ongoing training
Best practices
Bug bounty
04
Forcepoint
Secure
Development
Process
SECURE
RELEASE
Security approval &
sign-off on all releases
3rd party evaluations
03
Code analysis
Secure technologies
Banned libraries
02
STEP 1
Discovery
STEP 2
Enumeration
STEP 3
Vulnerability
Mapping
Analysis
Identify
Extract
Collect
Profile
Scan
Ping/scan
Services
Intrusive
Mapping
Research
STEP 4
Exploitation
Attack
Penetrate
Compromise
SECURE
CODING
Application testing
Static analysis
Penetration testing
SECURE
TESTING
www.forcepoint.com
PENETRATION TESTING
Penetration testing is a process in which evaluators attempt
to circumvent the security features of a system based on their
understanding of the system design and implementation. The purpose
is to identify methods of gaining access to a system by using common
tools and techniques used by attackers. Penetration testing is an
invaluable part of Forcepoints Secure Testing Methodology and should
only be performed after careful consideration, notification and planning.
Exploitation
The objective of this step is to exploit the vulnerabilities identified in
previous steps. This is done by using several databases documenting
known exploits, including any internally-identified zero-day exploits,
trying to obtain unauthorized access to the systems. Our testers analyze
the previously-identified vulnerabilities and develop an attack strategy.
It is, of course, intrusive by the nature of the activities carried out.
During this phase, testers are focused on identifying common security
flaws that lead to exploitation such as:
Remote code execution
Privileged escalation
Buffer overflow
We subject our security solutions to real-world attacks, which is critical
to reducing the threat surfaces of our products.
DYNAMIC APPLICATION SECURITY TESTING (DAST)
Dynamic application security testing involves testing the application
from the outside in by examining the application in its running
state and attempting to manipulate it in unexpected ways in order
to discover security vulnerabilities. This type of testing identifies
highly-exploitable vulnerabilities such as SQL injection and
cross-site scripting. It also finds runtime issues that cant easily
be found by looking at code in its offline state via static analysis,
such as authentication issues, server misconfiguration issues and
vulnerabilities that are only visible when you log in as a known user.
Figure 2 Forcepoint Dynamic Application Security Testing Approach
STEP 1
STEP 2
Information
Gathering
Configuration
Management
Entry points
Recon
Error codes
HTTP methods
SSL issues
Infrastructure
STEP 5
STEP 6
Authorization
Business Logic
Path traversal
User roles
Permissions
XSS
SQL injection
Business logic
bypass
www.forcepoint.com
STEP 3
Authentication
Brute force
Account
creation
Forgotten
password
STEP 4
Session
Management
Session
fixation
Session
variables
CSRF
Information Gathering
During this step, the tester is focused on gaining a clear understanding
of how the application functions its interaction with the user and other
systems. Various discovery exercises are performed, including web
spidering, user-directed spidering, brute force scanning, etc.
Configuration Management
This step focuses on assessing the infrastructure used in the delivery of
the application (e.g. Tomcat, Apache) as well as any database systems
used to store application data (e.g. Mongo, MySQL) for potential security
vulnerabilities that may lead to reducing the overall integrity of the
application.
Application Testing (e.g. Authentication, Session Management)
The goal of these steps is to identify any application-based
vulnerabilities that could potentially be exploited. These vulnerabilities
are identified using both automated scanning and enumeration tools,
such as IBM AppScan, Burp Suite Professional and OWASP ZAP, as
well manual review procedures. The application testing step focuses
on the review of the following areas:
Client-side controls.
Authentication and authorization mechanisms (e.g. roles and
permissions).
Session management mechanisms.
Input-based filtering.
Business logic.
Use of third-party libraries (e.g. node.js, Angular.js).
Application interfaces (e.g. REST).
During this phase, testers are focused on also identifying common
web application security flaws including:
SQL injection.
Path traversal.
Cross-site Scripting (XSS).
Cross-site Request Forgery (CSRF).
STEP 7
Data Validation
Attack
Exploit
Compromise
CONTACT
PSIRT@forcepoint.com
ABOUT FORCEPOINT
Forcepoint is a trademark of Forcepoint, LLC. SureView, ThreatSeeker and TRITON are registered trademarks of Forcepoint, LLC. Raytheon is a
registered trademark of Raytheon Company. All other trademarks and registered trademarks are property of their respective owners.
[WHITEPAPER_SECURE_TESTING_METHODOLOGY_EN] 200041.042016
www.forcepoint.com