Testing

Chart 3 areas top to bottom. Design and Implementation, Verification and Validation, Operation and Maintenance. 5 blue bars cover ranges. Security risk assessment, Security functional testing, Performance testing, robustness testing, Penetration testing
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

Types of Tests

Functional Testing

Verifies the actions, behavior and requirements of an application

Requires the functional specification documentation to perform

Describes WHAT the application does

Is performed before non-functional testing

  • Unit test - testing the smallest testable part of any software
  • System test - test of complete and integrated software
  • Integration test - individual units of software are combined and tested as a group
  • Interface test - verifies communication between two different software
  • User acceptance test - system is tested for acceptability
  • Regression test - verifies code change does not have an impact on existing functionality
  • User Interface (UI) / User Experience (UX) test
  • Localization / globalization test
  • White box test
  • Black box test
  • Interoperability test
  • Error condition test

Non-Functional Testing

Verifies the performance and expectation of an application

Needs performance specification documentation to perform

Tests should be measurable

Describes HOW the application works

Is performed after functional testing

  • Performance / efficiency test - extent to which system can handle capacity, quantity and response time
  • Reliability / robustness test - continuously performs the specified function without failure
  • Scalability test - the degree in which a system can expand its process capacity to meet an increase in demand
  • Survivability / availability test - continues to function and recover itself in case of a system failure
  • Usability test - ease at which the user can learn, operate, interact with a system
  • Portability test - flexibility of software to transfer from its current hardware and/or software environment
  • Installation test
  • Volume test       
  • Load / stress / endurance / spike test
  • Compliance test
  • Maintainability test
  • Flexibility test
  • Disaster recovery test

Security Testing

  • Discovery - Analyze scope and threat
  • Vulnerability scan - Automated scan of a system against known vulnerabilities
  • Security scan  - Manual or automated scans to identify network and/or system weaknesses
  • Vulnerability / Security / risk assessment - Testing to analyze the security risks to an organization
  • Penetration test - Simulated attack from a malicious hacker.
  • Security audit - Internal inspection of systems for security flaws
  • Posture assessment - Combines multiple tests to show an overall security posture of an organization
  • Regulatory compliance

Maintenance Testing

  • Regression testing
  • Maintenance testing

Points of attack (sample)

  • Physical device
  • Components
  • Algorithm
  • Firmware
  • Device Driver
  • Operating System
  • Middleware
  • Application
  • Service

Security vs. Complexity

  • Security is orthogonal to functionality
  • More security bugs
  • Modularity
  • Interconnectedness
  • Difficulty of understanding
  • Difficulty of analysis
  • Unfeasibility of patching
  • Difficulty of testing

Word cloud: Large to small- Software, Testing, Plan, System, Beta, code, bugs, Execution, Process, Requirements, Alpha, Tools, respond, Information, Usability, quality, find, approach, analysis, stakeholder, component

Testing components (product) 

  • Design
  • Algorithm 
  • Protocols 
  • Implementation 
  • Configuration 
  • User interface 
  • Procedures 
  • Installation
  • Interaction

Security testing

  • Software based attacks
    • Buffer overflow
    • Too many to list
  • Differential fault analysis
    • Realistic differential attack
    • Reverse engineering
  • Chip based attacks
    • Overwrite attacks
    • Modification attacks
    • Destruction attacks
  • Memory remanence attacks
  • Protocol failures

Simulations and Tabletop Exercises (TTX)

  • Regulators explicitly require operational and tested incident response plans 
    • NIST Cybersecurity Framework – Applies specifically to critical infrastructure players (but also across industries and sectors)
      • Provides for incident response plan testing
    • FFIEC (Finance) – Mandates testing of incident response (IR) plan (as well as DR and BCP) as part of bank examination and audit processes
    • HIPPA (Healthcare) – Provides for auditing of incident response planning process
    • PCI DSS (Retail/Payments) – Requires operational incident response plan
  • Enforcement actions have already begun 
    • Focuses on failure to maintain adequate cybersecurity policies and procedures
      • e.g., first SEC action in 2015 against an investment adviser on this basis

Let us help you change your mindset and address cybersecurity

Cybersecurity