Security System Testing

Exposing Bugs in a Security System

To expose bugs, a tester must be able to distinguish expected (normal) from unexpected (buggy) program behavior. A machine cannot always do so, but in the absence of specifications a tester can typically still tell crashing from non-crashing executions, which gives a simple and objective measure.

Crashes can be identified by testing and inspection and might indicate potential vulnerabilities. However, the absence of a crash does not mean the absence of a vulnerability.

Security system testing strategies:

  1. Regression and differential testing
  2. Validating static analysis reports
  3. Automated vulnerability scan
  4. Security penetration testing

Regression and Differential Testing

To make a tester more sensitive to failures other than crashes, regression testing and differential testing methods are used. For automated regression testing, the generated inputs are executed on two versions of the same program. For automated differential testing, the generated inputs are executed on two implementations of the same application.
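A small differential-testing harness, added here as an illustration and not taken from the original page. The two IPv4 parsers, the mutation strategy and every function name are assumptions made for the example; the same harness performs regression testing when the two callables are an old and a new version of one program.

```python
import random

def parse_strict(text):
    """Implementation A: four decimal octets, 0-255, no leading zeros."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("need four octets")
    for p in parts:
        if not (p.isascii() and p.isdigit()) or p != str(int(p)) or int(p) > 255:
            raise ValueError("bad octet")
    return tuple(int(p) for p in parts)

def parse_lenient(text):
    """Implementation B: same intent, but leans on int(), which also
    accepts leading zeros, surrounding spaces, '+' and '_'."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("need four octets")
    octets = tuple(int(p) for p in parts)
    if min(octets) < 0 or max(octets) > 255:
        raise ValueError("octet out of range")
    return octets

def outcome(impl, text):
    """Reduce a run to something comparable: the value or the error type."""
    try:
        return ("ok", impl(text))
    except Exception as exc:
        return ("error", type(exc).__name__)

def mutate(rng, text, alphabet="0123456789.+ _"):
    """Insert, replace or delete one character at a random position."""
    pos, ch = rng.randrange(len(text) + 1), rng.choice(alphabet)
    op = rng.choice(("insert", "replace", "delete"))
    tail = text[pos:] if op == "insert" else text[pos + 1:]
    return text[:pos] + ("" if op == "delete" else ch) + tail

def differential_test(impl_a, impl_b, seed_input, trials=2000, rng_seed=1):
    """Run generated inputs through both implementations; keep disagreements."""
    rng, findings = random.Random(rng_seed), {}
    for _ in range(trials):
        text = seed_input                      # constructed valid seed input
        for _ in range(rng.randint(1, 3)):
            text = mutate(rng, text)
        a, b = outcome(impl_a, text), outcome(impl_b, text)
        if a != b:                             # neither run crashed, yet they differ
            findings[text] = (a, b)
    return findings
```

Calling differential_test(parse_strict, parse_lenient, "192.168.1.10") returns the inputs one parser rejects and the other accepts. None of them crash either implementation, which is the class of failure a crash-only check misses.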

Validating Static Analysis Reports

Static program analysis is the analysis of a program without actually executing it. Validating its reports helps weed out false positives, where the tool reports problems with the program that do not exist. To do this, static program analysis is combined with dynamic program analysis to try to generate an input that produces the reported problem.

Automated Vulnerability Scan

Vulnerability scans quickly check network ports and services to ascertain the types and versions of those services and possible configuration issues. This is accomplished by comparing the information in the responses against databases of known vulnerabilities. Automated vulnerability scans are very efficient because they draw on pre-discovered vulnerability reports, prioritized by relative severity.
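The matching step described above, sketched as an added example that is not part of the original page. The banners, product names, advisory ids and severities are all constructed placeholders, and the banner pattern is an assumption about how a service reports its version.

```python
import re

# Constructed advisory feed: (product, first fixed version, severity 0-10, id).
# Product names and ids are placeholders, not real software or advisories.
ADVISORIES = [
    ("examplehttpd", "2.4.50", 9.8, "EXAMPLE-0001"),
    ("examplehttpd", "2.2", 5.3, "EXAMPLE-0002"),
    ("examplessh", "8.1", 7.5, "EXAMPLE-0003"),
]

# Constructed scan output: (port, banner the service returned).
BANNERS = [
    (22, "SSH-2.0-examplessh_7.9"),
    (80, "Server: examplehttpd/2.4.49 (Unix)"),
    (8080, "Server: examplehttpd/2.4.51"),
    (25, "220 mail ready"),
]

BANNER_RE = re.compile(r"([A-Za-z]+)[/_](\d+(?:\.\d+)*)")

def version_key(version, width=4):
    """'2.4' -> (2, 4, 0, 0) so that 2.4 and 2.4.0 compare equal."""
    parts = [int(x) for x in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def identify(banner):
    """Return (product, version) from a banner, or None if it has no version."""
    m = BANNER_RE.search(banner)
    return (m.group(1).lower(), m.group(2)) if m else None

def assess(banners, advisories):
    """Match identified services against the feed; highest severity first."""
    findings, unidentified = [], []
    for port, banner in banners:
        service = identify(banner)
        if service is None:
            unidentified.append(port)   # no version seen: not the same as "clean"
            continue
        product, version = service
        for adv_product, fixed_in, severity, adv_id in advisories:
            if product == adv_product and version_key(version) < version_key(fixed_in):
                findings.append((severity, port, product, version, adv_id))
    return sorted(findings, reverse=True), unidentified
```

A match here means only that the reported version is older than the fixed one; a vendor may have backported the fix without changing the banner, so version matches still need confirmation.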

Security Penetration Testing

Penetration testing is a technique that simulates attackers’ capabilities by exploiting flaws, configuration problems, or weak security practices or controls. Penetration testing proves more accurate than vulnerability scanning because it confirms whether a possible weakness is in fact exploitable.

Penetration testers specifically look for poor security practices not customarily found by an automated scan, such as the use of shared passwords, weak passwords, or reuse of passwords, and subsequently try to exploit the weakness.

Physical Penetration Test Example

Physical penetration testing involves attempting to gain access to a secure area. For example, an expert might target an electronic access door with no known vulnerabilities and attempt to find procedural weaknesses to bypass the entry controls. The expert observes an authorized entry of an employee, and in doing so, determines that the door doesn’t close entirely for a few seconds. Exploiting this by loitering near the entrance, the expert discreetly piggybacks behind the next employee entering the building.

Once inside, the expert discovers that there is immediate access to the nearby data center because the inside server room entry door is propped open. Additionally, it is noted that the expert’s entry was not detected, which seems to indicate that the video surveillance was not actively monitored.

Choosing the Right Testing Approach for You

Depending on your organization’s risk aversion, regulatory requirements, and the type of information processed, we recommend a customized security testing approach based on your unique situation. Several, but not all, industries are required to comply with government regulations and with specific security standards, so certain tests may not be required for your company. Regardless, all organizations can benefit from security testing, and vulnerability scanning is the right place to start.

How Often Should Security Testing Occur?

Today’s threats are dynamic and unpredictable, with new attack types discovered frequently. At APT .RED, we recommend performing basic vulnerability scans often, such as quarterly, monthly, or even more frequently for dynamic networks.

Adding penetration testing to your risk management regimen provides greater assurance that you can identify and address problems before they result in a data breach. Penetration testing requires a more significant investment of time and resources, so it is common for this testing to be performed annually.

Security System Inspections

Why wait until a security breach has occurred to discover your system has a problem? Regularly scheduled inspections can prevent costly security breach losses. To fortify your security system, make sure it is functioning properly with regularly scheduled inspections. We recommend security system inspections at regular intervals to minimize downtime, minimize risk, comply with regulatory requirements, and maintain equipment warranties. APT .RED security inspection plans typically include quarterly, semi-annual, and annual options.