In today’s agile world, every organization is prone to cyber-attacks, as most of the applications have been developed and deployed with more focus on functionality, end user experience and with minimal attention given to security risks. http://www.karyatech.com/blog/security-testing-in-the-secured-world/

1. Testing

2. Security Testing In The
Secured World

3. © KARYA Technologies Inc.

4. © KARYA Technologies Inc.
In today’s agile world, every organization is prone to cyber-attacks, as most of the applications have been developed and
deployed with more focus on functionality, end user experience and with minimal attention given to security risks.
Prominent sites from a number of regulated industries that include Financial Services, Government, Healthcare, and
Retail, are probed daily.
The Consequences of a security breach are great; loss of revenues, damage to credibility, legal liability and loss of
customer trust. Security breaches can happen through network penetration or vulnerabilities in software applications
while developing software. Security testing helps companies to retain their reputation, privacy of sensitive data, customer
confidence and also trust.

5. © KARYA Technologies Inc. 5
What is a Security Testing?
The Security Testing is a process of testing the current security set up to ensure that the test turns out to be successful. In
order for any modern day organization to work properly, it is pretty much mandatory for them to get the following four
things to a perfect place. A lack of any of these may cause serious concerns over the security of the database of a
particular organization.
1. Data Access refers to the accessibility of any data. There are only a few people or a particular individual that is allowed
to access any important database. The data if falls in the hands of an unauthorized individual, it may lead to misuse
which can turn out to be a disaster for any organization.
2. Network Security refers to the level at which a network is secured. There are various levels in Network Security. The
more important the data, the higher should be the level of Network Security.
3. Authentication refers to authenticity of any program. A stage where certain information is revealed to make sure that
people are aware about who is heading or owning a particular program.
4. Encryption is some kind of common information. For example: specific password. Encryption is the last step of a
Security Test and indeed the most pivotal one. If there is a shortcoming in any of these parameters, the test may turn
out to be unsuccessful. In order to ensure smoothness, the importance of a security test is required to be understood
before it's too late.

6. © KARYA Technologies Inc.
Security Testing basically works on six principles:
• Confidentiality
• Integrity
• Authentication
• Authorization
• Availability
• Non-Repudiation
These principles form the corner stone for any test. In order to determine whether your Security Testing is successful or
not. You have to rely on these principles. Sounds similar to that of resource management, but are quite the opposite.
1. Confidentiality is a process where things are kept private. Not everyone or perhaps, no third party is aware of the test.
The matter is kept confidential within an organization.
2. Integrity refers to protecting information so the unauthorized parties aren't able to modify it.
3. Authenticity showcases the legitimacy of any desired software.
4. Authorization cannot be defined better than the access control which is under the hands of a particular individual.
5. Availability refers to the assurance for the provision of information & communication services as and when required.
6. Non-Repudiation is to avoid any conflict between sender and receiver on the basis of ultimate denial. That it when the
Non-Repudiation principle comes into play.

7. © KARYA Technologies Inc.
The aforementioned principles are the basics of testing. Let's learn more about the process.
For every application that has been created, has been done so, with the help of a Database, Structured Query Language
(SQL) forms the basis for this. Now, when all the above principles fall short somewhere, the language becomes vulnerable to
the unauthorized sources.
Now, this takes place due to several reasons. One of the major reason is an organization does not focus on the security
aspects as much as it does on the other aspects such as infrastructure and access codes. The shortfall in the security aspects
leads to its breach.
Different Type of Security Assessment
Application Security Assessment
Application Security Assessment reveals vulnerabilities and configuration flaws that could lead to unauthorized access,
information loss or denial of service. It checks user identification and authentication, input and output validation controls,
and vulnerabilities that exist based on OWASP Standards.

8. © KARYA Technologies Inc.

9. © KARYA Technologies Inc.
Network Security Assessment
The Network Assessment service helps clients identify network related threats, design mitigation steps and improve
security posture. It also involves Network & Server Performance and Configuration Audit, Protocol Analysis, Vulnerability
Assessment and Penetration Testing.
Vulnerability Assessment
Vulnerability Assessment is carried out using Automated Tools that test for a range of potential weaknesses. A selected set
of VA Tools scan specific devices within the organization’s Network and identifies latent vulnerabilities. Scans are executed
on desktops, critical servers and security devices on the network.
Penetration Testing
Penetration Testing is done by simulating the role of an external threat, using information that is publicly available. The
ethical hacking team attempts to penetrate security mechanisms on the perimeter of the network as well as the
mechanisms of access control to the core system.

10. © KARYA Technologies Inc.
ISO 27001 Consulting
One of the key ways to ensure that organizations address key issues relating to information security is by compliance to ISO
27001. It helps clients understand and adopt controls prescribed by the standard, to suit their business needs using a
comprehensive and proven methodology.
BCP / DR Consulting
It’s the consultancy to help clients implement a Business Continuity Plan, based on industry best practices. BS25999 is an
internationally recognized and certifiable standard that establishes the process of Business Continuity Management.
PCI - DSS Consulting
The Payment Card Industry (PCI) - Data Security Standard (DSS) is to encourage and enhance cardholder Data Security. It
helps clients to achieve a level of vigilance with regard to compliance against the PCI - DSS Requirements.

11. © KARYA Technologies Inc.
Advantages of Security Testing
• Combines best practices such as White Box, Gray Box, and Black Box Testing.
• Implements robust processes such as the Application Development and Maintenance (ADM) Philosophy to ensure
Application Security is considered during all phases of the SDLC.
• Rich experience in both Open-Source and Commercial Tools used for Security Testing.
• Tie-up with major tool vendors ensures thorough validation of all aspects related to Security Testing.
• A Comprehensive Testing Mechanism integrates with industry best practices such as the Open Web Application Security
Project (OWASP), SANS and Open-Source Security Testing Methodology Manual (OSSTMM).
• The Security Test consultants are backed by industry certifications such as Certified Information Systems Security
Professional (CISSP), Certified Ethical Hacker (CEH) and ISO 27001 LA.
• Expose weaknesses stemming from the application's relationship to the rest of the IT infrastructure.
• Assess Application Security versus real-world attacks via a variety of manual techniques.
• Identify Security Design Flaws.
• Increase end-user confidence in the application's overall Security.
Learn more about KARYA’s Software Testing Services at www.karyatech.com. You may also email us at
info@karyatech.com.