3. Process
Threat model / Testing / Filtering & Reporting / Automation
Standard: Testing guide / Testing category
Test: Testing type / Testing strategy / Open source tools
4. Before we start a security test ...
Threat Modeling
● Identify business objectives
● Understand your application
● Define threat models
Security Testing
● OWASP Testing Guide V4
● OWASP Application Security Verification Standard (ASVS) 3.0
● (OWASP Top 10)
● Choose testing scope
● Choose testing strategy
Reporting
● Filter issues
● Assess vulnerabilities
● Report and tracking
9. OWASP Testing Guide V4
● Information Gathering
● Configuration and Deployment Management Testing
● Identity Management Testing
● Authentication Testing
● Authorization Testing
● Session Management Testing
● Input Validation Testing
● Error Handling
● Cryptography
● Business Logic Testing
● Client Side Testing
10. Information Gathering
Network information: Domain / Subdomain / IP
Server information: Service / Framework / Version / Language
Architecture: API service / Database / Cache / Cluster
11. Information Gathering
Tools: dig / curl / whois / Nmap / Sn1per / Burp
Fingerprint / Information leakage
OSINT: Google hacking (https://www.exploit-db.com/google-hacking-database) / Shodan (https://www.shodan.io/) / Censys (https://censys.io/)
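The "Server information" and "Fingerprint / Information leakage" steps above are usually done by reading the HTTP response headers a target returns to curl. The following is an added example, not code from the original slides: it parses a block of response headers, infers the service and server-side language from the Server, X-Powered-By and session-cookie headers, and counts how many headers leak a version number (each of those is a reportable finding). The headers are constructed samples, and the host name in the comments is an assumption; the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original slides): fingerprint a web server and
# spot version leakage from its HTTP response headers. Runs offline on the
# constructed samples below; in a real engagement you would pipe in
#   curl -sI "https://target.example/"   (assumed, non-existent host)
# and only against systems you are authorized to test.

# Constructed sample: a PHP application behind Apache that leaks versions.
SAMPLE_HEADERS_PHP='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Set-Cookie: PHPSESSID=abc123; path=/
Content-Type: text/html; charset=UTF-8'

# Constructed sample: a hardened Java application that hides versions but
# still reveals the platform through its session cookie name.
SAMPLE_HEADERS_JAVA='HTTP/1.1 200 OK
Server: nginx
Set-Cookie: JSESSIONID=0A1B2C3D; Path=/; HttpOnly
Content-Type: text/html'

# header_value NAME: print the first value of header NAME (case-insensitive)
# read from stdin; prints nothing when the header is absent.
header_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr -d '\r' | awk -v want="$want" '
        /^[A-Za-z0-9-]+:/ {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val)
                print val
                exit
            }
        }'
}

# guess_language: infer the server-side language from X-Powered-By first,
# then fall back to well-known session cookie names.
guess_language() {
    hdrs=$(cat)
    powered=$(printf '%s\n' "$hdrs" | header_value X-Powered-By)
    cookie=$(printf '%s\n' "$hdrs" | header_value Set-Cookie)
    case "$powered" in
        PHP*)      echo PHP;     return ;;
        ASP.NET*)  echo ASP.NET; return ;;
        Express*)  echo Node.js; return ;;
    esac
    case "$cookie" in
        PHPSESSID=*)          echo PHP ;;
        JSESSIONID=*)         echo Java ;;
        ASP.NET_SessionId=*)  echo ASP.NET ;;
        *)                    echo unknown ;;
    esac
}

# leaked_versions: count the informational headers whose value contains a
# version-like token (digit.digit). Each one is a finding for the report.
leaked_versions() {
    hdrs=$(cat)
    n=0
    for h in Server X-Powered-By X-AspNet-Version X-Generator; do
        v=$(printf '%s\n' "$hdrs" | header_value "$h")
        case "$v" in
            *[0-9].[0-9]*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# fingerprint: one-line summary of service, language and leak count,
# suitable for pasting into the information-gathering notes.
fingerprint() {
    hdrs=$(cat)
    printf 'service=%s language=%s leaked_versions=%s\n' \
        "$(printf '%s\n' "$hdrs" | header_value Server)" \
        "$(printf '%s\n' "$hdrs" | guess_language)" \
        "$(printf '%s\n' "$hdrs" | leaked_versions)"
}
```

Run `printf '%s\n' "$SAMPLE_HEADERS_PHP" | fingerprint` to see the PHP sample classified with two leaked versions; the Java sample shows that hiding Server and X-Powered-By versions is not enough when the session cookie name still names the platform.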