A Security Testing Process from Scratch

Premise

Build an application security testing process from scratch while challenging my preconceptions and finding the gaps in my knowledge. This is not an attempt to tear up everything that has come before because I think I can do it better. It is an exercise to identify and clear up gaps in my knowledge and empathize with the authors who have come before. I have never been satisfied with a standard process, so I look forward to exploring different processes and seeing their advantages and disadvantages. When possible, I want to take the path less traveled to find out why. What are my goals? How will I measure success? What are the questions I will try to answer?

Questions

Is there a distinction worth making between HTTP and other protocols? Checklists and loops come up a lot, but can they be merged in a satisfying way? Can a security test be benchmarked in a useful way? Breadth-first or depth-first testing? Coverage will be incomplete; how is it maximized?

Guidance

Standards

ISO, NIST, ENISA, CREST, OWASP, PCI, SWIFT

Research

PortSwigger Top 10, PWNIES, books, zines, bounties, press, academia.

Risk and Impact

What matters? Headlines? Fines? Crimes? Public perceptions?

Threat Modeling

Scoring

CVSS

Tooling

How do we determine whether software is vulnerable? Most efficiently? Most quickly? How do we organize and categorize the tools and techniques? Local, remote, static, dynamic, passive, active? Is this a categorization that matters? What is the value of categorizing these techniques? Do these questions match up with the order of testing vulnerabilities?

Network

Web

Everything Else

Local

Android

iOS

Linux

Windows

Vulnerabilities

In what order should vulnerabilities be tested? Should they be categorized? What is the value in doing any of that? Could the ordering be determined by impact? Always looking for chains? What if we decided only high-impact vulnerabilities actually matter? What is the critical vulnerability here? What do we need for it to succeed? Can we get the prerequisites? Loop?