Testing Security

Dec 2017 - Updated Aug 2022

Testing security is something you must do repeatedly. You can't test once and call it "secured!"; it doesn't work like that. However, testing, like security planning itself, can cause more harm than good if done poorly, for example by generating findings that are unrelated to the threats the organization actually faces. So, how do you begin to think about testing? How do you factor in penetration tests or red team assessments?

TL;DR

In an ideal world, risk and threat assessments will already have informed the approach to security. So, start there. Start by understanding the risks and threats, then validate the effectiveness of your security measures and controls against those specific threats.

The Process

Start by performing a risk assessment and identifying the key risks based on the industry, organization, or product. Edit: you can begin a good security approach with a conversation about risk. Check the Forward Point Risk Process for a simpler approach to this.

Perform threat modeling to understand the likelihood of those risks materializing and to assess the current controls. Model credible attackers, based on the industry or current trends. Be realistic. Have two or more people produce independent threat models and compare them, to make sure nothing is missed. If needed, use multiple threat models to inform the threat profile.

Build a threat profile you would like to test and assign an adversary to it. Provide a series of plausible scenarios, plus one or two improbable ones to test your assumptions.

Perform a red team assessment, or a narrowly targeted penetration test, based on the threats and profiles identified.

Review the results and compare them against the collection of controls identified in the threat model: which controls held, which were bypassed, and which were never exercised. Prioritize the work on those controls based on criticality.