SOX, Basel II, PCI-DSS, COBIT… a handy reference

In IT there are certainly enough terms and terminology to confuse even the most studious and astute of us. Add into the mix the standards, acts, laws et al that need to be considered in relation to security testing and the mix certainly thickens.

To help out, here’s a quick listing of those that we often come up against, with some handy links.

Remember, many of these are not going to apply to your organisation, for example because they are US standards or because they cover a different industry sector. Conversely, you may need to consider several of them: if you are in banking and finance and you hold credit card data you may need to look at SOX, PCI-DSS and GLBA.

We need to know what these acts, standards and benchmarks require in order for an organisation to declare itself compliant with them. In addition, you’ll want to factor guidelines from vendors and your own internal standards into your security and compliance testing.

The Test Hats Security Team are experienced in guiding clients through the compliance and auditing process. We have helped build or refine a number of Information Security Management Systems and Security Auditing programmes. Why not get in touch today to see how we can help you?


Security Related Acts, Standards and links to information

Read more on the Test Hats website…


Penetration Testing – Consider the data…

Deciding that your organisation needs to have a Penetration Test conducted is a great step forward to ensuring overall security of your network. You’ve no doubt carefully considered why you want to conduct penetration testing and identified a range of security goals you want to achieve. Overall the goal will be to ensure the network is secured from potential intrusion and possibly a specific application you’re deploying is secure from unauthorised use and can’t be leveraged to enable exploitation.

Now you’ve decided what you want doing, engaging Test Hats to perform the penetration testing is the wise next step. Our team stand ready to deliver Application Vulnerability Assessments and Penetration Tests for your project. From our fully equipped Test Lab our security technicians can plan and execute the right level of testing to ensure the security of your network and application.

An initial step we take is of course to identify the ‘project sponsor’, the responsible authority within your organisation who is requesting and can authorise the penetration testing. The person requesting the test and the person able to authorise it are often not the same, so we need to be clear on who each is. Very often a Project Manager will request penetration testing at the behest of a Test Manager, but someone like the CTO or Head of Operations needs to authorise it.

However, even with relevant authority given to an approved request, there is still another key consideration, and that is around data. Before we commence penetration testing we’ll ask two key questions that are often forgotten:

Read more on the Test Hats website…

Regular Testers, get into Security Testing

Over here at Test Hats Towers (hey, it’s a 6-storey building we’re in and our bit is called Portal 7) we’ve donned our super hero cloaks and decided to get on a bit of a mission. That mission is to get ‘regular’ functional / system testers to look more closely at security related testing.

Now, security testing is a big field and we’re not expecting testers to suddenly master the entire domain. One responsible step at a time, but steps nonetheless, and not the complete avoidance of security testing we seem to see now. This is the issue we have: too many competent testers are avoiding security related testing altogether. There really is no need for this and, as we’ll outline below, it’s a dangerous state of affairs.

As with everything there are some caveats, however. The main one is that old-school, test-case-driven testers probably aren’t going to do well here (they may do well at auditing, but we’re talking about testing). The preference is for people who have practised exploratory testing; those are the people we want to speak to. We want to talk specifically about Application Security Testing.

Our Argument

Read more on the Test Hats website…

Get up to 20 percent off training at Test Hats

Starting now and until the end of December 2011 we’re going to trial a new discount model for our training.

We’re always looking for ways to collaborate with the testing community, what better way than rewarding support for our training courses. In summary, we’ve come up with a way for you to get up to 20% off training with Test Hats.

Here’s how to qualify for the discounts:

That’s all that’s needed, we’ll then apply discounts to all those who have a confirmed place!

How the discounts work:

Read more on the Test Hats website…

PR: Test Hats announce the launch of their new website

London, UK. 5th September 2011. Test Hats, an independent software testing services provider with offices in the UK and Spain, announces the launch of its new website today.

The software testing consultancy, Test Hats, today announced the launch of their new website at http://www.testhats.com, which now provides even more in depth information about their services.

According to Mark Crowther, Founder and Principal Test Architect, “The new site now covers all of our services where the old site was more limited. For example, it includes our unique EPOI and DSIS services, training and mentoring and includes a list of our current courses”.

EPOI, or ‘Establish and Protect your On-line Identity’, is a bespoke service for those who are looking to expand their presence on the internet. DSIS, or ‘Digital Divorce Intermediary Service’, is for partners and couples who are separating and need digital assets protecting.

“We’re excited to have completed the site upgrade which will now help our future clients learn more about the great range of services we provide,” stated Marta Diez, Business Manager. “The site is a lot more narrative compared to our competitors; it reflects our desire to be transparent and inform our clients”.

In all, the site provides detailed information on System, Security and Performance testing, including specialist areas such as testing “Mobile & Portable Media” and performing “Test Practice Reviews”. It includes a link to the Test Hats Blog and their LinkedIn profile.

“We hope current and future clients will visit the site and learn more about how we can support them in their software testing projects. Be sure to follow us on LinkedIn or Twitter for other updates,” concluded Mark Crowther.

Resources:
http://www.testhats.com/consultancy/epoi-dsis/
http://www.linkedin.com/company/2304362
http://twitter.com/#!/TestHats

Why we’re White Label and why it matters to you

If you visit the Test Hats website and read our About Us page or if you read the Privacy Statement ([Ed]…then you’re missing a lot of good content!), one thing you’ll pick up on is we state Test Hats are a “White Label” company. It goes on to state that we don’t publish Client names unless it’s been agreed as part of a marketing and communications strategy. In our email signature we also have a strap line of “Our Services, Your Brand”.

Over 70% of Test Hats Clients are other testing consultancies, development services providers or agencies engaging or hiring our skilled team members for key roles on their Client’s projects. Of course, this is absolutely commonplace in the industry. There are so many independent testing professionals and SME testing consultancies that it’s rare for a software testing team to be made up entirely of full time employees of a single supplier company. Simply put, supplier companies rarely have the number of staff needed, or staff with the specific skills required; that’s where Test Hats comes in.

Many of these sub-contracted companies will immediately head back to their own websites and marketing literature and add the name of the Client’s Client they just did work for. It’s an old trick…

Read more on the Test Hats website…

The Coming Cyber War

It’s been said a number of times that there is a coming Cyber War, mainly it seems between the US and China, but with others involved too. We’ve read constantly in the news about the US and UK police and government agencies bolstering their Cyber War capabilities. A recent article talked about China building their own

When we’re not hearing about a potential cyber war between nation states we’re hearing about cyber terrorism. The idea here is that political and extremist groups are switching to the cyber realm to conduct their operations. These groups could be hacktivists such as Anonymous or terrorists such as Al Qaeda, some may consider them to be the same but let’s make a distinction for the sake of this and future posts.

Read more on the Test Hats website…

Why you don’t use one password for all sites

This afternoon we saw yet another list of user names, email addresses and passwords published in retaliation by the hacktivist / hacker group Anonymous. This time it’s the turn of the Bay Area Rapid Transport System (BART), http://huff.to/BayHack.

The list is over at http://www.djmash.at/release/users.html and will no doubt be taken down very soon. Here’s a screenshot in case (Warning, some coarse language!)

Read more on the Test Hats website…

Hey Robert, is this your password?

This morning at Test Hats we started building our database of MD5 password hashes and cracks, to help with our Security Testing engagements.

As part of populating this database, we’re loading, encrypting and decrypting password lists. Some of these lists are available from sources such as Imperva, others from various forums and hacker / underground groups we’re part of.

As some of the lists are large, never smaller than say 8-10k passwords in a huge Excel or Text file, it takes some time to go through. That’s where automation comes in handy of course! However, curiosity always creeps in and there’s always the desire to have a look yourself at what passwords people are choosing.

I wrote a little Ruby script to pick out some passwords and parse them for similar characteristics. I decided to pick the name ‘Robert’ from one list and look at how often it came up and in what format. For completeness, this includes Robert, Roberta and Roberto.
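The author’s script is not shown, so the following is an added Ruby example written for this page, not the Test Hats script. It runs the same kind of analysis over a small constructed password list (not real leaked data) embedded in the file: it finds passwords built around the name variants Robert, Roberta and Roberto, records how the name is cased and how it is padded (bare, digits appended, a prefix, wrapped), and tallies the results. The names `classify`, `summarise`, `NAME_VARIANTS` and `SAMPLE_PASSWORDS` are this example’s own. The same approach is what a defender would use when auditing an organisation’s own password set for name-based patterns before tightening policy.

```ruby
# Constructed sample of plaintext passwords for illustration only (not real data).
SAMPLE_PASSWORDS = %w[
  robert Robert robert1 Robert123 roberta ROBERTO roberto99 trustno1
  password Robert! 1robert sunshine roberta2011 xrobertx
].freeze

# Longest variants first so "roberta" is matched before its prefix "robert".
NAME_VARIANTS = %w[roberta roberto robert].freeze

# Describe how the name appears in one password.
# Returns nil when none of the variants occurs (case-insensitively).
def classify(password)
  lower = password.downcase
  variant = NAME_VARIANTS.find { |v| lower.include?(v) }
  return nil unless variant

  idx    = lower.index(variant)
  prefix = password[0...idx]
  core   = password[idx, variant.length]          # the name as the user typed it
  suffix = password[(idx + variant.length)..]

  casing = if core == core.downcase    then :lowercase
           elsif core == core.upcase   then :uppercase
           elsif core == core.capitalize then :capitalised
           else :mixed
           end

  form = if prefix.empty? && suffix.empty?              then :bare
         elsif prefix.empty? && suffix.match?(/\A\d+\z/) then :digits_suffix
         elsif prefix.empty?                             then :other_suffix
         elsif suffix.empty?                             then :prefix_only
         else :wrapped
         end

  { variant: variant, casing: casing, form: form }
end

# Tally how often each variant, casing and padding form occurs in a list.
def summarise(passwords)
  hits = passwords.filter_map { |p| classify(p) }
  {
    total:      passwords.size,
    matched:    hits.size,
    by_variant: hits.group_by { |h| h[:variant] }.transform_values(&:size),
    by_casing:  hits.group_by { |h| h[:casing] }.transform_values(&:size),
    by_form:    hits.group_by { |h| h[:form] }.transform_values(&:size)
  }
end

if $PROGRAM_NAME == __FILE__
  summary = summarise(SAMPLE_PASSWORDS)
  puts "#{summary[:matched]} of #{summary[:total]} passwords contain a Robert variant"
  %i[by_variant by_casing by_form].each do |key|
    puts "#{key}: #{summary[key].sort_by { |_, n| -n }.to_h}"
  end
end
```

Reading a real list means swapping `SAMPLE_PASSWORDS` for `File.readlines(path, chomp: true)`; the classification itself does not change. The `form` buckets are the interesting part for policy work, since “name plus digits” is the pattern that a minimum-length rule alone does nothing to discourage.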

Here’s the chart and analysis:

Read more on the Test Hats website…