- Gather information which may be useful in specifying tests, such as names of employees, physical addresses, details regarding the internal networks, IP numbers, identity of software or hardware used, and operating system version.
- Perform a vulnerability scan using widely available tools. Such tools are not used directly to compromise the system(s), but to identify vulnerabilities that are, or that may result in, a breach of security policy. Specific vulnerabilities can also be identified using checklists such as those provided by the National Institute of Standards and Technology (NIST).
- Develop “attack plans” (i.e., a plan of testing actions intended to compromise a particular system’s security policy) using the gathered information. Several inputs via various interfaces (e.g., user interface, file system) need to be specified in the attack plans to detect the most severe security faults. The various “attacks” described in are a valuable source of techniques developed specifically for security testing.
Security issues can also be exposed by reviews and/or the use of static analysis tools. Static analysis tools contain an extensive set of rules which are specific to security threats and against which the code is checked. For example, buffer overflow issues, caused by failure to check buffer size before data assignment, can be found by such tools.
Static analysis tools can be used for web code to check for possible exposure to security vulnerabilities such as code injection, cookie security, cross site scripting, resource tampering and SQL code injection.
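The two paragraphs above describe static analysis as code being checked against a set of security-specific rules. The following added example (not part of the syllabus text, and not the implementation of any particular tool) is a deliberately small rule-based scanner that shows the mechanism: each rule pairs a vulnerability category from the text (buffer overflow, SQL code injection, cross site scripting, cookie security) with a pattern and a remediation hint, and the scanner reports every source line that matches. The rule identifiers, the file names and the source snippets in `SAMPLES` are all constructed for this illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security rule: an id, the category it detects, a line pattern and advice."""
    rule_id: str      # constructed identifier, not from any real tool
    category: str
    pattern: re.Pattern
    advice: str


@dataclass(frozen=True)
class Finding:
    filename: str
    line_no: int
    rule_id: str
    category: str
    snippet: str


SQL_KW = r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b"

# A tiny rule set standing in for the "extensive set of rules" of a real tool.
RULES = [
    Rule("C-BUF-001", "buffer overflow",
         re.compile(r"\b(?:strcpy|strcat|sprintf|gets)\s*\("),
         "data is copied into a buffer whose size is never checked; use a length-bounded call"),
    Rule("WEB-SQLI-001", "SQL code injection",
         # a quoted SQL statement immediately followed by string concatenation or formatting
         re.compile(rf"""(?:"[^"]*{SQL_KW}[^"]*"|'[^']*{SQL_KW}[^']*')\s*(?:\+|%|\.format\()"""),
         "SQL text is assembled from input; use a parameterised query"),
    Rule("WEB-XSS-001", "cross site scripting",
         re.compile(r"\.innerHTML\s*=|document\.write\s*\("),
         "data is written into the page as markup; use textContent or an output encoder"),
    Rule("WEB-COOKIE-001", "cookie security",
         # a cookie is set and the rest of the line never mentions HttpOnly
         re.compile(r"set[-_]cookie\b(?![^\n]*httponly)", re.I),
         "cookie is set without the HttpOnly flag"),
]


def scan_source(filename: str, source: str) -> list[Finding]:
    """Check every line of one file against every rule.

    Real tools work on a full syntax tree and data flow; a line-by-line match is
    enough to show the rule-checking idea and where its false positives come from.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(filename, line_no, rule.rule_id,
                                        rule.category, line.strip()))
    return findings


def scan_all(sources: dict[str, str]) -> list[Finding]:
    return [f for name, src in sources.items() for f in scan_source(name, src)]


def report(findings: list[Finding]) -> None:
    for f in findings:
        advice = next(r.advice for r in RULES if r.rule_id == f.rule_id)
        print(f"{f.filename}:{f.line_no}: [{f.rule_id}] {f.category}: {f.snippet}")
        print(f"    -> {advice}")


# Constructed sample sources; each holds one weak line and one acceptable line.
SAMPLES = {
    "greet.c": """#include <string.h>
void greet(const char *name) {
    char buf[16];
    strcpy(buf, name);                   /* length of name is never checked */
    strncpy(buf, name, sizeof buf - 1);  /* bounded copy, not flagged */
}
""",
    "users.py": '''def find_user(db, username):
    query = "SELECT * FROM users WHERE name = '" + username + "'"
    return db.execute(query)

def find_user_safe(db, username):
    return db.execute("SELECT * FROM users WHERE name = ?", (username,))
''',
    "render.js": """function render(msg) {
  document.getElementById("out").innerHTML = msg;    // input interpreted as HTML
  document.getElementById("out").textContent = msg;  // input shown as plain text
}
""",
    "login.py": """def login(response, token):
    response.set_cookie("session", token)
    response.set_cookie("session", token, httponly=True, secure=True)
""",
}

if __name__ == "__main__":
    report(scan_all(SAMPLES))
```

Running the block lists exactly one finding per sample file, each on the weak line, and leaves the bounded, parameterised, text-only and flagged-cookie lines alone. Because the rules match text rather than understanding the program, every finding still needs a reviewer to confirm it is a genuine fault; that confirmation step, together with the review mentioned in the text, is what turns a tool's output into a test result.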