Platform

Security
Week 2 - 3

Jerome L. Mamansag
Instructor
OVERVIEW
Overview of Platform
Security

Importance of Platform
Security in the Digital
Landscape

Common Threats and

Vulnerabilities

Security Testing

White Box Testing

Black Box Testing

Grey Box Testing

CIA Triad
Overview of
Platform Security
Platform security refers to the comprehensive
security architecture, tools, and processes
implemented to safeguard an entire computing
platform.
It takes a holistic approach, protecting all
components and layers within the platform from
hardware and software to network, storage, and
applications.
Unlike traditional layered security where each
component manages its own security, platform
security offers a unified central system for holistic
protection.
‘’Platform Security is a collection of tools, processes, and an
umbrella architecture that protects an enterprise's whole
computing platform.
Platform security typically relies on a unified set of hardware and
software to safeguard both traditional IT infrastructure and
software-defined hardware, storage, and network components, as
well as the operating systems and applications that run on those
platforms.’’
https://www.vmware.com/topics/platform-security

Platform security offers the protection of a complete platform

through the use of a centralized security architecture or system.
Unlike layered security, which involves each layer/system managing
its own security, platform security secures all components and
layers within a platform. This allows for the elimination of individual
security measures and the usage of numerous
applications/services to protect different layers of an IT
environment.
https://www.techopedia.com/definition/4053/platform-security
Key characteristics
of Platform Security
Centralized architecture: A single system or framework oversees and
manages security across all platform components. (network printer
server, client server model and database serve)

Integrated tools and processes: Security tools like firewalls, intrusion

detection systems, and data encryption work together seamlessly
within the platform. (Customer Relationship Management and ERP)

Holistic protection: All layers and components of the platform are

secured, including hardware, software, network, storage, applications,
and data. (Real time scanning and Firewall protection)

Simplified management: Fewer security solutions to manage reduces

complexity and administrative overhead. (Dashboard and cloud based)

Proactive approach: Platform security emphasizes prevention and threat

detection rather than just reactive defense. ( Software updates and
patches)
Examples of platform security in action:

Cloud platforms: Major cloud providers like AWS, Microsoft Azure, and
Google Cloud Platform offer built-in platform security features,
protecting infrastructure, workloads, and data. (Amazon, Microsoft Azure
and Google Cloud).

Mobile operating systems: iOS and Android offer platform-level security

features like app sandboxing, data encryption, and secure boot to
protect devices and user data. (iOs)

Software development platforms: Platforms like Kubernetes and Docker

include security features like container isolation and vulnerability
scanning to secure the development and deployment process. (Github,
GitLab and Bitbucket)

Enterprise IT infrastructure: Platforms like VMware vSphere provide

centralized security management for virtualized environments,
encompassing servers, storage, and network infrastructure. (Servers,
networking components, storage systems and virtualization technologies)
Benefits of platform
security
Enhanced security posture: A unified and comprehensive
approach strengthens overall platform security.

Reduced risk of cyberattacks: Proactive prevention and

centralized defenses make it harder for attackers to exploit
vulnerabilities

Improved operational efficiency: Simplified management

with fewer security tools to maintain.

Lower costs: Centralized security can offer cost savings

compared to maintaining multiple point solutions.
Vulnerability and Threat
Landscape
Common platform security vulnerabilities: Identifying and
understanding the most prevalent vulnerabilities in
hardware, software, applications, and configuration.

Emerging threats and attack vectors: Staying informed

about new and evolving threats targeting platforms, such
as zero-day exploits, supply chain attacks, and
ransomware.

Risk assessment and management: Learning how to

effectively assess risks within the platform and implement
appropriate mitigation strategies.
Securing Different Platforms

Common platform security vulnerabilities: Identifying and

understanding the most prevalent vulnerabilities in
hardware, software, applications, and configuration.

Emerging threats and attack vectors: Staying informed

about new and evolving threats targeting platforms, such
as zero-day exploits, supply chain attacks, and
ransomware.

Risk assessment and management: Learning how to

effectively assess risks within the platform and implement
appropriate mitigation strategies.
Best Practices and
Implementation:
Secure coding practices: Integrating security into the
software development lifecycle (SDLC) to prevent
vulnerabilities from getting introduced.
Patch management and vulnerability remediation:
Establishing efficient processes for identifying, patching,
and mitigating vulnerabilities across the platform.
Identity and access management (IAM): Implementing
strong IAM controls to manage user access, permissions,
and roles within the platform.
Logging and monitoring: Setting up comprehensive logging
and monitoring systems to detect suspicious activity and
potential security incidents.
Security
Testing
What is Security Testing?

Security testing can be a valuable tool for

developers, helping them to adopt an attacker's
mindset and write more secure code. By actively
seeking out vulnerabilities and exploring potential
attack paths, developers can gain a deeper
understanding of how their applications might be
exploited. This perspective allows them to identify
weaknesses proactively, write code that is less
susceptible to exploitation, and improve their overall
security skills.
Why perform Security testing?
Testing helps to ensure that the Many industries have standards and
software meets the requirements and regulations that require software to
performs as expected. It aids in the be tested. Testing can assist
detection and correction of flaws in organizations in demonstrating
software prior to its release to users, compliance with these standards and
thereby avoiding potential problems avoiding legal or financial penalties.
and increasing user satisfaction.

Testing can help reduce the risks Organizations can use testing to
associated with software failures. identify areas for improvement in their
Organizations can avoid costly recalls, development processes. Teams can
reputational damage, and financial use test results to identify trends,
losses if potential problems are root causes of defects, and
identified and addressed early on. implement measures to prevent
similar issues in the future.
 When to perform Security testing?
A more effective strategy is to incorporate security testing throughout the
entire Software Development Life Cycle (SDLC). This involves integrating
security considerations into each phase of development, from requirements
gathering to deployment.

The benefits of early security testing include:

Reduced Costs: Identifying and fixing vulnerabilities

early in the development process is significantly
cheaper than discovering them after deployment.

Improved Quality: Integrating security testing

throughout the SDLC ensures that the end product
is more secure and reliable.

Enhanced Risk Management: By proactively

identifying and addressing security risks, businesses
can better manage their overall risk exposure.
 White Box Testing

Black Box Testing

SECURITY TESTING

Gray Box Testing

White Box Testing
Is a software testing method in which the tester understands
the software's internal structure, code, and algorithms. This
knowledge enables testers to examine the code directly,
identifying potential vulnerabilities and weaknesses that
attackers may exploit.

is a software testing technique that focuses on the internal

structure, logic, and flow of code. It entails developing test cases
to ensure that the code paths and logic flows are correct and
meet the specified criteria.
 3 types of White box testing

UNIT TESTING INTEGRATION TESTING REGRESSION TESTING

Checks if each part or Examines how different Verifies that changes or

function of the application parts of the application work updates don’t break existing
works correctly. together. functionality.
Ensures the application Done after unit testing to Ensures the application still
meets design requirements make sure components work passes all existing tests
during development. well both alone and together. after updates.
 White Box Testing
Techniques

Statement Coverage Multiple Condition Coverage

Branch Coverage Basis Path Testing

Condition Coverage Loop Testing

Statement Coverage
In this technique, the goal is to go through all statements at least
once. Consequently, each line of code is tested. A flowchart
requires each node to be traversed at least once. Because all
lines of code are covered, it is easier to identify errors.
Advantages of Statement Coverage:
It ensures that at least a portion of the code is tested.
It can help identify errors that other testing techniques may miss.
It is a relatively simple concept to grasp and apply.

Limitation of Statement Coverage:

Insufficient for Complex Logic: For complex logic or nested conditional
statements, statement coverage alone may not be enough to detect
all potential errors.
Dead Code: It does not ensure that all branches of conditional
statements are executed.
False Sense of Security: Achieving 100% statement coverage can
provide a false sense of security because it does not ensure that all
possible paths through the code are tested.
Branch Coverage
Is a testing technique that
ensures that every possible
branch or decision point in
a program is executed at
least once during testing.
This means that all possible
paths through the code are
tested, including both the
"true" and "false" branches
of conditional statements.
Advantages of Branch Coverage:
It ensures that at least a portion of the code is tested.
It can help identify errors that other testing techniques may miss.
It is a relatively simple concept to grasp and apply.

Limitation of Branch Coverage:

Insufficient for Complex Logic: For complex logic or nested conditional
statements, statement coverage alone may not be enough to detect
all potential errors.
Dead Code: It does not ensure that all branches of conditional
statements are executed.
False Sense of Security: Achieving 100% statement coverage can
provide a false sense of security because it does not ensure that all
possible paths through the code are tested.
Condition Coverage
Is a testing method that ensures that all possible outcomes for
each condition in a program are tested at least once. This implies
that both the "true" and "false" branches of conditional statements
are executed.

Multiple Condition Coverage

Is a testing technique that guarantees that all possible
combinations of conditions within a conditional statement are
tested at least once. This means that every possible outcome of
the conditional statement, based on various combinations of
condition values, is addressed.
Basis Path Testing
In this technique, control flow graphs are created from code or
flowcharts, and cyclic complexity is calculated to determine the
number of independent paths, allowing for the design of the fewest
number of test cases for each path.

Loop Testing
Loops are widely used and fundamental to many algorithms, so
their testing is critical. Errors frequently occur at the beginning and
end of loops.
Process White Box Testing
Input: Requirements, Functional
specifications, design documents,
source code.
Processing: Performing risk analysis
to guide through the entire process.
Proper test planning: Designing test
cases to cover the entire code.
Execute rinse-repeat until error-
free software is reached. Also, the
results are communicated.

Processing: Performing risk analysis

to guide through the entire process.
White Testing is performed in 2 Steps

1. Tester should understand the code well.

2. Tester should write some code for test
cases and execute them
Tools required for White box testing:
PyUnit Bugzilla
Sqlmap Fiddler
Nmap JSUnit.net
Parasoft Jtest OpenGrok
Nunit Wireshark
VeraUnit HP Fortify
CppUnit CSUnit
Features of White box Testing
Code coverage analysis: White box testing analyzes
an application's code coverage, identifying areas of
code that are not being tested.

Access to the source code is required for white box

testing, which allows you to test individual functions,
methods, and modules.

Knowledge of programming languages: Testers

performing white box testing must be familiar with
programming languages such as Java, C++, Python,
and PHP in order to understand code structure and
write tests.
Features of White box Testing
Identifying logical errors: White box testing is
useful for detecting logical errors in code,
such as infinite loops or incorrect conditional
statements.
Unit testing: White box testing is also used
for unit testing, which entails testing
individual units of code to ensure they
function properly.
Optimization of code: White box testing can
aid in code optimization by identifying
performance issues, redundant code, and
other areas for improvement.
Features of White box Testing
Security testing: White box testing can also be used for security
testing, as it allows testers to identify any vulnerabilities in the
application’s code.

Verification of Design: It verifies that the software’s internal design is

implemented in accordance with the designated design documents.

Check for Accurate Code: It verifies that the code operates in

accordance with the guidelines and specifications.
Features of White box Testing
Identifying Coding Mistakes: It finds and fix
programming flaws in your code, including
syntactic and logical errors.

Path Examination: It ensures that each

possible path of code execution is explored
and test various iterations of the code.

Determining the Dead Code: It finds and

remove any code that isn’t used when the
programme is running normally (dead
code).
 Advantages of White
Box Testing
Thorough Testing : White box testing is thorough as
the entire code and structures are tested.
Code Optimization: It results in the optimization of
code removing errors and helps in removing extra
lines of code.
Early Detection of Defects: It can start at an earlier
stage as it doesn’t require any interface as in the
case of black box testing.
 Advantages of White Box Testing

Integration with SDLC: White box testing can be easily started

in Software Development Life Cycle.
Detection of Complex Defects: Testers can identify defects
that cannot be detected through other testing techniques.
Comprehensive Test Cases: Testers can create more
comprehensive and effective test cases that cover all code
paths.
Testers can ensure that the code meets coding standards and
is optimized for performance.
 Disadvantages of White Box Testing

Programming Knowledge and Source Code Access: Testers

need to have programming knowledge and access to the
source code to perform tests.
Overemphasis on Internal Workings: Testers may focus too
much on the internal workings of the software and may miss
external issues.
Bias in Testing: Testers may have a biased view of the
software since they are familiar with its internal workings.
 Disadvantages of White Box Testing

Test Case Overhead: Redesigning code and rewriting code

needs test cases to be written again.
Dependency on Tester Expertise: Testers are required to have
in-depth knowledge of the code and programming language as
opposed to black-box testing.
Inability to Detect Missing Functionalities: Missing
functionalities cannot be detected as the code that exists is
tested.
Increased Production Errors: High chances of errors in
production.