
Whitepaper

Forcepoint Secure Testing Methodology

Contents
Introduction

Penetration Testing

Dynamic Application Security Testing (DAST)

Static Application Security Testing (SAST) & Source Code Analysis (SCA)

Security Testing Strategy

Standards and Guidance

www.forcepoint.com


INTRODUCTION
In large-scale software production, bugs of all types, including
security-related vulnerabilities, are a real possibility. It is therefore
critical to have a methodology that ensures all possible vulnerabilities
are found in any given software product and are remediated prior to
release.
The Forcepoint Secure Testing Methodology is a crucial part of an
end-to-end process that works in lock-step with Forcepoint's Secure
Software Development Lifecycle (SSDLC), also known as our Secure
Development Process, to ensure security-by-design. Forcepoint's
SSDLC includes elements of secure design, secure release and
security education.

[Figure: Forcepoint Secure Development Process, shown as a five-stage cycle]
Secure Design: Security principles; Threat assessments
Secure Coding: Code analysis; Secure technologies; Banned libraries
Secure Testing: Application testing; Static analysis; Penetration testing
Secure Release: Security approval & sign-off on all releases; 3rd party evaluations
Secure Education: Ongoing training; Best practices; Bug bounty

Although our testers use well-known testing products such as Nessus,
Metasploit, Canvas and Qualys, we're aware that tools are not always
fully capable of mimicking the thought processes and behavior of
human testers. That's why our testers continually find new methods
of attack, vulnerability mappings, vulnerability combinations and
application logic flaws that can lead to security vulnerabilities. Our
testing methodology emphasizes proprietary manual testing techniques
and vulnerability mapping, and our unique penetration testing approach
is flexible and tailored to meet each assessment's particular needs.

Figure 1 Forcepoint Penetration Testing Approach
[Figure: four steps. Step 1 Discovery; Step 2 Enumeration; Step 3 Vulnerability
Mapping; Step 4 Exploitation (Attack, Penetrate, Compromise). The sub-item labels
shown under steps 1 to 3 are Ping/scan, Scan, Profile, Collect, Extract, Services,
Intrusive, Identify, Analysis, Mapping and Research.]

Our methodology includes a number of analytical testing strategies,
such as penetration testing and static code review, chosen according
to the type of environment that requires evaluation: application code,
appliance infrastructure, use of third-party libraries, etc.
Forcepoint has assembled a dedicated Product Security Team to
conduct all testing activities for every software product we use,
approve or recommend. This team is made up of experienced
penetration testers, software developers and other security
professionals.


PENETRATION TESTING
Penetration testing is a process in which evaluators attempt
to circumvent the security features of a system based on their
understanding of the system design and implementation. The purpose
is to identify methods of gaining access to a system by using common
tools and techniques used by attackers. Penetration testing is an
invaluable part of Forcepoint's Secure Testing Methodology and should
only be performed after careful consideration, notification and planning.

Discovery & Enumeration
Various tools and techniques are used to determine whether the
network elements are available and actually listening (i.e., active
or alive). Each of the identified IP addresses is port-scanned to
identify the active (and potentially exploitable) network services on
each element. Testers use a combination of browsers, automated tools
such as Nmap, and proprietary scripts to scan for vulnerabilities that
could potentially be exploited.
Vulnerability Mapping
During this step, the tester maps the profile of the environment to
publicly known or, in some cases, undocumented vulnerabilities. One
method used to accomplish this step is mapping specific system
attributes against publicly available sources of vulnerability information,
such as US-CERT, MITRE CVE, OSVDB and Secunia advisories and
vendor security alerts. This allows us to identify whether or not the
product is susceptible to known vulnerabilities, provides information
on potential exploits and helps anticipate attack vectors.
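To make the mapping step concrete, here is an added example (not Forcepoint's code) that matches an enumerated service profile against a local list of advisories by product and version range. The advisory references, products, versions and hosts are constructed sample data, and the affected-from / fixed-in range format is an assumption about how such a feed would be expressed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    """One advisory entry; refs and products are constructed placeholders, not real IDs."""
    ref: str
    product: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str  # first fixed version (exclusive)

def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49); '8.2p1' -> (8, 2, 1): a patch suffix sorts as an extra component."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def version_lt(a: str, b: str) -> bool:
    """True if a < b, zero-padding so that '2.4' compares equal to '2.4.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))

def map_vulnerabilities(services, advisories):
    """Match enumerated services (host, port, product, version) to advisories for the same
    product. A service whose banner gave no version cannot be cleared, so it is reported
    as 'unverified-no-version' rather than silently dropped."""
    findings = []
    for svc in services:
        for adv in advisories:
            if adv.product.casefold() != svc["product"].casefold():
                continue
            ver = svc.get("version")
            if not ver:
                status = "unverified-no-version"
            elif not version_lt(ver, adv.affected_from) and version_lt(ver, adv.fixed_in):
                status = "version-matched"
            else:
                continue  # outside the affected range: no finding
            findings.append({"host": svc["host"], "port": svc["port"], "ref": adv.ref, "status": status})
    return findings

# Constructed sample data: placeholder refs, fictional products, private-range hosts.
ADVISORIES = [
    Advisory("ADV-0001", "Acme Web Server", "2.4.0", "2.4.50"),
    Advisory("ADV-0002", "Acme SSHd", "7.0", "8.0"),
]
SERVICES = [
    {"host": "10.0.0.5", "port": 80, "product": "Acme Web Server", "version": "2.4.49"},
    {"host": "10.0.0.5", "port": 22, "product": "Acme SSHd", "version": "8.2p1"},
    {"host": "10.0.0.7", "port": 443, "product": "Acme Web Server", "version": ""},
]
```

Calling `map_vulnerabilities(SERVICES, ADVISORIES)` yields one version-matched finding for 10.0.0.5:80 and one unverified finding for the version-less service on 10.0.0.7:443, which a tester would then confirm by hand.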


Exploitation
The objective of this step is to exploit the vulnerabilities identified in
the previous steps. Testers draw on several databases documenting
known exploits, including any internally identified zero-day exploits,
and attempt to obtain unauthorized access to the systems. Our testers
analyze the previously identified vulnerabilities and develop an attack
strategy. This phase is, of course, intrusive by the nature of the
activities carried out. During it, testers focus on identifying common
security flaws that lead to exploitation, such as:
Remote code execution
Privilege escalation
Buffer overflow
We subject our security solutions to real-world attacks, which is critical
to reducing the threat surface of our products.
DYNAMIC APPLICATION SECURITY TESTING (DAST)
Dynamic application security testing involves testing the application
from the outside in by examining the application in its running
state and attempting to manipulate it in unexpected ways in order
to discover security vulnerabilities. This type of testing identifies
highly exploitable vulnerabilities such as SQL injection and
cross-site scripting. It also finds runtime issues that can't easily
be found by looking at code in its offline state via static analysis,
such as authentication issues, server misconfiguration issues and
vulnerabilities that are only visible when you log in as a known user.
Figure 2 Forcepoint Dynamic Application Security Testing Approach
[Figure: seven steps with the sub-items shown in the diagram.
Step 1 Information Gathering: Entry points; Recon; Error codes
Step 2 Configuration Management: HTTP methods; SSL issues; Infrastructure
Step 3 Authentication: Brute force; Account creation; Forgotten password
Step 4 Session Management: Session fixation; Session variables; CSRF
Step 5 Authorization: Path traversal; User roles; Permissions
Step 6 Business Logic: XSS; SQL injection; Business logic bypass
Step 7 Data Validation: Attack; Exploit; Compromise]

Information Gathering
During this step, the tester is focused on gaining a clear understanding
of how the application functions and how it interacts with the user and
other systems. Various discovery exercises are performed, including web
spidering, user-directed spidering, brute force scanning, etc.
Configuration Management
This step focuses on assessing the infrastructure used in the delivery of
the application (e.g. Tomcat, Apache) as well as any database systems
used to store application data (e.g. Mongo, MySQL) for potential security
vulnerabilities that may reduce the overall integrity of the
application.
Application Testing (e.g. Authentication, Session Management)
The goal of these steps is to identify any application-based
vulnerabilities that could potentially be exploited. These vulnerabilities
are identified using both automated scanning and enumeration tools,
such as IBM AppScan, Burp Suite Professional and OWASP ZAP, as
well as manual review procedures. The application testing step focuses
on the review of the following areas:
Client-side controls.
Authentication and authorization mechanisms (e.g. roles and
permissions).
Session management mechanisms.
Input-based filtering.
Business logic.
Use of third-party libraries (e.g. node.js, Angular.js).
Application interfaces (e.g. REST).
During this phase, testers also focus on identifying common
web application security flaws, including:
SQL injection.
Path traversal.
Cross-site Scripting (XSS).
Cross-site Request Forgery (CSRF).


STATIC APPLICATION SECURITY TESTING (SAST) & SOURCE CODE ANALYSIS (SCA)
Static application security testing involves testing the application from
the inside out by examining its source code, byte code or application
binaries for conditions indicative of a security vulnerability. Our
testers perform manual code reviews and/or use an automated
static analysis tool such as HP Fortify Static Code Analyzer or IBM
Rational AppScan Source Edition. Static application security testing
may lead the tester to perform source-code level analysis, or SCA. This
testing process involves the manual review of uncompiled source
code. During this process, the tester focuses on identifying, tracking
and recommending solutions to resolve technical and logical
security-related flaws in the source code.
SECURE TESTING STRATEGY
The Forcepoint Product Security Team works very closely with the
various teams responsible for the delivery of our products and
services. This includes product engineering, product management,
architecture and design teams as well as quality assurance. At a
minimum, our products and services are rigorously security tested
prior to release. We also subject our products and services to both
internal and external security testing throughout the year, independent
of release: specifically when new common vulnerabilities are identified
(e.g. Heartbleed), when third parties release updated libraries, when
new operating system kernels or drivers are released, or when there is
an overall need to update our threat models.

CONTACT
PSIRT@forcepoint.com

STANDARDS & GUIDANCE
Our testing methodology and procedures are based upon leading
industry standards. These include the following:
OWASP (Open Web Application Security Project).
OSSTMM (The Open Source Security Testing Methodology Manual).
NIST Special Publication 800-42, Guideline on Network Security
Testing.
NIST Special Publication 800-115, Technical Guide to Information
Security Testing and Assessment.
NSA Infrastructure Evaluation Methodology (IEM).
ISSAF (Information Systems Security Assessment Framework).
Holding our products accountable to the most rigorous standards
and tests in the industry is not only a necessity for today's security
challenges, but it's the best approach to developing industry-leading
security products that allow businesses and organizations around the
world to go Forward Without Fear.

ABOUT FORCEPOINT

Forcepoint is a trademark of Forcepoint, LLC. SureView, ThreatSeeker and TRITON are registered trademarks of Forcepoint, LLC. Raytheon is a
registered trademark of Raytheon Company. All other trademarks and registered trademarks are property of their respective owners.
[WHITEPAPER_SECURE_TESTING_METHODOLOGY_EN] 200041.042016

