Chapter 2. Network Security Testing Basics

Security testing is a broad term that means a lot of different things. Often, penetration testing is done remotely, over the network. Not all security testing is penetration testing, though. Sometimes, development teams may want applications tested, including web applications. These web applications may include a number of network services. Sometimes, you may be testing not only networked applications but devices. Both the application and the device may need to be stress-tested to ensure they can handle different types of traffic or even large volumes of traffic.

Understanding how network protocol stacks are defined is essential if you want to perform any sort of network-based security testing. One way of defining protocols, and, more specifically, their interactions, is using the Open Systems Interconnection (OSI) model. Using the OSI model, we can break the communications into different functional elements and see clearly where different pieces of information are added to the network packets as they are being created. Additionally, you can see the interaction from system to system across the functional elements.

Stress testing is not only about generating a lot of traffic and sending it to an application or device. In some cases, you may stress an application or device by sending it data that isn’t expected. Applications, even applications running on limited-use devices (think Internet of Things like thermostats, locks, light switches), ...