Security and Vulnerability Testing How critical it is?

Transcription

1 Security and Vulnerability Testing How critical it is? It begins and ends with your willingness and drive to change the way you perform testing today

2 Security and Vulnerability Testing - Challenges and Focus Areas In today s unified world with people choosing more and more online channels for carrying out transactions, any breaches in security, whether big or small, results in losing customer confidence and eventually revenue. Further, the security attacks have also risen exponentially, both in quality as well as impact potential. The ability of manipulators to crash into different layers of an application has also increased exponentially, making it uneasy to make systems fail-proof. The problem is further compounded by new applications on cloud and on other similar channels becoming active. In such situations, security testing is the only field which helps a company to find where it is vulnerable and take corrective steps to prevent and fix the gaps in security. Today, increasing number of organizations are undertaking security audits and testing measures for ensuring that their important applications are prevented from any breaches. The more elaborate an organization s security testing ways are, the better are its possibilities of succeeding in an even more threatening technology scenario. Security Testing refers to the complete spectrum of testing programs that are intended to ensure flawless and proper application s functioning in a production environment. It focuses on evaluating different elements of security like confidentiality, integrity, vulnerability, authenticity and continuity. By aiming at the various layers of an Information System across database, infrastructure, access channels like cellphone and networks, security testing makes the applications safe and sound and without vulnerabilities. Today s Security Challenges: Use of more and more online channels for carrying out daily transactions, any breaches in security, whether big or small, results in losing customer confidence and eventually revenue. The ability of manipulators to crash into different layers of an application has also increased exponentially, making it uneasy to make systems fail-proof. Advent of cloud and similar channels becoming active, security problem is further compounded. Confidentiality Integrity Authenticity Vulnerability Elements of Security Continuity 2

3 Security and Vulnerability Testing - How it is different? Understanding the real time challenges for the security testing is quite important: Significantly larger search space: A security tester or an automation tool has to comply with a very large test space as compared to a functional tester or functional test automation tool. For a tester it is to being able to automate whatever part he can automate, and doing rest as smartly as possible. Most vulnerability is top-priority: In functional testing, trade-offs in coverage and resources can be possible. But in security testing, however, testers don t have this luxury; any trapdoor has the capability of compromising the application. A vulnerability which is there in the rarely used portion of the application has the potential to cause damage similar to that present in application s log-in page. Need to test not-so prominent parts of the application: In contrast to the functional testing, which is mainly concerned with testing exposed parts of the application interface, a security tester must safeguard itself against various unspecified attacks like: An SQL injection attacks via UI controls (e.g. radio-buttons, textboxes, drop-downs, etc.) A hidden post parameter A GET parameter A cookie value Need to safeguard the application from wilful attack: A security tester must consider all the methods that a user may use and willingly damage the application which is being tested. This leads to a large increase in the number of areas that must be tested in security testing. Standard Software release model is not meant for security testing: In the original software release model, the code to be tested comes with a set of build release notes, which contain the list of feature changes in the current release. The functional testing team carries out some Build Verification Tests (BVTs) before conducting the regression test suite from the previous test pass. This approach cannot work for the security test team. Consider, for example, a real scenario where the application being tested maintained the user profile on the server and utilized the session-id as a key for viewing the user s data. A developer wanted to save an additional round trip, so during his next check-in; he stored the data on the client side. It worked, but also a serious vulnerability was introduced. This change was not shown in build release notes because it didn t involve any feature change. If the security tester was not alert, the vulnerability might have made its way to the release product, to be identified only when a client s private data was compromised. We propose that in an ideal scenario, implementation details impacting the security must be documented as part of release notes, comprising: Form parameters names (hidden or else), cookies etc. being utilized on different pages The role of each of these entities (is this used for a database lookup? Does this get used on other pages?) 3

4 A list of things that have changed since the last release (e.g. Information can get passed utilizing a cookie than a form parameter). The problem here is that the software release procedure has not still matured enough so that these aspects could be documented by default. Until this state of affairs changes, security testers need to look for this information themselves. 6. Difficulty in Security testing automation: It is much more difficult to write tools which automate the testing task of web application security than for conducting application functionality testing. 7. Difficulty in finding testers with correct competencies: Automation tools can only help but not replace the tester of security. Finding the correct set of employees for this role is hence a major challenge. Security testing is an immense complex and difficult to master skill. It involves understanding of implementation details, to be able to see under the hood. Besides this, a security tester must also be bestowed with a number of qualities like working knowledge of many technologies, knowledge of internal implementation details, understanding of internals of web interface, experience with scripting etc. Software Platform (Application Layer) Business Logic (Business Layer) Connectivity, Interoperability (Service Layer) Data Processing and Data Management (Data Layer) Security Testing & Vulnerability Assessment Hosting Infrastructure (On Premise, Cloud, Data Centre) Privacy Management & Policy Implementation Physical Network, Logical Network Operating Systems, Virtual Machines, Native Applications & Services Connectivity Infrastructure & Services Routers, Firewalls, Gateways, IPS / IDS Infrastructure, Software and Data Access Control Policies Implementation and Monitoring Infrastructure, Software and Services 4

5 Security testing Solution: What are the ways and means of it? An all-inclusive security testing framework comprises of validation across all layers of an application. Initiating with analysis and evaluation of the security of application s infrastructure, it goes further covering the database, network and application exposure layers. Whereas application and mobile testing offers to evaluate security at such levels, cloud penetration testing shows the security slits in the shield, when the application is hosted in the cloud. From an automation point of view, security tests can be categorized as follows: Functional Security Tests: These are mostly same as automated acceptance tests but targeted at verifying that security features like logout and authentication work properly. They can be automated using tools like Selenium/Web driver. Specific non-functional tests against known weaknesses: These include testing known weaknesses and mis-configurations like absence of HTTP Only flag on session cookies, or usage of known weak SSL ciphers and suites. Security scanning of the application and infrastructure: Even manually driven penetration tests start with an automated scan utilizing vulnerability scanning tools such as Nessus, OWASP ZAP and Burp. Nessus is mainly an infrastructure scanner and it tests an IP address and all exposed ports for known weaknesses. Burp Intruder and OWASP ZAP are aimed at web tier and are true application scanners, in which they inspect and test at the HTTP layer by injection of attacked data into parameters and knowing the application s response. Security testing application logic: Automated tools can only go that far in finding security flaws. To find flaws in the application s logic requires a human brain. A human security tester might try tests like: Can I manipulate the HTTP request to bid on an item which has ended? Or Can I manipulate the HTTP request to bid with a high amount, and ultimately modifying the amount to a lesser amount just prior to auction ending? These require ingenuity and experience to discover, but once the attack is defined, they also can be recorded as automated tests and become part of security regression tests. Vulnerability assessment makes an essential component of security testing. Via this, the company can evaluate their application code for vulnerabilities and uptake remedial measures for the same. Recently, most of the software development companies have been utilizing secure software development life cycle procedures to ensure realization and rectification of vulnerability areas prior in the application development process. Various vulnerability assessment phases are: Planning: collecting information required for assessment execution and developing the assessment approach Execution: finding vulnerabilities and validating them when apt. 5

6 Post-Execution: analyse found vulnerabilities to find root causes, build mitigation recommendations and establishing a final report. Several established methodologies for carrying out various types of security assessments are: 1. Review Techniques: these are examination techniques which are commonly conducted manually. These comprise evaluating systems, policies, applications, procedures to find vulnerabilities. The techniques include: Documentation review Log review Rule-set and system configuration review Network sniffing File integrity checking 2. Target identification and analysis techniques: these are testing techniques, commonly performed utilizing automated tools. These identify systems, services, ports, and potential vulnerabilities. These techniques include: Network discovery Network port and service identification Vulnerability scanning Wireless scanning Application security examination 3. Target Vulnerability Validation Techniques: These are testing techniques that validate the existence of vulnerabilities. These may be performed manually or with automated tools. These techniques include: Penetration testing Password cracking Social engineering Application security testing No-one technique can offer the full picture of security of a system or network. Companies should combine appropriate techniques as there are multiple ways to meet an assessment requirement. 6

7 Vulnerability Assessment Life Cycle Process Exploit Simulation Result Analysis Attack Simulation Probing Information Gathering Planning In case of technical security assessment for applications, one may be overwhelmed by the number of assessment options. Some of them are: Runtime vulnerability assessment - Runtime assessments are of three varieties: manual, automated and combined. Automated assessments are mostly broader and faster as compared to manual assessments, but mostly miss obscure vulnerabilities and cannot find business logic flaws. Major application security shops go for a combined approach. Source code review - Source code review enables assessors to identify vulnerabilities but require security expertise and knowledge of deep language. Similar to runtime vulnerability assessments, these reviews can also be automated, manual or combined. Threat modelling techniques - these gauge pertinent, theoretical application threats from perspective of design. Threat modelling mostly precedes source-code review or/and run time vulnerability assessments. 7

8 Selection of the right mix for assessment types is difficult. Mostly companies face this difficulty, and there are number of ways for finding the right application assessment procedure like the Big Bang approach, the Steam roller way, the application triaging approach etc. How TechArcis can help you? Due to high competition, evolution of new technologies and emergence of cloud, conventional methodologies lag behind in maintaining the quality requirements resulting in lesser efficiency and higher costs. We, at TechArcis, offer customized Testing services and Quality Assurance along with solutions for various industries and disruptive technologies. TechArcis offers security testing that helps determine if the data is secure and protected. Our solution helps identify and fix product vulnerabilities, and enables you to deliver robust and secure applications, and enhance end-customer confidence. Stay Connected Join Our Mailing List TechArcis Solutions, Inc. Quality Assurance l Testing Transformation l Outsourcing