Security and Vulnerability Testing: How critical is it?


It begins and ends with your willingness and drive to change the way you perform testing today.

Security and Vulnerability Testing - Challenges and Focus Areas

In today's connected world, with people choosing more and more online channels for carrying out transactions, any breach in security, whether big or small, results in lost customer confidence and eventually lost revenue. Security attacks have also risen exponentially, both in sophistication and in impact potential. The ability of attackers to break into the different layers of an application has increased just as sharply, making it hard to make systems fail-proof. The problem is further compounded as new applications on the cloud and on similar channels become active. In this situation, security testing is the discipline that helps a company find where it is vulnerable and take corrective steps to prevent and fix the gaps in its security. Today an increasing number of organizations undertake security audits and testing to ensure that their important applications are protected from breaches. The more thorough an organization's security testing practices are, the better its chances of succeeding in an ever more threatening technology landscape.

Security testing refers to the complete spectrum of testing programs intended to ensure that an application functions flawlessly and properly in a production environment. It focuses on evaluating the different elements of security: confidentiality, integrity, vulnerability, authenticity and continuity. By targeting the various layers of an information system (database, infrastructure, and access channels such as mobile phones and networks), security testing makes applications safe, sound and free of vulnerabilities.

Today's security challenges:
- Use of more and more online channels for daily transactions: any breach in security, whether big or small, results in lost customer confidence and eventually lost revenue.
- The ability of attackers to break into different layers of an application has increased exponentially, making it hard to make systems fail-proof.
- With the advent of the cloud and similar channels, the security problem is further compounded.

[Figure: Elements of Security - Confidentiality, Integrity, Authenticity, Vulnerability, Continuity]

Security and Vulnerability Testing - How is it different?

Understanding the real-world challenges of security testing is quite important:

1. Significantly larger search space: A security tester or an automation tool has to cover a very large test space compared to a functional tester or a functional test automation tool. The tester's task is to automate whatever part can be automated and to do the rest as smartly as possible.

2. Most vulnerabilities are top priority: In functional testing, trade-offs in coverage and resources are possible. In security testing, testers do not have this luxury; any trapdoor can compromise the application. A vulnerability in a rarely used part of the application has the potential to cause damage similar to one on the application's log-in page.

3. Need to test the less prominent parts of the application: In contrast to functional testing, which is mainly concerned with the exposed parts of the application interface, a security tester must guard the application against various unspecified attacks, such as:
   - An SQL injection attack via UI controls (e.g. radio buttons, text boxes, drop-downs, etc.)
   - A hidden POST parameter
   - A GET parameter
   - A cookie value

4. Need to safeguard the application from wilful attack: A security tester must consider all the methods a user may use to wilfully damage the application under test. This leads to a large increase in the number of areas that must be tested.

5. The standard software release model is not meant for security testing: In the usual software release model, the code to be tested comes with a set of build release notes listing the feature changes in the current release. The functional testing team carries out Build Verification Tests (BVTs) before running the regression test suite from the previous test pass. This approach cannot work for the security test team.

   Consider, for example, a real scenario where the application under test maintained the user profile on the server and used the session id as the key for looking up the user's data. A developer wanted to save an additional round trip, so in his next check-in he stored the data on the client side. It worked, but it also introduced a serious vulnerability. This change did not appear in the build release notes because it did not involve any feature change. Had the security tester not been alert, the vulnerability might have made its way into the released product, to be identified only when a client's private data was compromised.

   We propose that, ideally, implementation details that affect security be documented as part of the release notes, comprising:
   - The names of form parameters (hidden or otherwise), cookies, etc. used on the different pages
   - The role of each of these entities (is it used for a database lookup? Is it used on other pages?)
   - A list of things that have changed since the last release (e.g. information now passed in a cookie rather than in a form parameter)

   The problem is that the software release procedure has not yet matured enough for these aspects to be documented by default. Until this state of affairs changes, security testers need to dig out this information themselves.

6. Difficulty in automating security testing: It is much more difficult to write tools that automate the testing of web application security than tools that test application functionality.

7. Difficulty in finding testers with the right competencies: Automation tools can only assist, not replace, the security tester. Finding the right people for this role is therefore a major challenge. Security testing is an immensely complex skill that is difficult to master. It requires an understanding of implementation details, to be able to see under the hood. Beyond this, a security tester must also have a number of qualities, such as working knowledge of many technologies, knowledge of internal implementation details, an understanding of the internals of web interfaces, experience with scripting, etc.

[Figure: Security Testing & Vulnerability Assessment across layers - Software Platform (Application Layer); Business Logic (Business Layer); Connectivity, Interoperability (Service Layer); Data Processing and Data Management (Data Layer); Hosting Infrastructure (On Premise, Cloud, Data Centre); Privacy Management & Policy Implementation; Physical Network, Logical Network; Operating Systems, Virtual Machines, Native Applications & Services; Connectivity Infrastructure & Services; Routers, Firewalls, Gateways, IPS / IDS; Infrastructure, Software and Data Access Control Policies; Implementation and Monitoring of Infrastructure, Software and Services]
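The release-notes scenario in point 5 above, as an added example that is not part of the original paper: a security regression test, written in Python, that logs in as an ordinary user, rewrites the cookies the client controls, and reports whether the server believes the rewritten profile. The class names (ServerSideProfiles, ClientSideProfiles, SignedClientProfiles, Request), the sample profile and the signing key are all constructed for this example. The server-keyed store ignores the tampering, the client-held store accepts it, and a signed-cookie variant shows one way client-held state can be kept if a round trip really must be saved.

```python
"""Added example (not from the TechArcis paper): a regression test for the
'profile moved to the client side' change.  Names and sample data are
constructed for the example."""

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request; only cookies matter here."""
    cookies: dict = field(default_factory=dict)


class ServerSideProfiles:
    """Original design: the session id is an opaque key into server-held state.
    The client can only present a session id, never the profile itself."""

    def __init__(self):
        self._sessions = {}  # session_id -> profile dict

    def login(self, profile):
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = dict(profile)
        return {"session": session_id}

    def profile_for(self, request):
        # Unknown or altered session ids simply resolve to nothing.
        return self._sessions.get(request.cookies.get("session"))


class ClientSideProfiles:
    """The 'saves a round trip' change: the profile itself travels in a cookie.
    Nothing binds it to the server, so the client can rewrite any field."""

    def login(self, profile):
        return {"profile": json.dumps(profile)}

    def profile_for(self, request):
        raw = request.cookies.get("profile")
        return json.loads(raw) if raw else None


class SignedClientProfiles:
    """Hardened client-side variant: the profile still travels in a cookie but
    carries an HMAC under a server-only key, so edits are detected.
    The key here is constructed for the example; a real one comes from a secret store."""

    def __init__(self, key=b"example-only-server-key"):
        self._key = key

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, profile):
        payload = json.dumps(profile, sort_keys=True)
        return {"profile": payload, "sig": self._sign(payload)}

    def profile_for(self, request):
        payload = request.cookies.get("profile")
        sig = request.cookies.get("sig")
        if not payload or not sig:
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None  # tampered or forged cookie
        return json.loads(payload)


def tampered_profile_accepted(store):
    """Regression check: log in as a plain user, rewrite the client-held cookies
    to claim an admin role, and report whether the server believes them.
    Returns True when the store is vulnerable."""
    cookies = store.login({"user": "alice", "role": "user"})
    forged = dict(cookies)
    if "profile" in forged:
        # Client-held state: edit the field directly.
        data = json.loads(forged["profile"])
        data["role"] = "admin"
        forged["profile"] = json.dumps(data)
    else:
        # Server-held state: the only thing the client can change is the opaque id.
        forged["session"] = "A" * len(forged["session"])
    result = store.profile_for(Request(cookies=forged))
    return bool(result) and result.get("role") == "admin"


if __name__ == "__main__":
    for store in (ServerSideProfiles(), ClientSideProfiles(), SignedClientProfiles()):
        print(type(store).__name__, "vulnerable:", tampered_profile_accepted(store))
```

Because the test exercises behaviour rather than a listed feature, it catches the change even when the release notes are silent about it, which is the point the paper makes about build notes.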

Security Testing Solution: What are the ways and means?

An all-inclusive security testing framework comprises validation across all layers of an application. Beginning with analysis and evaluation of the security of the application's infrastructure, it goes on to cover the database, network and application exposure layers. Whereas application and mobile testing evaluate security at those levels, cloud penetration testing reveals the gaps in the shield when the application is hosted in the cloud.

From an automation point of view, security tests can be categorized as follows:

1. Functional security tests: These are much the same as automated acceptance tests but are targeted at verifying that security features such as logout and authentication work properly. They can be automated with tools like Selenium/WebDriver.

2. Specific non-functional tests against known weaknesses: These test for known weaknesses and misconfigurations, such as the absence of the HttpOnly flag on session cookies or the use of known weak SSL ciphers and suites.

3. Security scanning of the application and infrastructure: Even manually driven penetration tests start with an automated scan using vulnerability scanning tools such as Nessus, OWASP ZAP and Burp. Nessus is mainly an infrastructure scanner: it tests an IP address and all exposed ports for known weaknesses. Burp Intruder and OWASP ZAP are aimed at the web tier and are true application scanners, in that they inspect and test at the HTTP layer by injecting attack data into parameters and examining the application's response.

4. Security testing of application logic: Automated tools can only go so far in finding security flaws. Finding flaws in the application's logic requires a human brain. A human security tester might try tests like: "Can I manipulate the HTTP request to bid on an item whose auction has ended?" or "Can I manipulate the HTTP request to bid a high amount and then lower the amount just before the auction ends?" These require ingenuity and experience to discover, but once the attack is defined they can be recorded as automated tests and become part of the security regression suite.

Vulnerability assessment is an essential component of security testing. Through it, a company can evaluate its application code for vulnerabilities and take remedial measures. Recently, most software development companies have adopted secure software development life cycle procedures to ensure that vulnerable areas are identified and rectified early in the application development process. The vulnerability assessment phases are:

- Planning: collecting the information required to execute the assessment and developing the assessment approach.
- Execution: finding vulnerabilities and validating them where appropriate.
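Two of the automated tests described above, as an added example that is not part of the original paper: check_session_cookie is a category-2 test for a known weakness (a session cookie set without HttpOnly or Secure), and Auction with its two test functions records the category-4 business-logic attacks (bidding after the auction ends, lowering a bid) as repeatable regression tests once a human tester has defined them. The function and class names, the session cookie names, the timestamps and the sample Set-Cookie headers are all constructed for this example; the cookie check takes raw Set-Cookie header values as a test client would receive them.

```python
"""Added example (not from the TechArcis paper): two security regression tests,
a known-weakness check on session cookies and server-side auction logic checks.
All names, timestamps and header samples are constructed."""

from datetime import datetime, timedelta, timezone

# Cookie names treated as session cookies (constructed list for the example).
SESSION_COOKIE_NAMES = ("JSESSIONID", "PHPSESSID", "session")


def check_session_cookie(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return findings for session cookies that lack HttpOnly or Secure.
    An empty list means the check passed; non-session cookies are ignored."""
    findings = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        if name not in session_names:
            continue
        # Attribute names are case-insensitive; values (Path=/, SameSite=Lax) are dropped.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
    return findings


class BidRejected(Exception):
    pass


class Auction:
    """Server-side bid handling with the two checks the manual tester probes:
    the auction must still be open, and a bid may only raise the standing price."""

    def __init__(self, ends_at, start_price):
        self.ends_at = ends_at
        self.high_bid = start_price
        self.high_bidder = None

    def place_bid(self, bidder, amount, now):
        # The deadline is enforced on the server clock, never a client-supplied one.
        if now >= self.ends_at:
            raise BidRejected("auction has ended")
        # 'Modifying' a bid downwards is just a lower bid: reject it.
        if amount <= self.high_bid:
            raise BidRejected("bid must exceed the current high bid")
        self.high_bid = amount
        self.high_bidder = bidder


T0 = datetime(2015, 6, 15, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def bid_after_end_rejected():
    """Regression test for 'bid on an item whose auction has ended'."""
    auction = Auction(ends_at=T0 + timedelta(hours=1), start_price=100)
    auction.place_bid("alice", 120, now=T0)
    try:
        auction.place_bid("mallory", 500, now=T0 + timedelta(hours=2))
    except BidRejected:
        return auction.high_bidder == "alice" and auction.high_bid == 120
    return False


def lowering_bid_rejected():
    """Regression test for 'bid high, then lower the amount just before the end'."""
    auction = Auction(ends_at=T0 + timedelta(hours=1), start_price=100)
    auction.place_bid("mallory", 900, now=T0)
    try:
        auction.place_bid("mallory", 101, now=T0 + timedelta(minutes=59))
    except BidRejected:
        return auction.high_bid == 900
    return False


if __name__ == "__main__":
    print(check_session_cookie(["JSESSIONID=abc123; Path=/"]))  # constructed header
    print("bid after end rejected:", bid_after_end_rejected())
    print("lowering bid rejected:", lowering_bid_rejected())
```

In a real suite the cookie check would be fed the headers from a login response captured by the functional tests in category 1, so both categories share one test client.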

- Post-execution: analysing the vulnerabilities found to identify root causes, building mitigation recommendations and producing a final report.

Several established methodologies for carrying out the various types of security assessment are:

1. Review techniques: These are examination techniques, commonly conducted manually, that evaluate systems, policies, applications and procedures to find vulnerabilities. The techniques include:
   - Documentation review
   - Log review
   - Rule-set and system configuration review
   - Network sniffing
   - File integrity checking

2. Target identification and analysis techniques: These are testing techniques, commonly performed with automated tools, that identify systems, services, ports and potential vulnerabilities. The techniques include:
   - Network discovery
   - Network port and service identification
   - Vulnerability scanning
   - Wireless scanning
   - Application security examination

3. Target vulnerability validation techniques: These are testing techniques that validate the existence of vulnerabilities. They may be performed manually or with automated tools. The techniques include:
   - Penetration testing
   - Password cracking
   - Social engineering
   - Application security testing

No single technique can offer the full picture of the security of a system or network. Companies should combine appropriate techniques, as there are multiple ways to meet an assessment requirement.
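File integrity checking, the last of the review techniques listed above, as an added example that is not part of the original paper: a baseline of SHA-256 digests is taken for every file under a directory, and a later run is compared against it to report files that were modified, added or removed. The function names and the small configuration tree built inside demo() are constructed for this example; a real deployment would store the baseline somewhere the monitored host cannot alter it.

```python
"""Added example (not from the TechArcis paper): a minimal file integrity check.
Function names and the sample files are constructed for the example."""

import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare(baseline, current):
    """Return sorted lists of modified, added and removed paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a small config tree, then change it the way
    an unreviewed check-in might, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("debug = false\n")
        with open(os.path.join(etc, "users.txt"), "w") as f:
            f.write("alice\n")
        baseline = take_baseline(root)

        # Changes made after the baseline was recorded.
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("debug = true\n")               # modified
        with open(os.path.join(etc, "cron.job"), "w") as f:
            f.write("0 3 * * * nightly-backup\n")   # added
        os.remove(os.path.join(etc, "users.txt"))   # removed

        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is the review step: each reported path is something a reviewer must trace back to an approved change, which is exactly the gap the release-notes discussion earlier in the paper describes.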

[Figure: Vulnerability Assessment Life Cycle Process - Planning, Information Gathering, Probing, Attack Simulation, Exploit Simulation, Result Analysis]

In the case of technical security assessment of applications, one may be overwhelmed by the number of assessment options. Some of them are:

Runtime vulnerability assessment - Runtime assessments come in three varieties: manual, automated and combined. Automated assessments are generally broader and faster than manual assessments, but they tend to miss obscure vulnerabilities and cannot find business logic flaws. Leading application security shops go for a combined approach.

Source code review - Source code review enables assessors to identify vulnerabilities, but it requires security expertise and deep knowledge of the language. As with runtime vulnerability assessments, these reviews can be automated, manual or combined.

Threat modelling techniques - These gauge pertinent, theoretical application threats from the design perspective. Threat modelling usually precedes source code review and/or runtime vulnerability assessments.

Selecting the right mix of assessment types is difficult. Most companies face this difficulty, and there are a number of ways to find the right application assessment procedure, such as the Big Bang approach, the Steamroller approach and the application triaging approach.

How TechArcis can help you

Due to intense competition, the evolution of new technologies and the emergence of the cloud, conventional methodologies lag behind in maintaining quality requirements, resulting in lower efficiency and higher costs. We at TechArcis offer customized testing and quality assurance services, along with solutions for various industries and disruptive technologies. TechArcis offers security testing that helps determine whether your data is secure and protected. Our solution helps identify and fix product vulnerabilities, enables you to deliver robust and secure applications, and enhances end-customer confidence.

Stay Connected: Join Our Mailing List. www.techarcis.com
TechArcis Solutions, Inc. Quality Assurance | Testing Transformation | Outsourcing