The Roles of Software Testing & QA in Security Testing

Hung Q. Nguyen, LogiGear, President and CEO
Bob Johnson, Independent Security Consultant

ASQ-SSQA Presentation, May 14, 2002
Objective

To jump start your security testing program for Web sites and Web applications by offering:
  An overview of testing for Web site and Web application security
  A perspective on the roles and responsibilities of software testing and QA in the security testing effort
  A forum for other professionals to share their thoughts on this topic
Security Overview: Whom are we protecting?

  Ourselves
  The people with whom we are doing business
or
  The owners of computer systems
  The users of those systems
Security Overview: What are we protecting?

  Data: transaction data, user data, information resources, confidential business intelligence, etc.
  Intellectual property: products, source code, software, hardware, etc.
  Resources: network resources, computing resources, etc.
Security Overview: Who are the attackers?

  Black-hat hackers
  White-hat hackers
  Gray-hat hackers
Security Overview: Why do attackers hack computer systems?

  To steal
  To disrupt activities by putting the system out of commission
  To embarrass by altering the behavior of the system
  To play a game
Security Overview: The goals

Security effort is an ongoing process of change, test, and improvement. Because it is impossible to have a perfectly secure system, the goal is to figure out the level of protection that is secure enough for an organization's needs.

"Good enough," as narrowly defined, means that the security solutions will cost significantly less than the damage caused by a security breach. At the same time, the ideal solutions are ones that deter persistent intruders by making penetrating the system so difficult and time-consuming that the reward is not worthwhile even when their efforts succeed.
Security Overview: What are the possible damages?

Most damages, though not all, are financial losses, including:
  Sales losses
  Property losses
  Productivity losses
  Litigation costs
  Publicity costs
Security Overview: The big questions

  What risks are we willing to take in enduring the possible damages?
  How much funding are we willing to commit to minimize our risks?
  What is the objective and budget allocated for testing Web site and Web application security?
Security Overview: What are the targets that need security protection?

  Data
  Host
  Network/Intranet
  Perimeter, with additional focus on the Internet
  Application
Common Vulnerabilities: Interesting to software testing

  Information leaks
    Examples include sensitive information in HTML pages, error messages, and public databases and forums.
  Back doors
    For example, enabling a logging routine that bypasses authentication, or untested debugging routines left in production releases.
  Buffer overflows
    Errors might exist in production code, test and debugging code, or third-party code.
Common Vulnerabilities: Interesting to software testing

  Cookies
    Examples include a cookie containing an ID and password, account number, credit card number or other sensitive information. By changing the values, or "poisoning" the cookie, attackers can get access to accounts that are not theirs or to unauthorized information. Stealing the cookie altogether might allow attackers to gain access without having to enter an ID and password or pass any other method of authentication.
  Bad data
    Incoming data can't be trusted.
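As an added illustration of the cookie point (not code from the presentation), the weak pattern of carrying the account number in the cookie is shown beside a hardened version that stores only an opaque session id with an HMAC tag, so a changed value is detected server-side; SERVER_SECRET and the cookie names are assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Assumed server-side secret; in practice loaded from protected configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Weak pattern from the slide: the cookie itself carries the account number,
# so changing ("poisoning") the value selects another user's account.
def insecure_cookie(account_number: str) -> str:
    return f"account={account_number}"

def insecure_lookup(cookie: str) -> str:
    # Trusts whatever value the client sends back.
    return cookie.split("=", 1)[1]

# Hardened pattern: the cookie holds only a random session id plus an HMAC tag.
# The server maps the session id to the account in its own store, so the
# account number never leaves the server and cannot be edited by the client.
SESSION_STORE = {}

def issue_session(account_number: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSION_STORE[sid] = account_number
    tag = hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return f"session={sid}.{tag}"

def resolve_session(cookie: str):
    """Return the account bound to a valid cookie, or None if malformed/tampered."""
    try:
        sid, tag = cookie.split("=", 1)[1].split(".", 1)
    except (ValueError, IndexError):
        return None
    expected = hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tag does not match: forged or edited cookie
    # Note: a stolen but unmodified cookie still resolves, which is why the
    # slide's second point (cookie theft) needs expiry and transport protection.
    return SESSION_STORE.get(sid)
```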
Common Vulnerabilities: Interesting to software testing

  JavaScript
  CGI
    For example, client-side checking can be bypassed.
  Cross-site scripting issues
    For example, manipulating parameters to instruct a CGI to email an ID and password file to any user.
  Java
    How safe?
  ActiveX
    Can make function calls to other DLLs?
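The "client-side checking can be bypassed" point, as an added example that is not part of the presentation: a CGI handler re-validates every form parameter on the server and encodes free text before reflecting it, so a request sent without the page's JavaScript is still held to the same rules. The field names (qty, recipient, note) and the validation rules are assumptions of this example.

```python
import html
import re
from urllib.parse import parse_qs

# Rules assumed to be enforced by the form's client-side JavaScript. The server
# re-checks each of them, because a request can be sent without running it.
QUANTITY_RE = re.compile(r"[1-9][0-9]{0,2}")                          # 1..999
RECIPIENT_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
NOTE_MAX_LEN = 200

def validate_order(query_string: str) -> dict:
    """Validate raw CGI parameters. Returns {'ok', 'errors', 'values'}."""
    params = parse_qs(query_string, keep_blank_values=True)
    errors, values = [], {}
    qty = params.get("qty", [""])[0]
    if QUANTITY_RE.fullmatch(qty):
        values["qty"] = int(qty)
    else:
        errors.append("qty must be an integer from 1 to 999")
    # A recipient that is not a single plain address (for instance one that
    # carries a newline or a file path) is rejected before any mail is sent.
    rcpt = params.get("recipient", [""])[0]
    if RECIPIENT_RE.fullmatch(rcpt):
        values["recipient"] = rcpt
    else:
        errors.append("recipient must be a single e-mail address")
    note = params.get("note", [""])[0]
    if len(note) <= NOTE_MAX_LEN:
        values["note"] = note   # free text: kept as data, encoded on output
    else:
        errors.append(f"note longer than {NOTE_MAX_LEN} characters")
    return {"ok": not errors, "errors": errors, "values": values}

def render_confirmation(values: dict) -> str:
    """Reflect validated values into HTML; encode free text so it cannot add markup."""
    return (f"<p>Sending {values['qty']} item(s) to {html.escape(values['recipient'])}."
            f" Note: {html.escape(values['note'])}</p>")
```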
Common Vulnerabilities: Mildly interesting to software testing

  Physical attacks
  Denial-of-service attacks
  Spoofing attacks
  Virus and worm attacks
  Trojan horse attacks

For more information: www.qacity.com
Sample tool list: www.insecure.org
Testing and QA Focus

  Testing for Web site and Web application security at the application level
  Testing for vulnerabilities and information leaks due primarily to programming practice and, to a certain extent, to misconfiguration of Web servers and other application-specific servers
  Testing for security side effects
  Testing for functionality side effects
Testing and QA Focus: What can we learn from the attacking process?

  Information gathering?
  Checking out the system?
  Cracking the system?

What are our objectives?
  Prevention: help seek out vulnerabilities and the various means to exploit them so they can be fixed.
  Detection: help determine the information that should be logged and the mechanisms to track, alert on and trap suspicious activities.
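To make the detection objective concrete, here is an added example (not from the presentation) that runs two simple checks over constructed Web server access log lines: access to debugging paths that should not exist in production (the back doors from the earlier slide) and repeated failed logins from one address followed by a success. The log lines, DEBUG_PATHS and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of combined-format access log lines (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2002:10:01:01 -0700] "POST /login.cgi HTTP/1.0" 401 312
10.0.0.5 - - [14/May/2002:10:01:03 -0700] "POST /login.cgi HTTP/1.0" 401 312
10.0.0.5 - - [14/May/2002:10:01:04 -0700] "POST /login.cgi HTTP/1.0" 401 312
10.0.0.5 - - [14/May/2002:10:01:09 -0700] "POST /login.cgi HTTP/1.0" 200 1834
10.0.0.9 - - [14/May/2002:10:02:11 -0700] "GET /debug/dump.cgi HTTP/1.0" 200 9120
10.0.0.7 - - [14/May/2002:10:03:30 -0700] "GET /index.html HTTP/1.0" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# Assumed list of debugging/back-door paths that must never be reachable in production.
DEBUG_PATHS = ("/debug/", "/test/", "/admin/trace")
FAILED_LOGIN_THRESHOLD = 3

def analyze(log_text: str) -> list:
    """Return alert strings for debug-path access and repeated failed logins."""
    alerts = []
    failures = Counter()          # failed login attempts per client address
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            alerts.append(f"unparsed line: {line!r}")
            continue
        ip, ts, method, path, status = m.groups()
        if any(path.startswith(p) for p in DEBUG_PATHS):
            alerts.append(f"{ts} {ip} reached debug path {path} (status {status})")
        if path.startswith("/login"):
            if status == "401":
                failures[ip] += 1
                if failures[ip] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(f"{ts} {ip}: {FAILED_LOGIN_THRESHOLD} failed logins")
            elif status == "200" and failures[ip] >= FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{ts} {ip}: login succeeded after {failures[ip]} failures")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```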
Testing and QA Focus: What can we learn from the physical world and the digital world?

In the physical universe, redundancy such as having additional locks, a security guard sitting by the door, or a badge reader can increase security.

In the digital universe, redundancy increases complexity and might create additional vulnerabilities. Often, small utility programs surrounded by many layers of protection provide the security holes that compromise the entire system.
Testing Web Site/Application Security

  Testing the requirements and designs
  Testing the code and programming practices
  Testing interoperability with third-party components, with specific focus on known vulnerabilities
  Testing for misconfiguration
  Testing the deployment
  Penetration testing
The Challenges We Face

  Outlining a clear division of responsibilities with the IT and software development staff in testing for security
  Getting adequate resources and support to carry out the testing tasks
  Keeping up with new technologies and the vulnerabilities they bring
  Developing and maintaining, on an ongoing basis, a knowledge base of common test techniques for sharing
  Keeping up with the available tools and their applicability and usefulness in supporting software security testing
More Information for Testers
Software Testing and QA Roles: Open discussion

  Are we focusing on the right tasks?
  Should we do more? Should we do less?
  Any testing techniques you would like to share?
  Any other thoughts you would like to share?
About LogiGear Corporation

LogiGear Corporation is the first Silicon Valley-based software testing company to offer a full range of solutions to advance individual and organizational excellence in software testing. LogiGear offerings include in-depth technical and management expertise in software quality engineering; comprehensive advanced test engineering such as Action Based Testing, a structured approach to testing and test automation; outsourced testing solutions; a skill-based training curriculum for software testing professionals through LogiGear University; and world-class testing support products including TRACKGEAR, a Web-based defect management solution.

www.logigear.com