SECURITY TESTING WHITE PAPER




Contents:
- Introduction
- The Need for Security Testing
- Security Scorecards
- Test Approach
- Framework
- Project Initiation Process
- Conclusion
- Our Expertise
- Appendix

Introduction

Applications and networks that are exposed to the outside world almost always carry security flaws, which can cause severe damage to companies and the loss of important data. Application and product security is often tied to business-critical information, which demands a high level of protection. Yet with ever shorter timelines for delivering applications and products, thorough security audits and assessments are frequently omitted. Such security flaws can expose an organization to legal liability and, in some cases, can even endanger lives. Security testing and auditing, with proper analysis, is necessary and critical to eliminating most software flaws. This paper outlines a framework created by the ZENQ team for how security testing is carried out, establishing a strategy and approach that follows industry standards.

The Need for Security Testing

Implementing information security measures is becoming more difficult because of the huge number of possible threats connected to the use of the Internet. The table below describes the percentage of vulnerabilities across different industries, together with the average number of days taken to fix the issues.

Figure 1: The current state of web site security, sorted by industry

Security Scorecards

MOST COMMON VULNERABILITIES

The figure below depicts the most prevalent vulnerability classes, calculated as the percentage of websites in which at least one instance of each class was found.

When information security measures are implemented, the application should be tested for external intrusion issues using methods such as:
- Cross-site scripting (XSS)
- Failure to restrict URL access
- Insecure direct object reference
- Cross-site request forgery
- Direct SQL code injection in the web page
- SQL injection in the site address (URL SQL injection)
- Password cracking using decryption systems
- Guessing the web site session ID (session prediction)
- Buffer overflow

In general there are four basic security requirements that need to be addressed:
- Confidentiality: Unauthorized users are restricted from viewing sensitive information.
- Integrity: Only authorized users or processes are permitted to modify data.
- Availability: Availability is a requirement that is often neglected when thinking about security. However, the productivity of users decreases dramatically if network-based applications are unavailable or too slow because of denial-of-service attacks. If, for example, a web-based e-learning system is slow, users not only need more time to do their work but also become frustrated, increasing the negative effect on productivity.
- Non-Repudiation: Users are unable to deny having carried out operations. For instance, whenever the grades of students are changed, it must be possible to reliably trace who performed the modification.

To overcome these attacks, early and frequent security analysis is needed. At ZENQ we perform comprehensive tests, using our specially designed test approach, to make sure that the confidentiality, integrity and availability of the application are protected against security breaches.
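The non-repudiation requirement above is illustrated with grade changes that must be traceable to whoever made them. The following is an added example (not part of the paper and not ZENQ's code) of a tamper-evident audit trail: every change to a grade is recorded together with the authenticated actor, and the entries are chained with SHA-256 so that a later edit of the stored history is detected. The grade book, the student identifiers and the actors are constructed for illustration; an application would populate the actor field from its authenticated session.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass
class AuditEntry:
    seq: int
    actor: str        # authenticated user who performed the change
    action: str
    asset: str
    before: object
    after: object
    prev_hash: str    # hash of the previous entry, or the genesis value
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash covers every field except the hash itself, in a canonical encoding,
        # so any change to a recorded entry changes its hash.
        payload = json.dumps(
            {"seq": self.seq, "actor": self.actor, "action": self.action,
             "asset": self.asset, "before": self.before, "after": self.after,
             "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained log; verify() fails if any entry was altered or reordered."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, actor, action, asset, before, after):
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = AuditEntry(len(self.entries), actor, action, asset, before, after, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_hash != prev:
                return False
            if entry.compute_hash() != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True

    def who_changed(self, asset):
        """Trace every modification of one asset back to the actor who made it."""
        return [(e.seq, e.actor, e.before, e.after)
                for e in self.entries if e.asset == asset]


class GradeBook:
    """Constructed grade store: refuses writes without an actor and logs every change."""

    def __init__(self, log):
        self.grades = {}
        self.log = log

    def set_grade(self, actor, student, grade):
        if not actor:
            raise PermissionError("grade changes require an authenticated actor")
        before = self.grades.get(student)
        self.grades[student] = grade
        self.log.record(actor, "set_grade", f"grade:{student}", before, grade)


def demo():
    log = AuditLog()
    book = GradeBook(log)
    book.set_grade("prof_lee", "s1001", "B")   # constructed actors and student id
    book.set_grade("ta_kim", "s1001", "A")
    intact = log.verify()
    trail = log.who_changed("grade:s1001")
    # Simulate an after-the-fact edit of the first stored record.
    log.entries[0].after = "A"
    tampered_detected = not log.verify()
    return intact, trail, tampered_detected


if __name__ == "__main__":
    print(demo())
```

The chain only makes tampering detectable; it does not by itself stop an administrator with write access to the store from rewriting the whole log, so in practice the entries (or periodic chain heads) are shipped to a separate, write-once destination.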

Test Approach

To combat security threats in applications, security testing has to be conducted so that appropriate measures can be taken to eliminate vulnerabilities before they are exploited. The security testing specialists at ZenQ have come up with a structured approach for security testing. Our approach is based on industry-wide standards, best practices and methodologies such as OWASP, WASC, SANS and NIST. Figure 1.1 below shows the security testing methodology we follow to minimize the risk of a security breach and improve the security posture of the applications under test (AUT); the phases are briefly described subsequently.

Figure 1.1: Process Flow

Phase 1: Threat Modelling

The initial phase of penetration testing is threat modelling of the web/mobile application, i.e. identifying the threats, attacks, vulnerabilities and countermeasures that could affect it. The process is two-fold:

Define Scope: We begin by gathering information about the critical assets and target applications from the client's expectations document, then conduct further evaluation to define the scope of the testing effort: the important assets and functionalities and their relative values, the areas of concern for those assets, and known vulnerabilities, if any.

Threat Profiles: The next step is to list all possible threats to the application. We also determine the possible goals of an adversary attacking the application, which in turn helps identify the vulnerabilities that would allow those goals to be realized. The identified threats are classified using the STRIDE model and a threat profile is created. The threat profile includes the following attributes:
- Asset: Critical functionality/feature of the application under test
- Actor: Who or what may violate security requirements such as confidentiality, integrity and availability of an asset
- Motive (optional): Indication of whether the actor's intentions are deliberate or accidental
- Access control: How the asset (functionality/feature) will be accessed by the actor
- Outcome: Immediate result of violating the security requirements of an asset, i.e. disclosure, modification, destruction, loss, interruption etc.

Phase 2: Test Plan

Once the threat model is reviewed and established, we move forward with test planning. A detailed test plan is created covering the overall execution strategy, deliverables, test cases and the effort required to conduct the penetration test.

Test Strategy: The test strategy, included as part of the test plan, describes the scope, approach, resources and schedule for the project's testing activities. It also defines what will be tested, who will perform the testing, how testing will be managed, and the associated risks and contingencies.

Test Design: The probability of occurrence of each event and the risk associated with each occurrence are taken into account when designing the tests.

Test Cases: Once the threat profile is ready, the attack techniques to try out are determined. For each threat in the threat profile, we list all the possible ways of realizing it. For example, we might try to view another user's account information by an SQL injection attack, by manipulating request variables, or by accessing the information from the browser cache. The complete list of test cases to be tried for each threat is included in the test plan, and each test case specifies the page and the variable where the test will be tried. This detailed test plan serves an important purpose: it ensures a thorough test is carried out and that no attack vector for any threat is left unexplored.

Each test case is comprised of the following:
- Threat scenario
- Pages/functionalities that the threat will affect
- Associated attacks to be performed for each threat scenario

Phase 3: Test Execution

With the complete test plan reviewed and agreed upon with the client, the penetration testing activity is carried out by executing each test case from the test plan. As each test case is executed, further tests may be needed to confirm the results. Test execution includes:
- Identification of vulnerabilities based on the attacks performed
- Exploitation
- Exfiltration of data, if any

Phase 4: Result Reporting

Upon completion of test execution, root cause analysis is done and recommendations on how the vulnerabilities can be addressed are determined. Detailed reports are then prepared, based on which the application can be secured. The following reports are provided to the client upon completion of testing:
- Technical Review Report: Along with the vulnerabilities observed, this report details the impact each would have on the business, the ease of exploiting it and its risk rating. It also describes how the exploit was carried out, with steps and screenshots wherever required, and recommendations on how the vulnerability can be fixed.
- Executive Review Report: A high-level report describing the process followed in security testing, together with a risk rating of the application from the business perspective.

The Risk Rating Matrix we use for ranking the risks is described in the Appendix.
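The four phases above form one pipeline: a STRIDE-classified threat profile, a test plan with one case per page and variable, execution results, and a report rated with the Appendix's matrix. The following is an added example (not the paper's or ZENQ's own tooling) that runs that pipeline on a constructed threat profile for a hypothetical e-learning application. The threats, pages, variables, technique list and execution results are all constructed; the `rate` function is one reading of the Appendix matrix, and where the matrix wording overlaps (moderate likelihood appears under both High and Medium) it splits the two by whether a significant deficiency was found.

```python
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    """STRIDE classes used to categorise each threat in the profile."""
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION_OF_PRIVILEGE = "Elevation of privilege"


@dataclass(frozen=True)
class Threat:
    """One row of the threat profile: asset, actor, access, outcome and STRIDE class."""
    asset: str
    actor: str
    page: str            # how/where the actor accesses the asset
    variables: tuple     # request variables the actor controls on that page
    outcome: str
    stride: Stride
    motive: str = "deliberate"


@dataclass(frozen=True)
class TestCase:
    threat: Threat
    page: str
    variable: str
    attack: str


@dataclass(frozen=True)
class Finding:
    case: TestCase
    likelihood: str      # "high", "moderate" or "low" likelihood of exploitation
    significant: bool    # significant (True) or minor (False) deficiency


# Constructed threat profile for a hypothetical e-learning application.
PROFILE = (
    Threat("student account details", "authenticated student", "/account",
           ("id",), "disclosure", Stride.INFORMATION_DISCLOSURE),
    Threat("grade record", "authenticated student", "/grades",
           ("student_id", "grade"), "modification", Stride.TAMPERING),
    Threat("login session", "anonymous user", "/login",
           ("session_id",), "disclosure", Stride.SPOOFING),
)

# Constructed technique list per STRIDE class; the first entry mirrors the
# paper's own example of trying to view another user's account.
TECHNIQUES = {
    Stride.INFORMATION_DISCLOSURE: ("sql injection", "request variable manipulation",
                                    "browser cache inspection"),
    Stride.TAMPERING: ("insecure direct object reference", "cross site request forgery"),
    Stride.SPOOFING: ("session prediction",),
}


def build_test_plan(profile, techniques):
    """One test case per threat x technique x variable, each naming page and variable."""
    return [TestCase(t, t.page, var, attack)
            for t in profile
            for attack in techniques.get(t.stride, ())
            for var in t.variables]


def uncovered_threats(profile, plan):
    """The plan's check: every threat in the profile needs at least one test case."""
    covered = {tc.threat for tc in plan}
    return [t for t in profile if t not in covered]


def rate(findings):
    """Map one execution's findings onto the Appendix Risk Rating Matrix (one reading)."""
    if not findings:
        return "Low Risk"
    likelihoods = {f.likelihood for f in findings}
    significant = sum(1 for f in findings if f.significant)
    if "high" in likelihoods:
        return "Critical"
    if "moderate" in likelihoods and significant >= 1:
        return "High Risk"
    if "moderate" in likelihoods or len(findings) > 1:
        return "Medium Risk"
    return "Elevated Risk"


def report(plan, findings):
    """Technical-report view: per asset, cases tried and findings, plus the overall rating."""
    by_asset = {}
    for tc in plan:
        by_asset.setdefault(tc.threat.asset, {"tried": 0, "findings": []})
        by_asset[tc.threat.asset]["tried"] += 1
    for f in findings:
        by_asset[f.case.threat.asset]["findings"].append(
            (f.case.page, f.case.variable, f.case.attack, f.likelihood))
    return {"threats": by_asset, "application_rating": rate(findings)}


def demo():
    plan = build_test_plan(PROFILE, TECHNIQUES)
    gaps = uncovered_threats(PROFILE, plan)
    # Constructed execution results: two of the planned cases produced findings.
    idor = next(tc for tc in plan
                if tc.attack == "insecure direct object reference" and tc.variable == "student_id")
    cache = next(tc for tc in plan if tc.attack == "browser cache inspection")
    findings = [Finding(idor, "moderate", True), Finding(cache, "low", False)]
    return plan, gaps, report(plan, findings)


if __name__ == "__main__":
    _, gaps, rep = demo()
    print("uncovered threats:", gaps)
    print(rep)
```

The `uncovered_threats` check is the mechanical form of the plan's stated purpose (no threat left without a test case): a threat whose STRIDE class has no technique mapped to it shows up there before execution starts rather than as a gap discovered in the report.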

Framework

The framework consists of a set of components that combine to achieve a structured approach for conducting security tests efficiently and effectively. The logical architecture and the underlying components of the framework used by ZENQ's security test team are depicted in the figure below and briefly explained subsequently.

Project Initiation Process

Initial Call:
- Discuss the security testing service offering
- Understand the client requirements

Test Proposal:
- Create the security test proposal
- Submit the security test proposal for the client's approval

Penetration Tests:
- Understand the functionality of the application and create the threat modelling sheet
- Perform vulnerability assessment using manual and automated tools
- Exploit the vulnerabilities

Reports:
- Create a comprehensive audit report with the vulnerabilities identified and suggestions on how to resolve them
- Provide a compliance certificate that adheres to security standards

Conclusion

This paper describes the current challenges faced by applications built across different industries and the need for security testing in this area. We have reviewed the current categories, criteria and approaches for conducting security testing of applications in various industries. We believe that with our approach, based on the industry-recognized OWASP guidelines, our clients will be able to thwart and remediate vulnerabilities that would pose serious risks to their applications if left unaddressed, ensure compliance with banking, financial and other relevant standards, carry out their transactions, and maximize their return on investment.

Our Expertise

ZenQ's security testing team uses this process to identify threats and conduct penetration tests much as an attacker would. Our areas of expertise include:
- Web Application Penetration Testing
- Web Services Security Testing
- Mobile Application Security Testing
- External Network Security Testing
- Internal Network Security Testing
- Secure Code Review

Appendix

Risk Rating Matrix (rating, and how it is defined):
- Critical: Serious vulnerabilities that have been exploited or are highly likely to be exploited, and/or significant deficiencies in design, implementation or management identified.
- High Risk: Vulnerabilities discovered with moderate likelihood of exploitation and/or at least one significant deficiency in design, implementation or management identified.
- Medium Risk: Vulnerabilities discovered with moderate likelihood of exploitation and/or multiple deficiencies in design, implementation or management identified.
- Elevated Risk: Vulnerabilities discovered with low likelihood of exploitation and/or minor deficiencies in design, implementation or management identified.
- Low Risk: No vulnerabilities or deficiencies in design, implementation or management. All patches and service packs have been applied.

ZENQ is a pure-play testing services company based in India. Our highly competent IT professionals and domain experts, combined with industry best practices and our investments in state-of-the-art technologies, have made us a dependable, long-term IT service partner to all our clients. For more details, visit our website www.zenq.com or send us an email at info@zenq.com.