Functional vs. Load Testing



Similar documents
Barracuda Web Site Firewall Ensures PCI DSS Compliance

Passing PCI Compliance How to Address the Application Security Mandates

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

05.0 Application Development

SQuAD: Application Security Testing

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Where every interaction matters.

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

How to complete the Secure Internet Site Declaration (SISD) form

How To Protect Your Business From A Hacker Attack

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Payment Card Industry Data Security Standards.

Franchise Data Compromise Trends and Cardholder. December, 2010

March

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Introduction: 1. Daily 360 Website Scanning for Malware

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

GFI White Paper PCI-DSS compliance and GFI Software products

PCI Data Security Standards (DSS)

Network Segmentation

Effective Software Security Management

How To Protect Your Credit Card Information From Being Stolen

PCI Compliance: Protection Against Data Breaches

The Top Web Application Attacks: Are you vulnerable?

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

PCI DSS Requirements - Security Controls and Processes

Rational AppScan & Ounce Products

F5 and Microsoft Exchange Security Solutions

How To Protect Your Data From Being Stolen

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Mobile Application Threat Analysis

WEB APPLICATION VULNERABILITY STATISTICS (2013)

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

Catapult PCI Compliance

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

How To Protect A Web Application From Attack From A Trusted Environment

Table of Contents. Page 2/13

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Project Title slide Project: PCI. Are You At Risk?

white SECURITY TESTING WHITE PAPER

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Web Application Security

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

How To Protect Visa Account Information

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Application Security in the Software Development Lifecycle

BANKING SECURITY and COMPLIANCE

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

PCI Requirements Coverage Summary Table

Preventing. Payment Card Fraud. Is your business protected?

A Decision Maker s Guide to Securing an IT Infrastructure

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Frequently Asked Questions

Magento Security and Vulnerabilities. Roman Stepanov

PCI Compliance Updates

Best Practices (Top Security Tips)

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Web Application Penetration Testing

Enforcing PCI Data Security Standard Compliance

PCI Requirements Coverage Summary Table

Integrating Security Testing into Quality Control

Need to be PCI DSS compliant and reduce the risk of fraud?

CONTENTS. PCI DSS Compliance Guide

PCI Data Security Standards

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

Becoming PCI Compliant

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Fortinet Solutions for Compliance Requirements

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Josiah Wilkinson Internal Security Assessor. Nationwide

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

PCI Compliance: How to ensure customer cardholder data is handled with care

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

SecurityMetrics Vision whitepaper

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

Transcription:

Best Practices in Performance & Security Testing March 26, 2009 CVN www.sonata-software.com Functional vs. Load Testing Functional test Objective Functionality Example Do business processes function properly after implementation? Load test Stability Objective Performance Example Will 2,000 concurrent hits crash the server? Is response time acceptable according to specifications? Functionality under load Do business processes function properly under heavy load? Endurance Will this business process sustain 24*7 1 1

Why Performance Testing Change of needs o Applications are built for today s need o Business processes change Business growth o Exponential growth leads to more internal, customers and partners o Disruption is a huge business loss Process changes People changes Technology changes 2 What should be done Build performance expectation into contracts o Response time, no of users, expected business growth, cost of provisioning Should this be a capex or opex? How often should I do this? Identify the critical business processes Test for endurance, twice the expected business load 3 2

How? Identify the critical business processes Identify the applications associated Plan what stage of business are you in o Legacy systems getting exposed to Web? o Pure play ecommerce solutions o Complex architectures o Hub and spoke applications o Packaged ERP Choose the tool that fits the protocol 4 Sample Web Architecture 5 3

Manual Testing is Problematic All of you, click the GO button again Do you have the testing resources? Testing personnel Client machines How do you synchronize users? How do you collect and analyze results? How do you achieve test repeatability? Coordinator Analysis? Web server Database server Testers Load Generation System Under Test 6 Tool based Solution Controller Analysis Overcomes resource limitations Replaces testers with Virtual Users Runs many Vusers on few machines Controller manages the Vusers Meaningful results with analysis tools Repeats tests with scripted actions Vuser host Web server Database server Load Generation System Under Test 7 4

Approach Phase 1 Phase 2 Phase 3 Phase 4 Phase 5 Plan Load Test Create Web Virtual Users Create Scenarios Run Scenarios Analyze System Under Load Tune System Based on Analysis LoadRunner V U G E N LoadRunner C O N T R O L L E R & A N A L Y S I S 8 Plan Load Test System Usage Information Task Distribution Diagram o which business tasks? o how many operations at what times of the day? Transaction Profile o how many operations on average, how many at peaks? o how much database activity? o how much risk to business if task fails? User Profile o which tasks does each real user perform? o what is ratio of different tasks for each user? 9 5

Create Vuser Script Record Vuser Actions Add Load Runner Transactions Parameterize data Verify correct Execution 10 Actions A recorded business process that, when played back, emulates a real user performing the business process actions on a system. Logon (recording optional) User Actions (Business Processes) Logoff (recording optional) vuser_init.c Action1.c, Action2.c, etc. (e.g., Create Order, Ship Order) vuser_end.c This section may be iterated (repeated) during one test run 11 6

Determine which Fields to Parameterize Which fields require a current date? Which fields require unique values? Which fields exercise the database server? Which fields values are dependent for validity on the value of another field? 12 Parameterization Decision-Maker For each field, ask... Is there a unique constraint? Yes No Is there a date constraint? Yes No Does data get cached? No Do not parameterize Is this a data dependent field? No Yes Yes Parameterize Parameterize Parameterize Parameterize 13 7

The Load Runner Solution Provides support for many protocols and APIs 14 CASE STUDY 15 8

Security- Testing Website Attacks and Security Myths 25 Jan, 2009 Monster.com Database Hacked Hackers gained access to confidential details provided by 4.5 million people to Monster.co.uk, the online recruitment site. Private information like names, email ids, and birth dates were stolen CheckFree Warns 5 Million Customers After Hack CheckFree and some of the banks that use its e-bill payment service are notifying more than 5 million customers after criminals hacked their website. Criminals took control of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine. This same technique was used by hackers one year ago, to take control of Comcast's Web site. Security experts believe that CheckFree may have fallen prey to a phishing attack. Some myths regarding web security We use SSL Firewalls protect the web site My network scanner found no issues We have annual security assessments All these measures are network related not application related 17 9

Impact Of Security Non-Compliance Business Interruption leading to o Loss of customers o Loss of revenue o Loss of vendors/partners o Privacy compliance violation Access to Sensitive Information o Loss/unauthorized access to private information Statutory Non-compliance o PCI o SOX Reputation o Loss of credibility in the market Social Responsibility o The website should not be used as a tool for fraud 18 Business Benefits of Security Compliance Enhanced credibility with customers Independent validation of web application security Adherence to statuary compliance standards like PCI DSS Reduction in overall test effort leading to faster time to market and cost reduction. Reduction in test efforts in OWASP compliance testing due to deployment of accelerators, best practices and methods. Reduced business interruptions due to secure web applications Increased credibility with customers and market 10

OWASP: An Overview What is OWASP? Short for Open Web Application Security Project, OWASP is an open source community project set up to develop software tools and knowledge-based documentation for Web application security. The intent is to assist individuals, businesses and agencies in finding and using trustworthy software. o o o o o o Some of the project s work includes: A guide to define security requirements to build secure Web applications. Developing an industry standard testing framework for Web application security. Web Scarab - An open source enterprise-level Web application scanner. Developing a component-based approach to filtering malicious input and output to a Web application. WebGoat & Webmaven- An intentionally insecure web application, users can download and learn from. 20 OWASP Top Ten Threats 11

What is a Cardholder Data Compromise? Hacker taking advantage of a flaw in a system that: Stores, processes or transmits cardholder data Gains Access to: Card Numbers Expiration Dates CVV2/CVC2/CID Track Data Six Goals: Twelve Requirements PCI The Payment Card Industry Data Security Standard Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Implement Strong Access Control Measures 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain Information Security Policy 12. Maintain a policy that addresses information security 12

PCI Non Compliance -The Aftermath In the event of compromise, a merchant must: Have a forensic investigation performed ($10,000 average) Rebuild all systems (following ALL PCI DSS guidelines) Upgrade to the latest version or switch software vendors Pay card re-issuance fees (40,000 cards on average) $25 per card (average) is $1,000,000.00 (average) Pay non-compliance fees ($50,000 average) Be classified as a Level 1 merchant for a year Have a card data removal audit performed ($10,000 average) Have a Level 1 merchant PCI DSS audit performed ($25,000 average) Enhanced Security : Why Security is top priority? Web Applications are the #1 focus of hackers o 75% of attacks are at the application layer (Gartner) o XSS and SQL Injection are the #1 and #2 reported vulnerabilities (Mitre) Most sites are vulnerable o 90% of sites are vulnerable to application attacks (Watchfire) o 78% of the easily exploitable vulnerabilities affected web applications (Symantec) o 80% of organizations will experience and application security incident by 2010 Web apps are high value targets for hackers o Customer data, credit cards, ID Theft, Fraud, site defacement etc Compliance requirements o Payment card industry (PCI) standards o Federal Information Security Management Act (FISMA) o Sarbanes-Oxley Act (SOX) 25 13

Threat Modeling STRIDE & DREAD RATING Category Spoofing Description Allows an attacker to pose as another user,component or other system that has an identity in the system being modeled Tampering The modification of data within the system to achieve a maliciousgoal Repudiation Information Disclosure Denial Of Service The ability of an attacker to deny performing some malicious activity because the system does not have sufficientprivilegeto prove it The exposure of protected data to user that is not otherwise allowed access to that data The exposure of protected data to user that is not otherwise allowed access to that data Occurs when an attacker prevent legitimate users from using the normal functionality of the system. STRIDE CLASSIFICATION: A method of classifying the top ten threats. Category Description Rating Damage Potential Reproducibility Exploitability Ranks the extent of damage that occurs if vulnerability is exploited Ranks how often an attempt at exploiting vulnerability works. Assigns a number to effort required to exploit a vulnerability 1-Low 3-Medium 5-High 1-Low 3-Medium 5-High 1-Low 3-Medium 5-High Affected Users A numeric value 1-Low characterizing the 3-Medium ratio of installed instances of the 5-High system that would be affected if an exploit became widely available Discoverability Measures the 1-Low likelihood that 3-Medium vulnerability will be found by external 5-High researchers, hackers. DREAD RATING: A rating given to the potential vulnerabilities in the application 14

Case Study www.sonata-software.com 28 About Us 12+ years in software testing 500+ Member Testing Team SLA based service offer SonnetTest- Test accelerator Reusable assets SAP/Oracle APPs Accelerators e-signature for Quality Center Monitor Bridge for VMware (LR, PC, BAC, Site Scope) VMware Lab Manager Add-in for Quality Center Domains Travel Telco OSS Manufacturing Financial services Life sciences Software products Sonata - Mercury Relationship Gold Partner since 2004 Best Solution Partner- 2006 29 15

Testing Services Standard Specialized Testing Test Automation Acceptance Testing Functional Testing Performance Testing Tool Based Regression Testing Application Security Testing Script Based Acceptance Testing ERP/CRM Testing UsabilityTesting Requirement Analysis, Test Case Design and Preparation Defect Management Status Reporting Test Plan and Management 30 Thank You 31 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information