May 6, 2012
A Complete Guide on Security Testing and its Benefits
There are a number of definitions and terms in the world of security testing. Many choose to cut corners and treat security constraints as functional requirements, testing them the same way other functional requirements are tested. Others simply shift the entire security responsibility to an external provider. This may save money in the short run, but the true cost of a reduced security consciousness may be far less favourable in the end.
To implement and maintain a secure software application, dedicated security testing is essential.
Software security is concerned with making software behave and operate correctly in the presence of a malicious attack, even though, realistically speaking, most software failures occur spontaneously and without any intentional wrongdoing.
Perhaps unsurprisingly, for a time, many were only concerned with what happens when software fails, regardless of the intent. The difference between software safety and software security is therefore the presence of an intelligent adversary with a motivation to break the system.
Security is relative to the information and services being protected, the assumed skills and resources of the attackers, and the cost of any potential assurance remedies. Owing to this, security can be thought of as an exercise in risk management. Risk analysis, especially at the design stage, helps identify potential security problems and their impact. Once these risks have been identified and ranked, they can guide software security testing.
A vulnerability is an error that an attacker can exploit. Although many types of vulnerabilities exist, they are typically placed into one of two categories: bugs at the implementation level and flaws at the design level.
Some of the more common design-level problems include error handling in object-oriented systems, object sharing and trust issues, unprotected data channels (both internal and external), incorrect or missing access control mechanisms, a lack of auditing and logging or incorrect logging, and ordering and timing errors. These kinds of flaws almost always lead to a security risk.
Types of Security Testing:
- Vulnerability Scanning
- Security Scanning
- Penetration Testing
- Risk Assessment
- Security Auditing
- Posture Assessment
- Ethical Hacking
How to do Security Testing?
It is always advisable to include security testing from the initial phases of the SDLC. The security analysis that can be performed at each stage is listed below.
- Requirements: This is the first and crucial phase of software development. Security analysis at the requirements phase considers misuse cases.
- Design: Security analysis at the design phase includes developing the security test plan.
- Coding and Unit Testing: White box testing to check the code for any security loopholes.
- Integration Testing: Black box testing to check for security gaps in the integration of the various components.
- System Testing: Black box testing and vulnerability scanning to expose the vulnerable areas the developer has overlooked.
- Implementation: Penetration testing and vulnerability scanning to perform security analysis during and after the implementation.
- After implementation: Impact analysis of the various methods implemented, to offer complete security.
Examples of Security Testing:
There are various techniques to perform security testing:
Cross-Site Scripting (XSS)
This method checks the web application for XSS vulnerabilities. The tester verifies that the application does not accept HTML or SCRIPT tags in its inputs, so that an attacker cannot insert a harmful script into the application, for example through a manipulated URL.
This is performed to identify potential loopholes in the application. It is done by intruding into the system to check its security controls. A white-hat hacker tries to break the application in order to protect it from black hats.
Password Cracking
This tries various commonly used passwords to gain access to the system. Password cracking also helps users choose a strong password that is hard for an attacker to crack.
This is done by intruding into the system, network or application to find the security gaps that attackers could use to their benefit.
This is performed to find vulnerabilities by communicating with the application through its web front end.
Risk Assessment
This also performs risk analysis, in which each risk is evaluated and measured.
SQL Injection
This helps evaluate the security of the database layer. It is done by entering a single quote (') in any text box of the application. The application should reject the input; if instead the quote is passed into the query and a database error is displayed, the application is vulnerable to attacks that execute attacker-controlled SQL.
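As an added example (not from the original article), the XSS and single-quote checks described above written as automated probes in Python, each run against a deliberately vulnerable handler and a hardened one. The in-memory table, the handlers and the probe strings are constructed for illustration.

```python
import html
import sqlite3

# Constructed in-memory table so the checks run offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice')")
    return conn

def lookup_vulnerable(conn, name):
    # Query built by string formatting: the defect the probe should catch.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()

def lookup_hardened(conn, name):
    # Parameterised query: the driver keeps user data out of the SQL syntax.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def sqli_probe(lookup):
    """The article's single-quote check. A legitimate value containing an
    apostrophe must be handled; a database error means the quote altered
    the query structure, so the handler fails the test."""
    conn = make_db()
    try:
        lookup(conn, "O'Brien")
    except sqlite3.Error:
        return "database error"
    return "ok"

XSS_PROBE = "<script>xss-probe</script>"  # constructed marker string

def render_vulnerable(comment):
    # Reflects the input into the page verbatim.
    return f"<p>{comment}</p>"

def render_hardened(comment):
    # Output encoding turns the markup into inert text.
    return f"<p>{html.escape(comment)}</p>"

def xss_probe(render):
    """Fails the handler if a SCRIPT tag survives into the rendered page."""
    page = render(XSS_PROBE)
    return "reflected unescaped" if "<script>" in page.lower() else "ok"

if __name__ == "__main__":
    for label, fn in [("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)]:
        print(f"SQLi probe, {label} handler: {sqli_probe(fn)}")
    for label, fn in [("vulnerable", render_vulnerable), ("hardened", render_hardened)]:
        print(f"XSS probe, {label} handler: {xss_probe(fn)}")
```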
Before planning for Security Testing, you will need to think about the following parameters:
Authentication – Understand how the authentication process works and attempt to use that information to circumvent the authentication mechanism.
Authorization – Determine that a requester is allowed to receive a service or perform an operation.
Confidentiality – Protects data or information from disclosure to parties other than the intended recipient.
Integrity – Whether the intended receiver receives the information or data without it being altered in any way during transmission.
Non-repudiation – Exchange of authentication information with some form of provable time stamp, e.g. together with a session id.
It is only by identifying risks in the system and creating tests driven by those risks that your software security testing can be properly focused on areas of code in which an attack is more likely to succeed. Essentially, this approach provides a higher level of software security assurance than possible with classical black-box testing.
Of course there is no such thing as a silver bullet for software security and even a reasonably ironclad security testing regimen is just a start.
Regrettably, security continues to be sold as a product, but many of the defensive mechanisms on the market do very little to address the core of the issue, which is bad software. Instead, these 'solutions' operate in a reactive mode: blocking packets to this or that port, watching for files that contain a given pattern, and discarding partial and oversized packets without looking at them. Network traffic is not always the best place to approach this issue, because the software that processes the packets is the problem.
By adopting a comprehensive, risk-based approach to software security testing, testing professionals can help solve security problems while the software is still being built, avoiding costly and embarrassing mishaps later in the software's lifecycle.