“Quality is never an accident; it is always the result of intelligent effort." - John Ruskin
In this Information Age, our lives are supposedly made simpler by having all our information just a click away. But really, how certain are we that this information is secure? This is where security testing comes in. Every service provider should use this form of testing to ensure the applications are well protected against security breaches of any form.
Security testing is one of the most neglected methods of testing. Yet in today’s era, when hacking is a hobby for some and an alternative career for others, security is one of the most vital forms of testing, and maybe the most complex and costliest.
Today, companies all over the world encounter threats of their systems and data being compromised, and it is the tester’s responsibility to ensure that all potential security flaws are exposed. After all, the worst security attacks may not happen due to a major software flaw, but perhaps because of a loophole that the developers/testers failed to identify as a weak point. Such attacks make the users lose confidence and may result in an industry crisis if not handled properly.
It may not be practical to carry out extensive security testing, but what can be done is to follow a systematic method of testing where we simulate possible attacks and then test from those starting points. Security could be better managed if the test approach is taken up using a risk-based analysis. The tester can analyze all the various possible risks and work along these lines to focus on the major areas where a security attack could be successful.
Many organizations realize that their customer base can survive only on the foundation of trust. This trust not only has to be gained but has to be renewed continually, and this can be done only if we can assure that the application has been secured. During the recession, many people simply heard rumors of banks going and their immediate action was to change to another bank. Just imagine if there was a security breach in the company software, it wouldn’t take long before the customers jump ship.
What is Security Testing, and What are We Protecting Against?
In November 2008, officials in Jefferson County, Denver released an online search tool which exposed Social Security numbers and other personal information belonging to approximately 1.6 million citizens. Shocking? Yes. Could such an incident been avoided? Yes.
Security testing in software applications is often spoken of these days, because security has become one of the most important and yet one of the most uncertain factors in information technology. A simple definition for security testing is the process to determine that an information system protects data and maintains functionality as intended. This definition lets us understand that security does not mean only data but also functionality, i.e., certain application owners may be concerned more with protection of the software from being copied illegally while others are more to deal with the application being misused.
Physical security is something that generally can be done effectively (at least it’s easier to keep aneye on), but software security is risky because the security attack may be noticed only after the hackers/unwanted parties break in, at which time it may be too late.
The only way you can test for any vulnerability is to analyze how the hacker would try break into the system. How To Break Software Security by James Whittaker and Herbert Thompson is a great book because it goes into detail on the various methods that can be exploited by a potential hacker. It was shocking to realize that what falls prey to attack could be something we had written off, thinking it to be too minor to spend effort on.
The two common points of Web security attacks mentioned are cross-site scripting and SQL injections.
Cross-site scripting (XSS) is a form of attack where a Web site is made to reproduce certain executable code. This code would be loaded in the browser, and once executed the code could now run in the security zone of the hosting Web site. This code would allow the attacker to access and modify or pass on any and all sensitive data that can be accessed by the browser. Hence, the first user could have his account taken over and the browser is now taken to another location perhaps even to fraudulent content delivered by the Web site they are visiting. The XSS attack can be taken to another level where the user’s account can be used as a front end to all the attacks. This inevitably would let another victim or authority trace the attacks back to the innocent user whose only mistake may have been to access the site.
SQL injection is an attack technique where SQL commands can be entered as user input. This happens if the developer has not kept proper filters to ensure proper input. Many applications exist where data has to be accessed from a database, i.e., based on the inputs given by the users. If the input filters are not set effectively, the attacker can try to change the query any number of times till he can finally get access to the database and modify or delete sensitive data.
Why is Security Testing Necessary?
The 2008 CSI Computer Crime and Security Survey stated that the most expensive computer security incidents were those involving financial fraud – no surprises there. The second-most expensive, on average, was dealing with “bot” computers within the organization’s network. Virus incidents occurred most frequently, at almost half (49 percent) of the respondents’ organizations. Nearly one in 10 organizations reported they’d had a domain name system incident up 2 percent from last year. Twenty-seven percent of those responding to a question regarding targeted attacks said they had detected at least one such attack, where “targeted attack” was defined as a malware attack aimed exclusively at the respondent’s organization or at organizations within a small subset of the general business population.
This information helps us realize that security testing is not optional but essential. Alternatively, because these incidents happened, we cannot conclude that the mentioned application/software did not undergo the testing cycles. Often in a team of testers there are some who may carry out testing simply to check whether the application works just as it should per requirements. What can make the difference is if we also check how the application behaves when we do something different than expected. A very simple example is if we are testing a Web application that works from a browser using some sort of login functionality, consider the following steps:
- Open the Web application and when the login page appears, enter the login credentials. The application would be displayed.
- Now sign off from the application, usually a sign-out or logout link that takes us to a confirmation page.
- Now click on the back button from the browser and check if the page shows the logged in app
lication instead of asking the user to sign in again.
Such a step is very easy to overlook because we may assume it to be included as basic functionality.
In a typical test engineer’s frame of mind, I believe that an application can “do or die” based on a tester’s creativity, i.e., even the best teams could deliver applications with a bug or two, but it is a tester’s job to see that it does not go to the production stage. A software tester who thinks out of the box can do wonders when testing because he or she can find even the most elusive bugs. The tester needs to think like a potential hacker to find the different ways the application could be attacked.
Security testing should not be restricted to simply software flaws because another loophole exists – perhaps the most unpredictable of all: people. Security testing should also involve making sure that the resources in the organization are aware of the applicable security policies and adhere to them. Also, application access should be set to a need-to-have basis only.
The figure below depicts the scope of security testing: (Courtesy: Testing Web Security: Assessing the Security of Web Sites and Applications – Steven Splaine)
Here are a few of the focus areas to be considered in security testing of Web sites/application:
- Network security deals with the basic provisions made by the network admin in the computer network infrastructure. This includes policies adopted to protect the network and the network-accessible resources from unauthorized access as well as consistent and continuous monitoring and measurement of its effectiveness combined together.
- System software security deals with the various software that the application would depend on. This would include the operating systems, database systems and various other tools used in the application. This can be done by evaluating each back end used to avoid any loopholes rising from this later.
- Client-side application security involves ensuring no infiltration is possible from the client side. This can mean trying to keep every inch of code maintained such that it cannot be tampered with to find some loophole to gain access to the security controls. There should be no shortcut given by the browser or any tool or even the simply Web page source that could allow the user to over-step the authentication process. In fact, a hacker could simply find a way to execute some script on the client side and be able to have his way, so even this has to be considered.
- Server-Side application security may not go as expected, even if the client side is being protected. In this case, we work to ensure the server side is also included in the security aspect. This can mean not only the server side code but also other technologies implemented on the server side, which if manipulated, could compromise the business logic, data and users as well in a severe way.
How to Implement Security Testing
If the tester does not find the fault, others may beat him to it. The worst way any tester would want to discover a bug in the system is by finding out about a security attack or breach. Therefore, security testing should take into consideration all the possible risks to security.
In this section, I have tried to cover the steps to consider when carrying out a security test. It should be an open-minded approach where we are not afraid to think differently, even to imagine how some unwanted party could access the application. Once the tester has overcome what I call “tester’s block” of simply testing the requirements, he or she is ready to establish a secure testing process.
The best way to approach this is to analyze and list all the possible scenarios of the system being infiltrated. Taking into account all the points, including physical security and network security, the tester now is left with a rather nerve-racking list because he orshe would probably have thought of a few risks here and there but never considered it all together at once.
The next step would be to decide upon the scope of testing that can be carried out. A thorough study of the requirements should be done so the tester knows exactly what can be possible focus points. This is important because they have to be sure of the most probable weak points to ensure there are no loopholes. A chain is as strong as it’s weakest link. But do not ignore the unlikely bugs, because if you’re thinking, “No one would bother with that flaw,” chances are the other parties would think the exact same thing.
Once the tester has decided on all the test cases, they have to decide the actual testing processes to be implemented. The test should be designed keeping in mind all the risk factors and the input/outputs expected.
Next is the stage of testing cycles. This includes final testing and implementation to help the tester to get the application verified.
Once all the tests have been executed and the results are available comes the final part of a test cycle – the test report. The tester should realize that these tests may not be conclusive since there could be many factors that can trigger false alarms. These will have to be improvised and recorded to present to the developers, application owners, etc. to ensure all the points are being covered.
Once we are sure of all security-related scenarios being tested, the application can be fixed and subsequent rounds of testing repeated until we ensure that the application is as secure as it should be.
I have tried to cover a simple approach that can be used by any tester so he/she can identify the different forms of security to consider when testing a secure Web site or application. When the tests are customized accordingly, we ensure enhanced security test coverage and can convince the customer/client of a safer user experience. Simply, for every vendor that provides software solutions, we can make strides forward by dedicating more time and resources to security testing.
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access