Security Testing – How do you deal with it?


What is Security Testing?

Security testing is a type of software testing that verifies that a web or mobile application protects its data and keeps working as intended when it is attacked. It involves an active analysis of the application for weaknesses, technical flaws and vulnerabilities that a malicious actor could exploit.

Security testing practices such as risk assessments, vulnerability scanning, security assessments and penetration testing are used to identify threats to data security before an attacker does, so that the resulting breaches can be prevented.

Let’s take a look at a few key statistics to understand the importance of security testing.

Figure: Data records lost

Don’t be distracted by the headline of the week. Invest your time and money now to defend against the threats your application is actually likely to face.

Types of information Security Attacks

Attackers have many ways to go after a vulnerable web or mobile application, but these are the four things they most commonly try first:

  1. SQL injection attacks – to gain access to the database, spoof a user’s identity, and read, alter or destroy data in the database.
  2. Cross-Site Scripting (XSS) attacks – to make victims’ browsers execute attacker-supplied script, which can steal session cookies, perform actions as the victim, or deface the site to promote a brand or a hacktivist cause.
  3. Distributed Denial of Service (DDoS) attacks – to make the site temporarily unavailable by exhausting its resources.
  4. Cross-Site Request Forgery (CSRF) attacks – to trick a logged-in user’s browser into sending requests the user never intended, such as making purchases or changing account settings on the user’s behalf.
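The first attack in the list is the easiest to reproduce on a workbench. The following is an added example written for this page (it is not code from the original article or from Indium’s tooling): a login lookup built by string concatenation next to the same lookup done with a parameterised query, both run against a constructed in-memory SQLite table. The table contents, user names and the two payloads are all made up for the demonstration; passwords are stored in clear text only to keep the example short.

```python
import sqlite3

# Constructed sample data standing in for an application's user table.
# (Real applications must store password hashes, never clear text.)
SAMPLE_USERS = [
    ("admin", "s3cr3t-admin-pw", "admin"),
    ("alice", "alice-pw", "user"),
]


def make_db():
    """Create a throw-away in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text from user input, so the input becomes part of
    the query grammar. Returns (username, role) or None."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Binds the input as parameters; the driver never parses it as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Two classic payloads (constructed for the demo):
#  - comment_out_password: the '--' turns the password check into a comment
#  - always_true: AND binds tighter than OR, so OR '1'='1' matches every row
PAYLOADS = {
    "comment_out_password": ("admin' --", "anything"),
    "always_true": ("x", "' OR '1'='1"),
}


def run_demo():
    """Run each payload through both implementations and collect the results."""
    conn = make_db()
    results = {}
    for name, (user, pw) in PAYLOADS.items():
        results[name] = {
            "vulnerable": login_vulnerable(conn, user, pw),
            "safe": login_safe(conn, user, pw),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:22s} vulnerable={outcome['vulnerable']} safe={outcome['safe']}")
```

With the vulnerable function both payloads log in as `admin` without a password; with the parameterised version both return `None`, while a genuine user name and password still authenticate. The same pair of functions is a convenient fixture for an automated regression test: feed every known injection string to the login code and assert that none of them returns a row.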

What motivates attackers?

  1. Destroying or corrupting the database and causing a great loss to the company
  2. Stealing user data in transit using a man-in-the-middle attack
  3. Downloading sensitive user information and selling it on the black market
  4. Proving their skill to their community

2017’s biggest security hacks, leaks, and data breaches — So far…..

  • Freedom Hosting II was hacked, taking down about one-fifth of the dark web’s sites.
  • Millions of Verizon customer records were exposed through an unprotected Amazon S3 storage bucket.
  • Bell Canada, Canada’s largest telco, was hacked in May 2017; the company declined to pay the attacker to stop the release of the 1.9 million customer records that were stolen.
  • Education platform Edmodo was breached, exposing 77 million accounts that were offered for sale on the dark web.
  • The Mac video encoder HandBrake was distributed from a compromised download mirror carrying a remote access trojan; those infected were at risk of having login credentials stolen from the OS X Keychain.
  • The WannaCry ransomware spread around the world, hitting hundreds of thousands of targets, including public utilities and large corporations.
  • WikiLeaks’ “Vault 7” published 8,761 documents allegedly stolen from the CIA.
  • Cloudbleed: internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data.

Types of Security Validation

  • Authentication: Users and systems are who they claim to be, and the mobile/web application and its data come from a genuine source.
  • Authorization: Only users with the right permissions can reach the functions and data they are entitled to.
  • Confidentiality: User data is protected from disclosure to anyone not entitled to see it.
  • Integrity: The application and its data are not altered while stored, during a transaction, or in transmission.
  • Non-repudiation: The sender and receiver of information cannot later deny having sent or received it.

Advantages for Security Testing

  • Security testing reveals vulnerabilities and existing weaknesses in the software, in application configurations and in the network infrastructure, which helps to avoid data loss.
  • It protects data privacy and strengthens cyber defence capabilities: many attacks should be detected automatically, alerts generated, and dedicated people should respond according to the company’s internal procedures.
  • It supports business continuity by keeping operations up and running without interruption, reducing financial loss.
  • It reduces total cost of ownership (TCO): robust software with fewer security defects costs less to operate and fix over its lifetime.
  • A data breach, or any other loss of personal and confidential information, is a serious matter that can land a company in a lot of trouble, up to and including large settlements. An in-depth security testing procedure helps to foresee these attacks well in advance and to take preventive measures.

Security Testing Approach

The right security testing approach will greatly reduce web/mobile application vulnerabilities. When it comes to application security testing, the two most commonly used approaches are:

Static application security testing (SAST), a family of tools and techniques that analyse application source code, byte code and binaries from the “inside out”, in a non-running state.

Dynamic application security testing (DAST), which takes place while the application is running and probes it “from the outside in”, as an attacker would, to identify potential vulnerabilities, including those outside the code itself, such as in configuration and third-party interfaces.
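To make the “inside out” nature of SAST concrete, here is an added example written for this page (not Indium’s iAVA and not any particular commercial SAST tool): a single static rule implemented with Python’s `ast` module that walks source code without running it and flags database `execute()` calls whose SQL text is assembled from variables by concatenation, `%`-formatting, `str.format()` or an f-string. The scanned snippet, including its `lookup` function and `cur` cursor name, is constructed for the demonstration.

```python
import ast


class SqlConcatFinder(ast.NodeVisitor):
    """Static rule: report calls to .execute()/.executemany()/.executescript()
    whose first argument is SQL text built dynamically from non-constant parts."""

    SINK_NAMES = {"execute", "executemany", "executescript"}

    def __init__(self):
        self.findings = []  # list of (line_number, sink_name)

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in self.SINK_NAMES
                and node.args
                and self._is_dynamic(node.args[0])):
            self.findings.append((node.lineno, node.func.attr))
        self.generic_visit(node)  # keep walking into nested calls

    @classmethod
    def _is_dynamic(cls, expr):
        # f-string with at least one {expression} placeholder
        if isinstance(expr, ast.JoinedStr):
            return any(isinstance(v, ast.FormattedValue) for v in expr.values)
        # "..." + name  or  "..." % name  (pure literal arithmetic is allowed)
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Add, ast.Mod)):
            return not (cls._is_constant(expr.left) and cls._is_constant(expr.right))
        # "...".format(...)
        if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
                and expr.func.attr == "format"):
            return True
        return False

    @classmethod
    def _is_constant(cls, expr):
        if isinstance(expr, ast.Constant):
            return True
        if isinstance(expr, ast.BinOp):
            return cls._is_constant(expr.left) and cls._is_constant(expr.right)
        return False


def scan_source(source):
    """Parse `source` (a string of Python code) and return the rule's findings."""
    finder = SqlConcatFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed input for the scanner: four unsafe calls, two safe ones.
SAMPLE_SOURCE = '''
def lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")      # line 3
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")           # line 4
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)         # line 5
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(name))   # line 6
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))          # line 7, safe
    cur.execute("SELECT * FROM users WHERE role = 'admin'")             # line 8, safe
'''

if __name__ == "__main__":
    for lineno, sink in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL built dynamically and passed to .{sink}()")
```

The rule only looks at the expression passed directly to the sink, so `query = "..." + name` followed later by `cur.execute(query)` would slip past it; real SAST products add data-flow analysis to track such values across assignments, and the gap is a good illustration of why a SAST rule needs DAST (or manual review) to back it up.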

Issues / Challenges related to Security Testing of web applications

  1. One of the main challenges in security testing of web/mobile applications is building automated tools that test the security of web applications reliably.
  2. The surge in Rich Internet Applications (RIAs) makes security testing harder.
  3. RIAs are more user friendly and responsive because of AJAX, but the extra client-side logic and asynchronous requests are harder to crawl and exercise. Unintended or invalid inputs that such an application fails to handle correctly can open the door to attacks.
  4. Mutation-based test generation produces injected inputs that take no account of the application’s semantics, so many results are noise and real vulnerabilities can be missed. This is a challenge for the security testing of any such web application.
  5. Insecure cryptographic storage is hard to detect from the outside and poses a further challenge to web application security testing.
  6. The web development languages and frameworks in use may not enforce the security policy, which can let the integrity and confidentiality of the web application be violated and is a security threat in its own right.
  7. Verifying the integrity of the data is another challenge for a security tester.

Security Testing Best Practices

A recent Gartner Magic Quadrant for Application Security Testing states that security testing is growing faster than any other software testing market. Security and risk management leaders must integrate security testing into their application security programs so that the application keeps pace with the number of risks and attacks in the online world. This is why security testing has taken precedence and why continuous testing, automated security testing and continuous delivery are being endorsed. As a result, DevSecOps has evolved to meet security testing needs by bringing the strengths of DevOps into the security testing process. This methodology offers a framework to add security checks within the development and deployment pipelines and makes everyone responsible for ensuring security.

iAVA

Indium’s security testing framework iAVA helps organizations identify potential vulnerabilities based on OWASP standards. The Anti-Vulnerability Assessment Framework (iAVA) tool supports security test execution, manual penetration testing, automated application scanning, code review and analysis, defect logging, initiation of remediation and complete retesting. For the past 10 years, our framework has helped our clients secure their data against attacks.

The concepts are still evolving, but the ground rules are the same and remain very close to the test automation and DevOps models; the security testing aspect simply has to be incorporated. Continuous testing and delivery form the core of the DevSecOps model and make the testing and development processes more concerted.

Best practices for automating security testing are similar to those for implementing any test automation project; the difference is that security tests have to be integrated seamlessly into the process.

Below are a few simple steps for putting security testing best practices into practice.

1. Identification of Critical Vulnerabilities

To identify critical vulnerabilities, it is recommended to break the application into parts or units and check each of them for vulnerabilities. This helps to identify failure paths and loopholes in every facet of the application. Many viruses and Trojans exploit basic and easily overlooked security weaknesses: poor authentication, weak passwords, or inadequate security policies. Vulnerability scanners exist for finding hidden network and host-level vulnerabilities. By breaking the application down and running automated security tests for every function, the critical vulnerabilities can be identified. This is the most fundamental step, because it enables the testing teams to take further action and deliver on a consistent basis.

2. Integration of Test Automation Best Practices

Test automation is the enabler for the whole security testing approach with DevOps; DevOps can succeed only if test automation is implemented successfully. Continuous testing and delivery rest on the assumption that test automation is applied effectively throughout the process, and DevSecOps extends that idea by automating security testing through the test cycle.

The best approach is to combine the best practices of test automation and DevOps with the objectives of security testing. With continuous testing in place, test automation finds defects as the software is released on a continuous basis, so tests that validate the security of the application are running during the deployment stage itself.

3. Selection of Right Security Testing Tool

With a potent combination of automation, security testing and DevOps in place, there is a serious need to pick the right security testing tool for the implementation.

Any security testing tool can be selected, but it has to fit the objectives of the security testing and the requirements of the project. Preferably, choose a tool that the development, operations and security teams are already familiar with and that integrates effectively into the test cycle, so that it yields tangible results.

Top Security Testing Tools

Web security testing tools are useful for proactively detecting application vulnerabilities and safeguarding websites against attacks. There are many cost-effective and open source security testing tools on the market for carrying out basic security testing procedures.

Here are some open source security testing tools that are popular among security testers
Some of the commercial security testing tools are

4. Automating Security Tests on a Regular Route

Automating security tests is similar to automating functional or performance tests. The work can be segmented into functional security tests (for example authentication and password generation), specific non-functional tests against known weaknesses, security scanning of the application and its infrastructure, and tests of the application logic from a security point of view.

The point of segmenting the objectives and automating the security tests is that each segment can be given explicit success criteria. Getting the required results and resolving the vulnerabilities found is what matters, so automated security testing should run at regular intervals for as long as the business-critical objectives remain.

5. Testing Vulnerability Outbreaks

The objective of automating security tests is to get the application ready for any possible security outbreak or mass attack. While defining the objectives and strategy of security testing, it is important to choose tools and a framework suited to that kind of event. The current landscape is worrying for any web/mobile application: the vulnerability may sit in the application itself or in an external component it depends on. Building test automation frameworks that can exercise the application against such an attack is good practice.

Security testing of web applications is a critical quality assurance step for every business to safeguard its applications and prevent major business loss. By testing the application for potential security vulnerabilities and defects, external attacks can be pre-empted. But to perform end-to-end security testing, a tester must understand security terms and definitions.

A general software tester can perform security testing only to a certain extent. A security testing expert with thorough knowledge of the OWASP and OSSTMM standards is needed for the rest.

Prerequisites to set up a dedicated security testing team

To set up a dedicated security testing team, the testers should have:

  • An understanding of common attack classes such as XSS, CSRF, SQL injection and path traversal, and of what they mean for the business application.
  • Proficiency in application security concepts, including familiarity with the OWASP Top 10, the SANS Top 25 and other security best practices.
  • Knowledge of security frameworks and regulations such as ISO 27001/27002, NIST, HIPAA and SOX.
  • A basic understanding of the following protocols and technologies: HTTP, SOAP/REST, SSL/TLS.
  • Vulnerability analysis and reverse engineering skills.
  • Experience with the Metasploit framework, forensics tools and cryptography principles.
  • Accreditations such as CPT/CEPT, GPEN and, especially, OSCP are recommended:
    • CEH: Certified Ethical Hacker
    • CPT: Certified Penetration Tester
    • CEPT: Certified Expert Penetration Tester
    • GPEN: GIAC Certified Penetration Tester
    • OSCP: Offensive Security Certified Professional
    • CISSP: Certified Information Systems Security Professional
    • GCIH: GIAC Certified Incident Handler
    • GCFE: GIAC Certified Forensic Examiner
    • GCFA: GIAC Certified Forensic Analyst
    • CCFE: Certified Computer Forensics Examiner
    • CREA: Certified Reverse Engineering Analyst

Yet it is impractical for every company to run an in-house centre of excellence for security testing. A realistic and cost-effective measure for many businesses is to work with an experienced outsourced security testing service provider.

Indium software is an independent software testing company with a multi-domain focus, fostered by IP-led innovation. We help our clients to manage their security risks at an attractive cost point with a combination of open source security testing tools, affordable commercial tools and our innovative security testing framework iAVA.

The key objectives of Indium’s Offshore Web Security Testing offerings include

  • Certification of releases/patches against security standards
  • Creation of a unified process and model for web application security testing and risk modelling
  • Creation and maintenance of a repository of reusable test artifacts
  • Use of jump-start kits for rapid time to market

The key service offerings of Indium’s Offshore Web Security Testing include

  • Vulnerability scanning and auditing
  • Security Compliance Certification of releases/patches
  • A Security testing shop floor for providing an integrated approach for all applications security testing