Today’s software applications are often security-critical, making security testing an essential part of a software quality program. Unfortunately, most testers have not been taught how to effectively test the security of the software applications they validate. Join Jeff Payne as he shares what you need to know to integrate effective security testing into your everyday software testing activities. Learn how software vulnerabilities are introduced into code and exploited by hackers. Discover how to define and validate security requirements. Explore effective test techniques for assuring that common security features are tested. Learn about the most common security vulnerabilities and how to identify key security risks within applications and use testing to mitigate them. Understand how to security test applications—both web- and GUI-based—during the software development process. Review examples of how common security testing tools work and assist the security testing process. Take home valuable tools and techniques for effectively testing the security of your applications going forward.
Transcript
TL PM Tutorial
10/1/2013 1:00:00 PM
"Security Testing for Testing Professionals"
Presented by:
Jeff Payne
Coveros, Inc.
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, software research funding, and software quality.
Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The key concepts of Information Security include:
– Confidentiality: prevent the disclosure of information to unauthorized individuals or systems
– Integrity: data cannot be modified undetectably
– Availability: data and systems are available in an uninterrupted manner
– Authenticity: ensure that data, transactions, communications or documents (electronic or physical) are genuine
– Non-repudiation: ensure that a party cannot later deny having performed an action (sent a message, approved a transaction)
Common security nomenclature:
– Risk: a possible future event which, if it occurs, will lead to an undesirable outcome
– Threat: a potential cause of an undesirable outcome
– Vulnerability: any weakness, administrative process, or act of physical exposure that makes an information asset susceptible to exploitation by a threat
– Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior on computer software, hardware, or other electronic equipment
– Attack: the approach taken by a threat to exploit a vulnerability; examples include denial of service, spoofing, tampering, and escalation of privilege
Security Testing is testing used to determine whether an information system protects its data from its threats.
Security Testing is not a silver bullet for your enterprise security. Security Testing doesn't fix your security; it only makes you aware of where it stands. Security must be built into your software.
A sound Security Testing process performs testing activities:
– Before development begins
– During requirements definition and software design
Your company, SecureTelco, has developed an instant messaging program, SecureChat, for private use in customers' homes and for companies and government agencies.
SecureChat requires users to sign up for an account prior to using the system. After authenticating with a username and password, each user can message other users and expect their conversations to be private.
Users have the ability to add/remove friends from their contact list, search for friends based on their email, block users from IMing them, and become "invisible" to all users on demand.
Message archives and activity logs document user behavior and can be retrieved by the user through the application, or by a SecureTelco administrator through the administrative console.
Understand the policies and standards that have been adopted by the organization and their relationship to software security
Examples:
– Privacy policies regarding your customer data
– Service level agreements with clients
– IT security standards you must adhere to
– PCI DSS compliance activities for credit card transactions
Your goal is to understand these policies and standards to the level that will allow you to validate security requirements and effectively test the end product against them
If the security of your software is an enterprise concern, the development team should be adhering to a defined secure software development lifecycle model.
– Defines development activities that build security in
– Defines security testing activities performed by appropriate parties (development, testing, security org, operations, etc.)
Common secure software development models:
– Microsoft's Security Development Lifecycle (SDL)
– Coveros SecureAgile process
– There are others as well
Secure software standards:
– Secure coding standard
Testing activities during requirements definition and software design focus on assuring that security has been effectively integrated into software requirements and the overall architecture and design of the product
Functional Requirements: These are statements of services the system should provide, how the system should react to particular inputs and how the system should behave in particular situations.
What each feature within the software should do
Non-Functional Requirements: These statements describe additional requirements that are not associated with individual functional behaviors. These statements include information about: reliability, configurability, availability, performance, etc.
What quality goals must the entire software system achieve
Security Requirements describe functional and non-functional requirements that need to be satisfied in order to achieve the security attributes of an IT system or application.
What does that mean?
Functional Security Requirements
Additions to functional requirements that define what the software should not do.
Non-Functional Security Requirements
Additional non-functional requirements that define what overall security the system must provide
Functional requirement:
SecureChat login screen shall accept a valid username/password pair and allow system access.
Functional requirement that includes security:
SecureChat login screen shall accept valid username/password pairs and allow system access.
• Entering either an invalid username or an invalid password will result in the display of the message "Invalid username or password" on a redisplay of the login screen after both a username and password are entered
• Three successive invalid login attempts from a particular machine will lock the user's account and display the message "User Account Locked, Call System Administrator" on a redisplay of the login screen. Subsequent valid username/password pairs will not allow system access until the account is unlocked by the system administrator
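The requirement above is testable clause by clause. The following is an added example, not code from the tutorial or from SecureTelco: a toy in-memory authenticator that implements the requirement, and one check per clause, including the boundary the word "successive" implies (two failures followed by a success must not lock the account). The lockout is tracked per account rather than per machine, which simplifies the slide's wording; note that per-account lockout also means anyone who knows a username can lock that account with three bad guesses, a denial-of-service trade-off a tester should raise with the analyst. Passwords are stored in clear for brevity; a real system compares password hashes.

```python
import secrets


class Authenticator:
    """Toy login for the SecureChat requirement (added example, per-account lockout)."""

    INVALID_MSG = "Invalid username or password"
    LOCKED_MSG = "User Account Locked, Call System Administrator"
    MAX_FAILURES = 3  # the third successive failure locks the account

    def __init__(self, credentials):
        self._creds = dict(credentials)               # username -> password (toy only)
        self._failures = {u: 0 for u in self._creds}  # successive failures per account
        self._locked = set()

    def login(self, username, password):
        """Return (access_granted, message_shown_on_redisplayed_login_screen)."""
        if username in self._locked:
            # Valid credentials are still refused until an administrator unlocks.
            return False, self.LOCKED_MSG
        expected = self._creds.get(username)
        if expected is not None and secrets.compare_digest(expected.encode(), password.encode()):
            self._failures[username] = 0               # only *successive* failures count
            return True, ""
        if expected is not None:
            self._failures[username] += 1
            if self._failures[username] >= self.MAX_FAILURES:
                self._locked.add(username)
                return False, self.LOCKED_MSG
        # Same message for an unknown user and a wrong password: no username enumeration.
        return False, self.INVALID_MSG

    def admin_unlock(self, username):
        self._locked.discard(username)
        self._failures[username] = 0


def run_login_requirement_tests():
    """One check per clause of the requirement; returns {check_name: passed}."""
    auth = Authenticator({"alice": "correct horse battery"})   # constructed account
    good, bad = "correct horse battery", "wrong"
    results = {}
    results["unknown_user_generic_message"] = auth.login("mallory", bad) == (False, Authenticator.INVALID_MSG)
    results["wrong_password_generic_message"] = auth.login("alice", bad) == (False, Authenticator.INVALID_MSG)
    auth.login("alice", bad)                                    # second successive failure
    results["two_failures_do_not_lock"] = auth.login("alice", good) == (True, "")
    auth.login("alice", bad)
    auth.login("alice", bad)
    results["third_failure_locks"] = auth.login("alice", bad) == (False, Authenticator.LOCKED_MSG)
    results["valid_creds_refused_while_locked"] = auth.login("alice", good) == (False, Authenticator.LOCKED_MSG)
    auth.admin_unlock("alice")
    results["unlock_restores_access"] = auth.login("alice", good) == (True, "")
    return results


if __name__ == "__main__":
    for name, passed in run_login_requirement_tests().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Each entry in the returned dictionary maps back to one sentence of the requirement, which is what makes the requirement verifiable rather than merely stated.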
Architectural and design reviews focus on determining whether the stated architecture / design enforces the appropriate level of security as defined in the requirements.
Typically performed by security architects and/or other software leads within the organization.
Examines these artifacts for flaws such as:
– Violation of trust boundaries
– Distributed control of authorization
– Custom algorithms for cryptography / random number generation
Information on design flaws/vulnerabilities and the known threats from the threat model are often combined to estimate the likelihood and consequence of a flaw/defect resulting in significant business impact
Risk Assessments
Security testing during definition and design
Likelihood of the flaw being exploited (columns) against its business consequence (rows):

                     Unlikely         Likely           Highly Likely
Minor or cosmetic    Not a Priority   Not a Priority   Not a Priority
Business concern     Not a Priority   Priority         High priority
Business-critical    Priority         Priority         High priority
– When a user attempts to authenticate with a valid username and an invalid password, the application shall not authenticate the user and shall return them to the authentication page.
– The system must alert the user that their attempt to authenticate has failed due to an incorrect password ("Invalid Password"), using the standard error text formatting.
– When a user attempts to authenticate with an invalid username, the application shall not authenticate the user and shall return them to the authentication page.
– The system must alert the user that their attempt to authenticate has failed due to an incorrect username ("Invalid Username"), using the standard error text formatting.
– When a user attempts to authenticate using a valid username and a valid password, the application shall authenticate the user and redirect them to the homepage.
Note that the second and fourth requirements, as written, return different messages for a bad username and a bad password. That lets an attacker enumerate valid usernames, and it is exactly the kind of conflict a tester should raise before the requirement is implemented; compare the single "Invalid username or password" message in the SecureChat requirement earlier.
Know your security requirements: requirements analysis
It is important that each tester understands the security requirements for your application and what they imply.
Security requirements often conflict with other types of requirement. If there are conflicts, it is important that you identify those concerns and have the requirements clarified by a business analyst.
In most organizations, security requirements are not well defined, if they are defined at all.
A general rule of thumb: make sure your core information security concepts (confidentiality, integrity, availability, authenticity, non-repudiation) are all covered. If not, request that they are.
Understand which security requirements are functional and which are non-functional; this will affect how you plan to test them.
Feature testing covers positive security requirements. This typically ensures the software behaves according to customer expectations.
Example: if security requirements state that the length of any user input must be validated, then a feature test suite should be created to exercise the application inputs at and around the limits and verify that this requirement is implemented correctly.
Testers should also cover negative security testing, or risk-driven testing. Each test is intended to probe for a specific risk or vulnerability; these risks may have been identified during your risk assessment.
Example: cross-site scripting and SQL injection. These vulnerabilities are not obviously features of the application, therefore they fall under the negative security requirements umbrella.
Security testing tools provide out-of-the-box testing for common web security issues.
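To make the positive/negative distinction concrete, here is an added example (not code from the tutorial or from SecureTelco) of both kinds of test against a toy slice of the SecureChat "search for friends by email" and messaging features. The feature tests exercise the boundaries of an assumed 1000-character message limit; the negative tests fire a cross-site scripting payload at the message renderer and a SQL tautology at two versions of the friend search, one that concatenates the input into the query and one that binds it as a parameter. The contact table and the payloads are constructed for the example; the `MAX_MESSAGE_LEN` value is an assumption, since the slides give no limit.

```python
import html
import sqlite3

MAX_MESSAGE_LEN = 1000  # assumed SecureChat limit; the slides do not state one


def validate_message_length(text):
    """Positive requirement: every user input is length-checked (1..MAX chars)."""
    return 1 <= len(text) <= MAX_MESSAGE_LEN


def render_message(text):
    """Output encoding: untrusted message text is escaped before it reaches HTML."""
    return '<p class="msg">' + html.escape(text, quote=True) + "</p>"


def _friends_db():
    """Constructed in-memory contact table standing in for the SecureChat user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", "Alice"), ("bob@example.com", "Bob")])
    return conn


def search_friend_vulnerable(conn, email):
    """The injection sink: user input is concatenated into the SQL text."""
    return conn.execute(
        f"SELECT name FROM users WHERE email = '{email}'").fetchall()


def search_friend_safe(conn, email):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    return conn.execute(
        "SELECT name FROM users WHERE email = ?", (email,)).fetchall()


# Constructed attack payloads used by the negative tests.
XSS_PAYLOAD = "<script>alert(1)</script>"
SQLI_PAYLOAD = "' OR '1'='1"


def run_feature_tests():
    """Positive tests: boundary values of the length requirement. {name: passed}"""
    return {
        "empty_input_rejected": not validate_message_length(""),
        "max_length_accepted": validate_message_length("a" * MAX_MESSAGE_LEN),
        "over_max_rejected": not validate_message_length("a" * (MAX_MESSAGE_LEN + 1)),
    }


def run_negative_tests():
    """Risk-driven tests: can a payload escape its intended context? {name: passed}"""
    conn = _friends_db()
    return {
        "xss_payload_is_escaped": "<script>" not in render_message(XSS_PAYLOAD),
        # A tautology makes the string-built query return every user; the bound
        # parameter version treats the same bytes as a literal email and finds nothing.
        "sqli_tautology_dumps_table_on_vulnerable": len(search_friend_vulnerable(conn, SQLI_PAYLOAD)) == 2,
        "sqli_tautology_harmless_on_safe": search_friend_safe(conn, SQLI_PAYLOAD) == [],
    }


if __name__ == "__main__":
    for suite in (run_feature_tests, run_negative_tests):
        for name, passed in suite().items():
            print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The feature tests would exist even if nobody had heard of an attacker; the negative tests exist only because a specific risk (script injection, query injection) was identified, which is the distinction the slide draws.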
The testing of components and individual features will identify code that improperly implements functionality against its requirements.
While some feature testing has historically been done at the system level, more and more of this type of testing today is done on individual units / stories by either a developer or code savvy test engineer.
Review of tests performed at this level should look for common gaps that lead to security issues:
When we refer to authentication in computer security, we refer to the process of attempting to verify the digital identity of the sender of a communication.
– A common example of such a process is the login process.
– Authentication always depends on one or more authentication categories (factors): something I know, something I have, something I am
– Two-factor authentication: factors from two different categories
– Multi-factor authentication: two or more factors from different categories; two factors from the same category (for example, a password plus a PIN) do not count as multi-factor
Testing authentication schemas means understanding how the process works and using that information to circumvent the authentication mechanism.
Testing for bypassing the authentication schema
– The tester must validate that other application resources are adequately protected and cannot be used to bypass authentication (for example, by requesting a protected page or API directly without a session)
Testing for vulnerable remember-password and password-reset features
– The tester must analyze how the application manages password resets, and must check whether the application allows the user to store passwords in the browser
Testing for logout and browser cache management
– The tester must check that the logout and caching functions are
Testing for CAPTCHA
– Used by many applications to ensure the response is not generated by a computer, CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") implementations are often vulnerable to various kinds of attacks (replaying an already-solved challenge, missing server-side validation, challenges solvable by OCR)
Testing multiple-factor authentication
– The tester must test the following scenarios:
One-time password (OTP) generator tokens
Crypto devices such as USB tokens or smart cards
X.509 certificates
Random OTP sent via SMS
Testing for race conditions
– The tester must ensure that an unexpected result in a multithreaded application does not create an authentication flaw (for example, more login attempts than the lockout threshold succeeding when they arrive concurrently). By their nature, race conditions are difficult to test for
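Two of the checks listed above, whether the application lets the browser store passwords and whether logout and authenticated pages are served with cache-control headers, can be scripted against captured responses. The following is an added example, not code from the tutorial: it scans a login page for password fields that do not set autocomplete="off" and checks a response's headers for the directives that keep it out of browser and proxy caches. The HTML and header dictionaries are constructed samples, not captures from any real application. One caveat: modern browser password managers generally ignore autocomplete="off" on login forms, so the first check verifies the application's intent rather than guaranteeing the password is never stored.

```python
from html.parser import HTMLParser


class _PasswordFieldScanner(HTMLParser):
    """Collects the attributes of every <input type="password"> in a page."""

    def __init__(self):
        super().__init__()
        self.password_fields = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and attrs.get("type", "").lower() == "password":
            self.password_fields.append(attrs)


def check_password_autocomplete(login_html):
    """Return one finding per password field that does not set autocomplete="off"."""
    scanner = _PasswordFieldScanner()
    scanner.feed(login_html)
    return [
        f"password field '{f.get('name', '?')}' does not set autocomplete=\"off\""
        for f in scanner.password_fields
        if f.get("autocomplete", "").lower() != "off"
    ]


def check_cache_headers(headers):
    """Findings for a response that must not be cached (logout, authenticated pages)."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    findings = []
    if "no-store" not in h.get("cache-control", ""):
        findings.append("Cache-Control lacks no-store")
    if "no-cache" not in h.get("pragma", ""):
        findings.append("Pragma: no-cache missing (older HTTP/1.0 caches)")
    return findings


# Constructed sample inputs for the checks (not captured from a real application).
WEAK_LOGIN_HTML = """
<form method="post" action="/login">
  <input type="text" name="user">
  <input type="PASSWORD" name="pass">
  <button type="submit">Sign in</button>
</form>"""
FIXED_LOGIN_HTML = WEAK_LOGIN_HTML.replace('name="pass"', 'name="pass" autocomplete="off"')

WEAK_LOGOUT_HEADERS = {"Cache-Control": "private, max-age=600", "Content-Type": "text/html"}
FIXED_LOGOUT_HEADERS = {"Cache-Control": "no-store, no-cache, must-revalidate",
                        "Pragma": "no-cache", "Content-Type": "text/html"}


if __name__ == "__main__":
    for label, html_doc in (("weak", WEAK_LOGIN_HTML), ("fixed", FIXED_LOGIN_HTML)):
        print(label, "login form:", check_password_autocomplete(html_doc) or "ok")
    for label, hdrs in (("weak", WEAK_LOGOUT_HEADERS), ("fixed", FIXED_LOGOUT_HEADERS)):
        print(label, "logout headers:", check_cache_headers(hdrs) or "ok")
```

In practice the two functions are fed the login page and the logout (or any authenticated) response obtained from the application under test; an empty findings list means that check passed.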
Risk-based Testing focuses on testing that the risks identified during threat modeling, design reviews, code reviews were properly mitigated in the code
Define negative tests that validate these issues have been mitigated.
Perform these tests at whatever level is appropriate to identify any remaining vulnerabilities.
Typically performed at the integration / system level
Testing during the deployment process focuses on those tests that cannot be adequately completed within a development/QA environment plus any third party IV&V
– Red Team Penetration Testing
– Load and performance testing (for availability)
– Configuration testing
Red Team Penetration Testing is typically done by a team of security experts and includes both network and application testing
Testing during maintenance and support focuses on:
– Assuring that any identified vulnerabilities within the application, supporting software, or network configuration are patched and revalidated
Based upon the identified vulnerability and patch, a wide variety of testing activities may be performed again to assure that the patch operates properly and does not break something else (regression testing).