MF AM Tutorial, 4/7/2014, 8:30 AM
“Security Testing for Testing Professionals”
Presented by: Jeff Payne, Coveros, Inc.
Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073, 888‐268‐8770 ∙ 904‐278‐0524 ∙ [email protected] ∙ www.sqe.com
Today’s software applications are often security-critical, making security testing an essential part of a software quality program. Unfortunately, most testers have not been taught how to effectively test the security of the software applications they validate. Join Jeff Payne as he shares what you need to know to integrate effective security testing into your everyday software testing activities. Learn how software vulnerabilities are introduced into code and exploited by hackers. Discover how to define and validate security requirements. Explore effective test techniques for assuring that common security features are tested. Learn about the most common security vulnerabilities and how to identify key security risks within applications and use testing to mitigate them. Understand how to security test applications—both web- and GUI-based—during the software development process. Review examples of how common security testing tools work and assist the security testing process. Take home valuable tools and techniques for effectively testing the security of your applications going forward.
Jeff Payne, Coveros, Inc.
Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and testified before Congress on issues of national importance, including intellectual property rights, cyber terrorism, and software quality.
Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The key concepts of Information Security include: – Confidentiality
Common Security Nomenclature
– Risk: a possible future event which, if it occurs, will lead to an undesirable outcome
– Threat: a potential cause of an undesirable outcome
– Asset: data, an application, a network, a physical location, etc. that a threat may wish to access, steal, destroy, or deny others access to
– Vulnerability: any weakness, administrative process, or act of physical exposure that makes an information asset susceptible to exploit by a threat
– Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior on computer software, hardware, or something electronic
– Attack: the approach taken by a threat to exploit a vulnerability, e.g., denial of service, spoofing, tampering, escalation of privilege
A risk assessment is commonly carried out by a team of people who have subject area knowledge of the business and product. Members of the team provide a qualitative analysis, based on informed opinion, of the threats; that analysis is later used as input to a more quantitative analysis.
The team should also define the amount of risk the organization is willing to accept. We assume we can neither identify all risks nor eliminate all of those we do identify; the risk that remains after controls have been applied is referred to as residual risk.
Your company, SecureTelco, has developed an instant messaging program, SecureChat, for private use in customers' homes and for use by companies and government agencies.
SecureChat requires users to sign up for an account prior to using the system. After authenticating with a username and password, each user can message other users and expect their conversations to be private.
Users can add and remove friends from their contact list, search for friends by email address, block users from messaging them, and become “invisible” to all users on demand.
Message archives and activity logs document user behavior and can be retrieved by the user through the application or by a SecureTelco administrator through the administrative console.
Security testing provides a level of confidence that your system performs securely within its specifications.
Security testing is a preventative way to find small issues before they become big, expensive ones.
– The 2007 CSI Computer Crime and Security Survey analyzed the average cost of a web security breach. The average loss reported in the survey was $350,424.
Security testing helps verify that people in your organization understand and follow security policies.
If it is involved from the first phase of the system development life cycle, security testing can help eliminate flaws in both the design and the implementation of the system.
Functional Requirements: these are statements of the services the system should provide, how the system should react to particular inputs, and how the system should behave in particular situations. In some cases, the functional requirements may also explicitly state what the system should not do.
Where does security fit in?
Security features should already have functional requirements associated with them.
Don't assume those requirements are good or that they adequately address what the software should not do.
Misuse and abuse cases should be defined to understand the paths a threat may take to attack the system.
– When a user attempts to authenticate with a valid username and an invalid password, the application shall not authenticate the user and shall return them to the authentication page.
– The system must alert the user that their attempt to authenticate has failed due to an incorrect password (“Invalid Password”), using the standard error text formatting.
– When a user attempts to authenticate with an invalid username, the application shall not authenticate the user and shall return them to the authentication page.
– The system must alert the user that their attempt to authenticate has failed due to an incorrect username (“Invalid Username”), using the standard error text formatting.
– When a user attempts to authenticate with a valid username and a valid password, the application shall authenticate the user and redirect them to the homepage.
Read literally, these requirements make the login page tell an unauthenticated visitor whether a username exists, because “Invalid Username” and “Invalid Password” are different responses. That is exactly the kind of “what the software should not do” that functional requirements tend to omit and a security tester must question; a single generic failure message for both cases avoids the leak.
Functional security tests based upon the functional security requirements should be planned, designed, and executed along with the rest of the functional testing.
– Typically covered by a combination of unit, feature, and integration testing activities
– Don’t forget integration: COTS security features are often integrated incorrectly
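As an added example (not code from the tutorial), the authentication requirements above turned into executable functional security tests. The `login` handler, the `USERS` store, the PBKDF2 hashing and the `LoginResult` shape are all assumptions standing in for SecureChat; the handler deliberately returns one generic failure message, and the last test checks the negative requirement the list leaves out: a failed login must not reveal whether the username exists.

```python
# Added example: functional security tests for the SecureChat authentication
# requirements. The login handler and user store are hypothetical stand-ins
# for the application, not code from the presentation.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginResult:
    authenticated: bool
    redirect: str   # page the user is sent to
    error: str      # error text shown, "" on success


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 hash of the password).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown username costs the same work as a known one
# (otherwise response time would reveal which usernames exist).
_DUMMY = (_SALT, _hash("dummy", _SALT))

GENERIC_ERROR = "Invalid username or password"


def login(username: str, password: str) -> LoginResult:
    salt, stored = USERS.get(username, _DUMMY)
    # compare_digest: constant-time comparison of the two hashes
    ok = username in USERS and hmac.compare_digest(_hash(password, salt), stored)
    if ok:
        return LoginResult(True, "/home", "")
    return LoginResult(False, "/login", GENERIC_ERROR)


# --- Functional security tests derived from the requirements ---

def test_valid_credentials_authenticate() -> bool:
    r = login("alice", "correct horse")
    return r.authenticated and r.redirect == "/home"


def test_invalid_password_rejected() -> bool:
    r = login("alice", "wrong")
    return not r.authenticated and r.redirect == "/login" and r.error != ""


def test_invalid_username_rejected() -> bool:
    r = login("mallory", "anything")
    return not r.authenticated and r.redirect == "/login" and r.error != ""


def test_failure_does_not_reveal_username_existence() -> bool:
    # What the software must NOT do: an attacker comparing the two failure
    # responses must not be able to tell that "alice" exists and "mallory" does not.
    return login("alice", "wrong") == login("mallory", "wrong")


def run_all() -> dict:
    """Run every test_* function in this module and map name -> passed."""
    return {name: fn() for name, fn in list(globals().items())
            if name.startswith("test_") and callable(fn)}


if __name__ == "__main__":
    for name, passed in run_all().items():
        print(f"{'PASS' if passed else 'FAIL'} {name}")
```

The first three tests are the positive and negative cases the written requirements ask for; the fourth only exists because the tester asked what the login page must not disclose. Against a handler that returned “Invalid Username” and “Invalid Password” as separate strings, that fourth test would fail.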
Non-functional security tests should be planned, designed, and executed as follows:
– Unit level: secure code scanning to identify vulnerabilities
– Feature level: web application security testing, plus any specific non-functional security requirements that can be tested at this level
– Integration/System levels: more of the above, prioritized by threats and risks
– System level: end-to-end testing and penetration testing, which must be done in a production-like environment
Integrity Checks – ensure that the data has not been tampered with and is the same as when it left the application.
– Integrity checks must be included wherever data crosses a trust boundary from a more trusted to a less trusted party, such as from the application to the user's browser in a hidden field, or to a third-party payment gateway (e.g., a transaction ID that is used internally when the gateway returns it).
– The type of integrity control (checksum, HMAC, encryption, digital signature) should be matched to the risk of the data transiting the trust boundary. A plain checksum only detects accidental corruption, since anyone who can change the data can recompute it; detecting deliberate tampering requires a keyed control such as an HMAC or a digital signature, and encryption on its own does not guarantee integrity.
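As an added example (not from the tutorial), an HMAC integrity tag on a value that crosses a trust boundary, in the shape of a transaction ID placed in a hidden form field, together with the checks a tester would run against it. The key, the field format `value.tag` and the sample transaction string are assumptions made for this example.

```python
# Added example: HMAC-SHA256 integrity tag on a value handed to a less trusted
# party (e.g. a hidden form field) and the tamper tests for it. Key, format and
# sample values are constructed for the example, not from the presentation.
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side secret: in practice loaded from a key store, never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def protect(value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag' where tag = HMAC-SHA256(key, value), hex encoded."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(field: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the original value if the tag checks out, else None."""
    value, sep, tag = field.rpartition(".")
    if not sep:                      # no tag at all
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the correct tag through timing differences
    if hmac.compare_digest(expected, tag):
        return value
    return None


def integrity_test_cases() -> dict:
    """Functional tests a tester would run against the integrity control."""
    original_value = "txn-1001;cents=2500"          # constructed sample
    field = protect(original_value)
    value, _, tag = field.rpartition(".")
    # attacker edits the amount but keeps the tag
    tampered_value = "txn-1001;cents=1." + tag
    # attacker flips the last hex digit of the tag
    tampered_tag = value + "." + tag[:-1] + ("0" if tag[-1] != "0" else "1")
    return {
        "untouched_field_accepted": verify(field) == original_value,
        "modified_value_rejected": verify(tampered_value) is None,
        "modified_tag_rejected": verify(tampered_tag) is None,
        "missing_tag_rejected": verify(original_value) is None,
        "wrong_key_rejected": verify(field, key=b"some-other-key") is None,
    }


if __name__ == "__main__":
    for name, passed in integrity_test_cases().items():
        print(f"{'PASS' if passed else 'FAIL'} {name}")
```

The HMAC gives integrity and origin authentication only: the transaction string is still readable by whoever holds the field, so if it must also stay secret the control has to be encryption in an authenticated mode, not an HMAC alone.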
Validation – ensure that the data is strongly typed, syntactically correct, within length boundaries, contains only permitted characters, and, for numbers, is correctly signed and within the expected range.
– Validation must be performed on every tier. For example, the presentation layer should validate for web-related issues, the persistence layer should validate for persistence issues, etc.
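As an added example (not from the tutorial), allow-list validation covering each criterion listed above, applied to a constructed SecureChat “search for friends by email” request: type, syntax, length, permitted characters, and a correctly signed, bounded number. The field names, limits and regular expressions are assumptions for this example.

```python
# Added example: allow-list input validation (type, syntax, length, character
# set, signed numeric range) for a constructed SecureChat search request.
# Field names, limits and patterns are assumptions, not from the presentation.
import re
from typing import Any, Callable

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")
# Deliberately conservative e-mail syntax: ASCII local@domain with a dotted domain.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
MAX_MESSAGE_LEN = 2000


class ValidationError(ValueError):
    pass


def validate_username(value: Any) -> str:
    if not isinstance(value, str):                       # strongly typed
        raise ValidationError("username: wrong type")
    if not USERNAME_RE.fullmatch(value):                 # length + permitted chars
        raise ValidationError("username: 3-32 chars, a-z 0-9 _ only")
    return value


def validate_email(value: Any) -> str:
    if not isinstance(value, str) or len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValidationError("email: malformed")       # syntax + length
    return value.lower()


def validate_page(value: Any) -> int:
    # Correctly signed and within range: a page index is a non-negative integer.
    # bool is a subclass of int and floats coerce, so reject both explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError("page: must be an integer")
    if not 0 <= value <= 10_000:
        raise ValidationError("page: out of range")
    return value


def validate_message(value: Any) -> str:
    if not isinstance(value, str):
        raise ValidationError("message: wrong type")
    if not 1 <= len(value) <= MAX_MESSAGE_LEN:
        raise ValidationError("message: length")
    # Control characters other than newline and tab are never legitimate chat text.
    if any(ord(c) < 32 and c not in "\n\t" for c in value):
        raise ValidationError("message: control characters")
    return value


def validate_search_request(req: dict) -> dict:
    """Presentation-tier validation of a constructed /search request body."""
    return {
        "requester": validate_username(req.get("requester")),
        "email": validate_email(req.get("email")),
        "page": validate_page(req.get("page", 0)),
    }


def is_rejected(validator: Callable[[Any], Any], value: Any) -> bool:
    """True if the validator refuses the value (used by the tests below)."""
    try:
        validator(value)
    except ValidationError:
        return True
    return False
```

Each validator returns the cleaned value rather than a boolean, so the tiers behind it can only ever see data that has passed; the persistence tier would still apply its own checks (parameterized queries, column lengths) because this layer only knows about the web request.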
– Reflected Cross Site Scripting (XSS) is another name for non-persistent XSS. The attack payload is not stored by the vulnerable web application; it is delivered when the victim loads a crafted URI, so the injected script runs in the victim's browser with the victim's credentials. Commonly, an attacker creates and tests an offending URI and then induces the victim to load it in their browser.
Attackers typically leverage these vulnerabilities to install key loggers, steal victims' cookies, perform clipboard theft, and change the content of the page.
– Testing process:
  Detect input vectors
  Analyze each input vector to detect potential vulnerabilities. The probe data used is typically harmless, but it triggers a web browser response.
  Report on findings
  Analyze the report and attempt to exploit with an attack that has a realistic impact on web application security.
– Stored XSS is the most dangerous type. Web applications that allow users to store data are potentially exposed to it. It occurs when a web application gathers malicious input and stores that input, unfiltered, in a data store for later use. As a consequence the malicious data appears to be part of the web site and runs in the browser of every user who views it.
The more privileges the end user has, the more dangerous this attack is.
– Testing process:
  Identify input forms
  Analyze HTML code
  Test for stored XSS
  Report on findings
  Analyze the report and attempt to exploit with an attack that has a realistic impact on web application security.
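As an added example (not from the tutorial) covering both the reflected and the stored testing processes above: a probe-based check run against a constructed in-memory stand-in for SecureChat with one reflected input vector (a search box that echoes its query) and one stored input vector (messages shown to another user later). The `ChatApp` class, its handlers and the probe format are assumptions for this example; the same class is built once with output escaping off and once with it on so the check can be seen both finding and not finding the flaw.

```python
# Added example: reflected and stored XSS detection in the shape of the testing
# process above, against a constructed in-memory stand-in for SecureChat.
# The app, its handlers and the probe are assumptions, not from the presentation.
import html
import uuid


class ChatApp:
    """Minimal stand-in: a search box that echoes its query (reflected input
    vector) and a message board that stores user text (stored input vector).
    escape_output=False models the vulnerable application."""

    def __init__(self, escape_output: bool):
        self.escape_output = escape_output
        self.messages = []

    def _render(self, text: str) -> str:
        # The fix under test: HTML-encode user data at the output point.
        return html.escape(text, quote=True) if self.escape_output else text

    def search(self, q: str) -> str:                  # GET /search?q=...
        return f"<p>Results for: {self._render(q)}</p>"

    def post_message(self, text: str) -> None:        # POST /messages
        self.messages.append(text)                    # stored unfiltered

    def inbox(self) -> str:                           # GET /inbox, viewed by another user
        items = "".join(f"<li>{self._render(m)}</li>" for m in self.messages)
        return f"<ul>{items}</ul>"


def make_probe() -> str:
    # A unique, harmless marker in an HTML-significant context: if it comes back
    # byte-for-byte, the page treats our input as markup rather than text.
    return f'"><x{uuid.uuid4().hex}>'


def check_reflected_xss(app: ChatApp) -> bool:
    """Step 2 of the reflected process: inject a probe into the input vector and
    look for it, unencoded, in the response to the same request."""
    probe = make_probe()
    return probe in app.search(probe)


def check_stored_xss(app: ChatApp) -> bool:
    """Stored process: submit the probe through the input form, then fetch the
    page a different user would load later and look for the probe unencoded."""
    probe = make_probe()
    app.post_message(probe)          # attacker's request
    return probe in app.inbox()      # victim's later page load


def scan(app: ChatApp) -> dict:
    """Step 3: report which input vectors returned the probe unencoded."""
    return {"reflected": check_reflected_xss(app), "stored": check_stored_xss(app)}


if __name__ == "__main__":
    print("vulnerable app:", scan(ChatApp(escape_output=False)))
    print("escaped app:   ", scan(ChatApp(escape_output=True)))
```

A hit from `scan` is a finding, not yet an exploit: the last step of the process is to replace the marker with a payload that has a realistic impact for this application (for SecureChat, a script that reads the victim's session cookie or archived messages) and confirm it runs in a browser, because an encoder that strips `<` but not the quote, or a Content Security Policy, can still stop the real attack.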
What is SQL Injection?
– An SQL injection attack consists of the insertion or “injection” of SQL code, via input data from the client, into a query the application builds. A successful exploit can read sensitive data, modify data, execute administrative operations, recover the contents of a given file and, in some cases, issue commands to the operating system.
Types of SQL Injection
– In-band: data is extracted using the same channel that is used to inject the SQL code. In the simplest form, the retrieved data is presented directly in the application's web page.
– Out-of-band: data is retrieved using a different channel (e.g., an email with the results of the query is generated and sent to the tester).
– Inferential: no data is transferred, but the tester is able to reconstruct the information by sending particular requests and observing the resulting behavior of the DB server.
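As an added example (not from the tutorial), the in-band and inferential types above demonstrated against a constructed SQLite user table: the query built by string concatenation next to its parameterized replacement, an in-band tautology that makes the result set itself carry rows the filter should hide, and a boolean-based blind extraction that recovers a value one character at a time from nothing but “rows or no rows”. The schema, the sample rows, the `lookup_*` functions and the payloads are assumptions made for this example.

```python
# Added example: in-band and inferential (boolean-based blind) SQL injection
# against a constructed SQLite table, showing the concatenated query beside the
# parameterized fix. Schema, data and payloads are assumptions for this example.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one ordinary user and one admin."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "5f4dcc3b", 0),
        ("admin", "e99a18c4", 1),
    ])
    return db


# Vulnerable: attacker-controlled text becomes part of the SQL statement.
def lookup_vulnerable(db: sqlite3.Connection, username: str) -> list:
    sql = f"SELECT username FROM users WHERE username = '{username}' AND is_admin = 0"
    return [row[0] for row in db.execute(sql)]


# Fixed: the value is bound as a parameter and can never change the statement.
def lookup_safe(db: sqlite3.Connection, username: str) -> list:
    sql = "SELECT username FROM users WHERE username = ? AND is_admin = 0"
    return [row[0] for row in db.execute(sql, (username,))]


def inband_probe(lookup, db: sqlite3.Connection) -> list:
    """In-band: a tautology makes the query's own result channel return every
    row, including the admin the 'is_admin = 0' filter was meant to hide.
    '--' comments out the rest of the original statement."""
    return lookup(db, "x' OR 1=1 --")


def blind_extract(lookup, db: sqlite3.Connection, target_user: str, length: int,
                  alphabet: str = "0123456789abcdef") -> str:
    """Inferential: no data comes back directly; the tester asks yes/no questions
    ('is character N of the hash equal to c?') and reads the answer from whether
    the lookup returns any rows at all. Returns as much as could be inferred."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = (f"x' OR (SELECT substr(password_hash,{pos},1) FROM users "
                       f"WHERE username='{target_user}')='{ch}' --")
            if lookup(db, payload):      # any row back == condition was true
                recovered += ch
                break
        else:
            break   # no character matched: this lookup is not injectable
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("in-band, vulnerable:", inband_probe(lookup_vulnerable, db))
    print("in-band, safe:      ", inband_probe(lookup_safe, db))
    print("blind, vulnerable:  ", blind_extract(lookup_vulnerable, db, "admin", 8))
    print("blind, safe:        ", blind_extract(lookup_safe, db, "admin", 8))
```

The blind extraction is the reason “the page never shows query output” is not a defense: with eight hex characters and a sixteen-symbol alphabet the attacker needs at most 128 requests to read the admin's hash, and a timing difference would serve just as well as a rows/no-rows difference. Against `lookup_safe` both probes come back empty because the whole payload is compared as a literal username.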