Even though software security is vital, security testing principles and practices take time for functional testers to master. The good news is that getting started doesn't have to cost a fortune as there are effective freeware tools out there. Scott Aziz offers practical techniques that will help you get started.
It seems like every week the press has yet another story about security breaches or stolen data at some of the world's largest companies or government agencies. Sometimes the responsibility for ensuring thorough security resides with an IT security group, and other times it gets outsourced altogether. The responsibility seldom falls to testing teams. However, this is changing. Having trained and experienced testers hunt for security bugs will make web applications safer from hackers and will further protect consumers, corporate assets, and brands.
Security testing techniques are not well known to many traditional functional testing teams because there are relatively few opportunities to learn them compared to learning functional testing. And, security testing is more difficult to perform than functional testing for reasons including vague security requirements for many applications; low-level, technically challenging testing approaches; and security testing tools that are difficult to set up and configure.
A major consideration for any security testing strategy is that every architectural layer of an application is vulnerable in different ways—some are more easily penetrated and exploited than others. These layers are known as the attack surface and will be different for different web applications because of the varying architecture, frameworks, and languages in use to develop them. Hackers trying to penetrate your web applications must know as much as possible about your application’s attack surface. The attackers' methods are numerous and constantly evolving, so testers need to think in similar ways when approaching security testing. Approaching testing in a progressive and creative manner is perhaps one of the greatest challenges for security testers. To keep up with the efforts of hackers, testers must utilize not only traditional and time-tested tools but also the newest tools available.
This can be a daunting task because of the nature, variety, and number of tools available for security testing. This article covers a few of the basic freeware tools available for web application security testing. These tools can stand alone or serve as a foundation for the adoption of more mature tools within your organization. Building upon this small set of tools over time will ensure the widest possible set of protective mechanisms for your security testing certification process—the rigor that must be executed and passed prior to release.
Just as with other types of testing, it is important to know that you cannot prove the nonexistence of security defects. Exhaustive security testing is impossible, due to the diverse nature of the attack surface and the number of possible variables that can be manipulated across that surface. However, there are categories of attacks that tend to be more popular due to their effectiveness. Two specific web application vulnerabilities that you should be aware of are SQL injection and cross-site scripting (XSS). An excellent primer to these vulnerabilities can be found at the Open Web Application Security Project (OWASP). The OWASP testing guide is one of the best resources available on web application security and vulnerability testing. It is several hundred pages long, so do not expect to master every testing mechanism right away.
Preparing for an effective security testing strategy includes getting familiar with a few core tools, such as the Firefox browser—yes, the same Firefox browser you use to verify the functional behavior of web applications. This browser is perhaps the best all-around beginner’s tool that can be used to test the security of a web application. This is largely due to an ecosystem of browser plug-ins specifically built for security testing tasks, including two free Firefox add-ons that every security tester hunting for web-based vulnerabilities must have: SQL Inject Me and XSS Me.
SQL Inject Me allows you to test for SQL injection vulnerabilities that hackers can use to hijack your data and modify the contents of a database. Some of these vulnerabilities will even allow an attacker to execute administrative operations on the database, which is disastrous. Typically, the web applications that are the most vulnerable to SQL Injection are those written in PHP or ASP, but this vulnerability affects other languages as well. The XSS Me tool will check for XSS vulnerabilities that can allow a hacker to gain elevated privileges within your web application or within other applications connected to your web application. These two tools alone will not allow you to test for every type of SQL injection and XSS vulnerability, but they will allow you to establish foundational testing practices for both categories of vulnerabilities. Once you have mastered the functionality of these tools, you can adopt tools that expand this functionality, such as Metasploit and Nexpose, both of which have freeware versions available.
Once you have prepared a tool to perform SQL injection testing, you need to determine how best to formulate attack strings that you can feed through the tool. Some tools already have a library of such strings that the tools automatically feed into your application under test. For the tools that do not, you must prepare your own SQL language attacks. This is not a trivial task, as there are many types of SQL injection attacks. The SQL injection attack is a form of a code injection attack, which means that rogue or malicious code is injected into the database layer through the client application. There are many resources on the web for advice on how to test for SQL injection vulnerabilities. (ITSecTeam.com has a very good paper on it).