An increasing number of security breaches and a growing awareness among business owners about invalid applications have moved security testing into the software tester's world. This article discusses how clients across the globe are including application security testing in their software testing.
Security testing was once considered as a technical assignment, which is performed by network administrators or system developers. In those days, application security was not given much importance during the test phase of software development life cycle. An increasing number of security incidents and a growing awareness among business owners about invalidated applications due to security issues have moved security testing into the software tester’s world. Gartner’s reports say that 3 out of 4 Web sites are vulnerable to an attack and 75% of the hacks occur at the application level. More and more clients across the globe have started including application security testing as a part of software testing.
The corner stone of security rests on confidentiality, integrity, and availability. For critical applications, there is a need to provide different levels of access to different users. Security of transactions ensures customer confidence, which is a key factor for successful implementation of applications. As per the section 404 of SOX, organizations have to maintain internal control over financial reporting, which involves testing the integrity of the applications.
Identifying the scope of security testing:
The main objectives of security testing are:
- Verify and validate that applications meet the security requirements
- Identify security vulnerabilities of applications in the given environment
Performing a thorough security assessment of a Web application is a complex task, which should be approached like any other software analysis task–with a methodology, testing procedures, set of helpful tools, skills, and knowledge. Manual penetration testing as well as automated tools can be used to uncover critical security vulnerabilities in Web applications. The technology used for development and the vulnerability of the applications determines the correct ratio of automated scanning and manual penetration testing for providing the best possible Web application security coverage.
Security testing starts with vulnerability assessment. Vulnerability scanning scans a network for security holes in the network segments for IP-enabled devices and enumerates systems, operating systems, and applications. Apart from identifying the operating system version, IP protocols, and TCP/UDP ports that are listening, vulnerability scanning also identifies the common security threats, such as weak passwords, files with liberal permissions, security configuration problems and so on.
Security testing strategy for an application or product should be developed for each phase such as development, implementation, deployment, and operation and maintenance. Security testing should preferably be performed by an independent testing team. The test target should be identified using threat model and all interfaces like User Interface (UI), Sockets, file input, API, Mail configuration, and devices should be included under scope. The performance bottlenecks such as network bandwidth, memory, disk space, files, and sockets should be subject to security testing.
Test case generation and execution
The security of an application is tested by attempting to violate the built-in security controls. This technique ensures that the protection mechanisms in the system secure the application from improper and unauthorized access. The tester overloads the system by continuous requests, thereby denying service to others. The tester may deliberately cause system errors to violate the security during recovery or may browse through insecure data to find the key to system entry. The following areas need to be tested for security:
- User authentication
- Password management
- Access controls
- Input validation
- Exception handling
- Secure data storage and transmission
- Monitoring and alerting
- Change management
- Application development
- Periodic security assessments and audits
Buffer overflow, SQL Injection, Cross-site scripting, parameter tampering, cookie poisoning, hidden fields, debug options, un-validated input, broken authorization, broken authentication, and session management are some of the areas around which the test cases should be generated for security testing. Ideally, security testing should be performed at the end of functional integration testing and performance testing. This helps detect hidden security threats in the application.
After completing security testing, the finding should be summarized in a report. The summary report should contain details such as the types of testing conducted and the security risks identified with rating, which helps the business take a decision on deployment of the application.
Ref: Guidelines of Security testing by NIST special publication 800-42.