Security Testing: An insight

secutiy testing
You will never want to implement software that bugs up every fortnight and annoys your customer. Security testing is so, an inevitable step prior to software deployment in client’s place. In this article, we shall bring an insight to the security testing and state why it is so important web applications.

What is security testing?

Security testing forms an integral part of software testing that is done to identify weaknesses and vulnerabilities of a software application. The main objective is to identify the vulnerabilities of software and determine if the data and other resources are protected from foreign intruders. It is a way to verify whether or not a confidential data stays confidential or not.
Due to the notable explosion of the ecommerce websites in the world today, security testing has become all the more important. The testing is done once the application is developed and installed. To identify all the potent vulnerabilities, a network security testing is suggested.
Seven attributes the security testing needs to follow are:
• Authorization
• Authentication
• Confidentiality
• Integrity
• Availability
• Resilience
• Non-repudiation

The Security Testing “Terminology”

Penetration testing:

It is a type of testing that is done by evaluating the system and/or network using various malicious techniques. The purpose of this testing is to protect important data from users who do not have access to the system, like hackers. It is carried out after cautious notifications, considerations and planning.

Penetration testing is categorized into two types – Black Box Testing and White Box Testing. In White Box Testing, the tester has access to all vital information like Code, IP Address, Infrastructure Diagram, etc. In Black Box Testing, the tester doesn’t have any access to any sort of vital information. Black box testing tends to be the most accurate testing as the tester doesn’t have any access to any information, thereby, simulating the testing as a hacker.

Password cracking:

In Password crack testing, the system is tested to identify the weak passwords. Password Cracking tools are used for testing of this attribute. The end result is to ensure that users are adequately using strong password.

Vulnerability:

This is to identify the weakest attributes in the system which might lend easy paths for the malicious software to be attached by unauthorized users. Vulnerability can occur due to bug in software, inaccurate software testing or presence of malicious code. This phase requires fixes, patches to prevent the compromised integrity by malware or hackers.

URL Manipulation:

One of the popular ways to hack a website is URL manipulation where in hackers manipulate website URL query strings and get access to confidential information.

This usually takes place when the application makes use of HTTP GET to pass information between client & server. Information is passed via query string. The tester alters the query parameters to check if is accepted by the server.

An URL Manipulation testing ensures that database records are not accessed neither other vital information of the website by unauthorized users.

SQL Injection:

One of the other common ways picked by hackers to steal the vital information from the web, the SQL Injection testing ensures all the databases are safe and protected. It is a type of testing that takes the advantages of the loopholes that make the hackers easily pass into the system by passing all possible SQL queries to hack it.

They try to query the database using the SQL Injection statements to pull information and crash the system. Even the errors displayed while crashing the system will provide generous amount of important data to the hackers.

So, SQL Injection testing is purposed to take care of the input fields like comments, text boxes etc. Special characters are either handled or skipped from the input.

Cross Side Scripting (CSS):

It is a common application layer hacking technique. It is a vulnerability aroused in a web application by injecting HTML and Javascript code into the website pages. The attacks are generally done to inject malicious code web browsers. The code is then used to steal information present inside the cookies.

Security Testing Approach

• Following are the approaches taken for preparing and planning for security testing:
• Security Architecture Study: The first step is to comprehend the client’s requirements and security goals and objectives in compliance to the security need of the organization.
• Security Architecture Analysis: Comprehend the need of application under test.
• Classify security testing: Collect system set up information like operating system, technology and hardware to identify the list of vulnerabilities.
• Threat profile: Based on the information collected above, a threat profile is created.
• Test Planning: Based on identified threat, security risks and vulnerabilities, a test plan is drafted to address the issues.
• Traceability matrix preparation: A traceability matrix is prepared based on the identified threats and vulnerabilities.
• Security Testing Tool Identification: Identify the most suitable tool to test security test cases faster.
• Test Case Preparation: Prepare a test case document.
• Test Case Execution: Test case execution is done and the defect cases are fixed. Test case regressions are executed.
• Reports: Document a detailed report of Security Testing from step 1 to the final including the still open issues.

At Idexcel, we perform security testing for all our clients to ensure they enjoy a bug free application execution across various domains. Our standards, methodologies and experience help us deliver the best business value to customers.

We have a robust automation framework using SOAP UI open source tool.
Key Features of framework

• Data Driven Framework to test with multiple inputs.
• Supports Security and functional testing of Web Services.
• Affordable framework since we are using open source SOAP UI tool.
• Simple and ready to use framework
• Suitable for both SOAP and REST web services

Would you like to experience an error free execution of your application? Call us today!

MOBILE APPLICATIONS SECURITY TESTING- TEST FOR THE WORST

We all love apps, especially, the fancy, colourful apps, that promise all-your-problems-end here kind of euphoria. You wish! Really, as if the world could be so simple. However, some apps undoubtedly make our lives much simpler (Ahem, no pun intended).

So what types of applications are we talking about here? Well, that’s not the point. What I would like to elaborate here are the risks that come as a package with our life saving (sometimes literally) mobile apps, which threaten our identity, productivity and other areas critical for our day to day communication.

Why? What’s wrong with those lovely looking apps?

In simple terms, A LOT. In more complex terms, if your device or credentials have been compromised, you got a lot to lose. Now, picture this on a bigger scale, at the business or corporate level. The extent of loss is unfathomable if even a single employee downloads the app that gives the access of internal resources to malicious users who can then access the individual systems and get hold of confidential information. Phishers and hackers are constantly inventing newer ways to compromise such vulnerabilities related to web security. Users want more and more apps, and companies try to develop and deploy these apps quickly, which puts security in the back seat.

Top Mobile apps vulnerabilities and Dealing with them

As per the tests run by HP Fortify, 86% of apps that accessed potentially private data sources such as Bluetooth connections or address books, lacked security measures to protect the data from access. 86% of the apps lacked binary hardening protection, 75% apps did not encrypt data before storing it on the device and 18% of apps transmitted data over the network without using SSL encryption. Another 18% used SSL, but did so incorrectly.

The report compiled by WhiteHat shows that whilst many different attack methods exist, XSS (Cross Site Scripting) is the most popular, followed by Content Spoofing. To add to this, many other attack methods, such as SQL Injections, Information Leakage, and Stolen Credentials could all be the side-effects of an XSS attack.

Reference: WhiteHat-Security Statistics report 2012 (https://www.whitehatsec.com/resource/stats.html)

The 2013 Threat Report from the Websense ® Security Labs (WSL) also revealed how often malicious apps abuse permissions, especially in the use of SMS communications, something very few legitimate apps do. Risks increased as the mobile devices are used for web surfing and social media more often than actually making the calls.

So let’s dig a little deeper, and understand these vulnerabilities, and best practices to deal with them.

1. Excessive Permissions and Privileges– This is one of the most serious and common vulnerability that creates a great deal of privacy concerns in the mobile devices. Applications that have more access are easy target for attackers due to broad attack surface. Applications that reside on the mobile device have excessive access privileges and permissions such as access to contact list, receiving and sending messages, update rights, location and access to other devices such as microphone, camera etc.

Best Practice– App Developers should restrict granting privileges and permissions to the applications. Users should periodically check the device setting and apps for any excess permission, and if they feel that any application has excessive access, and should invoke the access rights.

2. Malware– Just like web apps, mobile applications also use web services and HTTP requests to communicate between server and client. Common vulnerabilities such as SQL injection, cross-site scripting, XML bomb, buffer overflow etc. get discovered during dynamic analysis. This enables attacker to propagate malware and gain access to devices information without having the privileges.

Best Practices– Applications should validate all form inputs and convert scripts and script tags to a non-executable form. Ensure that the executables on your server do not return scripts in executable form. You can convert HTML and JavaScript tags into alternate HTML encoding.

3. Ineffective Session Termination– When the user clicks logout button, the session gets terminated only locally on the client side, without terminating the session at the server end. This coding flaw makes the server susceptible to unauthorized access where attacker can access victim’s session and this can lead to identity threat.

Best Practice– After logout, always invalidate the session at the server and client side. If session has not been active for more than 15-20 minutes, terminate the session. Long sessions must be re-authenticated.

4. Buffer Overflow– Attacker uses buffer overflows to corrupt the execution stack of the application. Attacker sends the carefully crafted input to the application, and causes it to execute arbitrary code which can take over the device. The attack relies on writing data to particular memory address, or have the OS mishandle data types.

Best Practice– Buffer overflow protection techniques can be used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables as soon after they occur, and prevent them from becoming serious security vulnerabilities. You can also scan your application with scanner that looks for buffer overflow flaws.

5. SQL Injection– It is used by hackers to steal data from the applications where user input is not validated. As a result, the user can inject SQL statements into the database and have them executed.

Best Practice– The only way to check if your application is vulnerable to SQL injection is by scanning it with the automated web application security scanner.

6. Bad Data Storage Practice– Insecure or bad data storage occurs when developers assume that users will not have access to the device file system, and hence they store sensitive information in data-stores in the devices. If data is not protected property, jailbreaking or rooting the device circumvents any encryption protections, leading to loss of data including username, password, cookies, location data, personal information and application data. SQLite databases, Plist files, Log files, Binary data stores, XML data stores, SD card, cookie stores and cloud synced are the places where data is stored most insecurely.

Best Practice– Do not store data unless absolutely necessary. Scrutinize the data security API’s of the platform, and ensure that they are being called appropriately. Do not store credentials on the device file system.

7. Cross Site Scripting– This attack requires the user to execute a malicious URL which could have been crafted in a manner that appears to be legitimate. Attacker then effectively executes something malicious in the user’s browser.

Best Practice– Use web vulnerability scanner that checks for the XXS vulnerabilities. It will show which scripts/URLs are vulnerable to these attacks.

Some of the other common vulnerabilities include weak server side controls, poor authentication and authorization, weak or broken encryption, insufficient transport layer protection and broken cryptography. The solution to deal with these threats lies in employing a vulnerability analysis solution that can automate security quality testing.

Testing Techniques to Deal with these Vulnerabilities

The mobile applications need to be exhaustively tested for vulnerabilities that put data and device at risk. Threat-profile based test cases are used, and threat profiles are derived from different types of mobile applications. Once the vulnerabilities are identified, these need to be patched, and retested. Some of the most common testing techniques include:
Black box/Dynamic Testing– Also known as behavioral testing. It analyzes code as it runs to identify vulnerabilities that any hacker can find when the application is running in the production. This testing identifies if any weakness can be exploited, or identifies the type of weakness so that human penetration tester can verify this exploitability manually.

Code Review– It identifies the vulnerabilities at the source-code level. It can detect injection flaws, backdoors or suspicious code, hardcoded passwords and secret keys, weak algorithm usage and hardcoded keys and data storage definitions.

Penetration Testing– For any mobile application, one of the most critical tests can be penetration test. It is an ethical attack simulation intended to expose security controls of the application by highlighting risks posed by exploitable vulnerabilities. The vulnerabilities identified by penetration testing include input validation, buffer overflow, cross site scripting, SQL injection, URL manipulation, hidden variable manipulation, authentication bypass, cookie modification, code execution, and few other common software attacks.

Mobile Application Security Assessment– It is a holistic security assessment of mobile applications, the associated backend systems and data flows and interactions between them.

Failures occur, for different reasons such as poor design, faulty code, inefficient security measures or a combination of the above. However, the fact remains that it is important to identify these security risks and minimize security breaches. To protect your users from the attacks, you need to stay updated with the latest threats, and ways to deal with them. Hence, it is essential to stay in touch with the latest vulnerabilities, patches and hacks to ensure that the mobile applications are safe. When it comes to application testing, there is no silver bullet, and no single approach does it all. You need multiple approaches looking from different angles to have the confidence that your application is secure.

Hope for the Best, but Test for the Worst.