Security Testing Techniques

    Why Security Testing

  • For finding loopholes
  • For zeroing in on vulnerabilities
  • For identifying design insecurities
  • For identifying implementation insecurities
  • For identifying dependency insecurities and failures
  • For information security
  • For process security
  • For Internet technology security
  • For communication security
  • For improving the system
  • For confirming security policies
  • For organization-wide software security
  • For physical security

    What is Security Testing

  1. It is a type of non-functional testing.
  2. Security testing is done to check for security weaknesses, information leakage and authorization issues, and to confirm that data and functionality remain protected.
  3. The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, availability, data security and non-repudiation.

   Security Testing Techniques

  1. Access to Application - roles and rights management.

  2. Data Protection - a user can view or utilize only the data which he is supposed to use.

  3. Brute-Force Attack - software attempts to guess the associated password by trying to log in again and again.

  4. SQL Injection and XSS - malicious script is used by the hackers in order to manipulate a website.

  5. Service Access Points - sealed and secure open

     Example: In a Hospital Management System a receptionist is least concerned about
     the laboratory tests, as his job is just to register the patients and schedule their
     appointments with doctors. So, all the menus, forms and screens related to lab tests
     will not be available to the role of ‘Receptionist’. Hence, the proper
     implementation of roles and rights will guarantee the security of access.

    Access to Application

    How to Test

  1. Tester should create several user accounts with different as well as multiple roles.
  2. Then he should use the application with the help of these accounts and should verify that every role has access to its own modules, screens, forms and menus only.
  3. If the tester finds any conflict, he should log a security issue with complete confidence.
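The role audit described in the three steps above, written out as an added example (not code from the original post). It uses the post's hospital scenario: a role-to-screen matrix is the tester's expected result, the test accounts hold single and multiple roles, and the audit walks every account through every screen and reports where the application's decision differs from the matrix. Role names, screen names and the accounts are assumptions; `reference_grants` stands in for the application under test and would be replaced by a real login plus request in a live harness.

```python
# Added example (not from the original post): a role-to-screen matrix for a
# hypothetical hospital management system, and an audit that walks every test
# account through every screen. Role and screen names are assumptions.

# Expected access per role, as the tester derives it from the requirements.
ALLOWED_SCREENS = {
    "receptionist": {"patient_registration", "appointment_schedule"},
    "doctor": {"patient_registration", "appointment_schedule",
               "lab_tests", "prescriptions"},
    "lab_technician": {"lab_tests"},
}
ALL_SCREENS = set().union(*ALLOWED_SCREENS.values())

# Constructed test accounts: single-role and multi-role, as the post suggests.
TEST_ACCOUNTS = {
    "alice": ["receptionist"],
    "bob": ["doctor"],
    "carol": ["receptionist", "lab_technician"],
}


def expected_screens(roles):
    """Union of the screens every held role is allowed to reach."""
    return set().union(*(ALLOWED_SCREENS.get(r, set()) for r in roles))


def reference_grants(roles, screen):
    """Stands in for the application under test: its own access decision.
    A real harness would replace this with a login plus an HTTP request."""
    return screen in expected_screens(roles)


def audit_roles(accounts, app_grants):
    """Compare the application's decisions with the expected matrix.
    Returns (username, screen, problem) tuples; an empty list means every
    account reaches only its own modules, screens, forms and menus."""
    conflicts = []
    for username, roles in accounts.items():
        expected = expected_screens(roles)
        for screen in sorted(ALL_SCREENS):
            granted = app_grants(roles, screen)
            if granted and screen not in expected:
                conflicts.append((username, screen, "unexpected access"))
            elif not granted and screen in expected:
                conflicts.append((username, screen, "missing access"))
    return conflicts


if __name__ == "__main__":
    for conflict in audit_roles(TEST_ACCOUNTS, reference_grants):
        print("security issue:", conflict)
```

The audit reports both directions: a role that reaches a screen it should not (the security issue the post has in mind) and a role that cannot reach a screen it needs, which is usually a functional bug but is worth logging from the same run.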

      Data Protection 

       How to Test Data Protection

  1. The tester should query the database for ‘passwords’ of user accounts, billing information of clients and other business-critical and sensitive data, and should verify that all such data is saved in encrypted form in the DB.
  2. Tester must verify that data from forms or screens is transmitted only after proper encryption.
  3. Moreover, the tester should ensure that the encrypted data is properly decrypted at the destination.
  4. Special attention should be paid to the different ‘submit’ actions.
  5. The tester must verify that when information is being transmitted between client and server, it is not displayed in the address bar of the web browser in an understandable format.
  6. If any of these verifications fails, the application definitely has a security flaw.
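Two of the checks above (steps 1 and 5) as an added example that is not code from the original post. For stored passwords the protected form a tester should expect is a salted one-way hash rather than reversible encryption, so the example stores PBKDF2 hashes and the tester's query flags any account whose stored value is still the plaintext the tester set, or is not in the expected hashed format. The address-bar check parses a URL and reports sensitive field names that travel as query parameters. The table layout, hash format string, sensitive-field list and sample rows are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Added example (not from the original post). Field names, the hash format and
# the sample rows are constructed for the demonstration.

SENSITIVE_FIELDS = {"password", "card_number", "ssn"}   # assumed list


def hash_password(plaintext, iterations=200_000):
    """Salted one-way hash; the stored form never reveals the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(plaintext, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _alg, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_sample_db(rows):
    """In-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return conn


def find_plaintext_passwords(conn, known_passwords):
    """The tester's DB query. known_passwords maps the accounts the tester
    created to the passwords set for them. Returns the usernames whose stored
    value is the plaintext itself or is not in the expected hashed format."""
    findings = []
    for username, stored in conn.execute("SELECT username, password FROM users"):
        if stored == known_passwords.get(username) or not stored.startswith("pbkdf2_sha256$"):
            findings.append(username)
    return findings


def sensitive_params_in_url(url):
    """Address-bar check: sensitive field names must not travel as query
    parameters, where they show in the browser's address bar and in logs."""
    query = parse_qs(urlsplit(url).query)
    return sorted(SENSITIVE_FIELDS & set(query))


if __name__ == "__main__":
    # Constructed sample: one account stored correctly, one in plaintext.
    conn = build_sample_db([("alice", hash_password("S3cret!")), ("bob", "hunter2")])
    print("plaintext or malformed:", find_plaintext_passwords(conn, {"alice": "S3cret!", "bob": "hunter2"}))
    print("in address bar:", sensitive_params_in_url("https://example.test/login?user=alice&password=S3cret!"))
```

Comparing against the passwords the tester chose at account creation is what makes the query decisive: a stored value that equals the tester's own input is plaintext, whatever the column is called.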

     Brute-Force Attack

       How to Test Brute-Force Attack

  1. Tester must attempt to log in with invalid user IDs and passwords repeatedly, to make sure that the software application blocks accounts that continuously attempt to log in with invalid information.
  2. If the application does so, it is secure against brute-force attack. Otherwise, this security vulnerability must be reported by the tester.
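The lockout check above as an added example, not code from the original post. A toy login service with a per-account failure counter stands in for the application under test; the test function repeats invalid logins against one account, records each outcome, and passes only if the account becomes locked within the attempt budget and stays locked, including for the correct password when the tester knows it. The attempt limit and lockout duration are assumed policy values.

```python
import time

# Added example (not from the original post): a toy login service with the
# per-account lockout the post expects, and the repeated-invalid-login test
# that checks for it. The policy numbers are assumptions.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 900


class LoginService:
    """Stands in for the application under test."""

    def __init__(self, credentials, clock=time.monotonic):
        self._credentials = dict(credentials)   # username -> password (toy only)
        self._clock = clock                     # injectable for lock-expiry tests
        self._failures = {}
        self._locked_until = {}

    def login(self, username, password):
        now = self._clock()
        if self._locked_until.get(username, 0) > now:
            return "locked"     # refused regardless of the password supplied
        if self._credentials.get(username) == password:
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
            return "locked"
        return "denied"


def lockout_test(service, username, correct_password=None,
                 attempts=MAX_FAILED_ATTEMPTS + 2):
    """Repeat invalid logins against one account and record each outcome.
    Passes only if the account becomes locked within the attempt budget,
    stays locked afterwards, and (if the tester knows it) the correct
    password is also refused while the lock is in force."""
    outcomes = [service.login(username, f"wrong-password-{i}") for i in range(attempts)]
    if "locked" not in outcomes:
        return outcomes, False
    first_lock = outcomes.index("locked")
    passed = all(o == "locked" for o in outcomes[first_lock:])
    if correct_password is not None:
        passed = passed and service.login(username, correct_password) == "locked"
    return outcomes, passed


if __name__ == "__main__":
    svc = LoginService({"alice": "correct horse"})   # constructed test account
    outcomes, passed = lockout_test(svc, "alice", correct_password="correct horse")
    print(outcomes, "PASS" if passed else "FAIL: no lockout")
```

The injectable clock lets the same harness confirm that the lock actually expires after `LOCKOUT_SECONDS` and that the counter resets on a successful login; both are worth checking, since a lockout that never clears turns the control into a self-inflicted denial of service for legitimate users.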
     SQL Injection and XSS (Cross-Site Scripting)

       How to Test SQL Injection and XSS

  1. Tester must ensure that maximum lengths of all input fields are defined and implemented.
  2. Tester should also ensure that the defined length of input fields does not accommodate any script input or tag input. Both can be easily tested: e.g. if 20 is the maximum length specified for the ‘Name’ field, the input string “thequickbrownfoxjumpsoverthelazydog” can verify both constraints.
  3. It should also be verified by the tester that the application does not support anonymous access methods. In case any of these vulnerabilities exists, the application is in danger.
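The input-field checks above as an added example that is not code from the original post. It enforces the post's 20-character limit on the ‘Name’ field and rejects tag input, and it goes one step beyond the post: because a length limit alone does not stop injection, the example also shows the two controls a tester should expect to find behind the form, output encoding for XSS and a parameterized query for SQL injection. The table name and the sample values other than the post's own 35-character string are constructed.

```python
import html
import sqlite3

# Added example (not from the original post). MAX_NAME_LENGTH is the post's
# figure; the patients table and sample inputs are constructed.
MAX_NAME_LENGTH = 20


def validate_name(value):
    """Input-side check: returns (ok, reason). Enforces the maximum length and
    rejects anything that could open an HTML or script tag."""
    if len(value) > MAX_NAME_LENGTH:
        return False, "too long"
    if "<" in value or ">" in value:
        return False, "tag characters not allowed"
    return True, ""


def render_name(value):
    """Output-side control for XSS: whatever was stored is escaped before it
    is placed into HTML, so a stray tag is shown as text, not executed."""
    return html.escape(value, quote=True)


def new_db():
    """In-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (name TEXT)")
    return conn


def save_name(conn, value):
    """Parameterized insert: the value is bound as data and never becomes part
    of the SQL text, so quotes in the input cannot change the statement.
    Returns the row count after the insert."""
    ok, reason = validate_name(value)
    if not ok:
        raise ValueError(reason)
    conn.execute("INSERT INTO patients (name) VALUES (?)", (value,))
    return conn.execute("SELECT COUNT(*) FROM patients").fetchone()[0]


if __name__ == "__main__":
    for sample in ["Jane Doe", "thequickbrownfoxjumpsoverthelazydog", "<b>Jane</b>"]:
        print(repr(sample), "->", validate_name(sample))
    conn = new_db()
    save_name(conn, "O'Brien")   # the apostrophe is harmless as a bound parameter
    print(render_name(conn.execute("SELECT name FROM patients").fetchone()[0]))
```

A tester who sees only the length limit should keep going: a short payload fits inside 20 characters, so the escaping on output and the parameter binding on the query are the controls that actually decide whether the application is exposed.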

    Service Access Points

   Approach to Software Security Testing

  • Study of Security Architecture
  • Analysis of Security Requirements
  • Classifying Security Testing
  • Developing Objectives
  • Threat Modeling
  • Test Planning
  • Execution
  • Reports
