Why Security Testing
- For Finding Loopholes
- For Zeroing in on Vulnerabilities
- For identifying Design Insecurities
- For identifying Implementation Insecurities
- For identifying Dependency Insecurities and Failures
- For Information Security
- For Process Security
- For Internet Technology Security
- For Communication Security
- For Improving the System
- For confirming Security Policies
- For Organization-wide Software Security
- For Physical Security
What is Security Testing
- It is a type of non-functional testing.
- Security testing is done to check for security flaws, information leakage and authorization issues, to protect data, and to confirm that the application's functionality is maintained.
- The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, availability, data security and non-repudiation.
Security Testing Techniques
- Access to Application - Roles and Rights Management.
- Data Protection - a user can view or utilize only the data which he is supposed to use.
- Brute-Force Attack - software attempts to guess the associated password by trying to log in again and again.
- SQL Injection and XSS - malicious script is used by the hackers in order to manipulate a website.
- Service Access Points - Sealed and Secure Open.
Example: In a Hospital Management System a receptionist is least concerned about the laboratory tests as his job is to just register the patients and schedule their appointments with doctors. So, all the menus, forms and screens related to lab tests will not be available to the role of ‘Receptionist’. Hence, the proper implementation of roles and rights will guarantee the security of access.
Access to Application
How to Test
- Tester should create several user accounts with different as well as multiple roles.
- Then he should use the application with the help of these accounts and should verify that every role has access to its own modules, screens, forms and menus only.
- If the tester finds any conflict, he should log a security issue with complete confidence.
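The role-by-screen check above can be automated: probe every (role, screen) pair and record each case where a role reaches a screen it should not, or cannot reach one it needs. The following is an added example, not code from the article; the hospital roles, screen names and the ToyApp stand-in for the application under test are all constructed for illustration.

```python
"""Roles-and-rights audit for a toy hospital management system (constructed example)."""
from typing import Dict, List, Set, Tuple

# Constructed expectations: which screens each role is allowed to open.
# In a real test these come from the security design / requirements document.
EXPECTED_ACCESS: Dict[str, Set[str]] = {
    "receptionist": {"register_patient", "schedule_appointment"},
    "lab_technician": {"lab_tests", "lab_results"},
    "doctor": {"patient_record", "lab_results", "schedule_appointment"},
}


class ToyApp:
    """Stand-in for the application under test: answers 'can this role open this screen?'."""

    def __init__(self, grants: Dict[str, Set[str]]):
        self._grants = grants

    def can_open(self, role: str, screen: str) -> bool:
        return screen in self._grants.get(role, set())


def audit_roles(app: ToyApp, expected: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Probe every (role, screen) pair and return the conflicts found.

    Each conflict is (role, screen, kind) where kind is:
      'excess'  - the role can open a screen it should not see (a security issue), or
      'missing' - the role cannot open a screen its job requires (a functional issue).
    """
    all_screens = set().union(*expected.values())
    conflicts: List[Tuple[str, str, str]] = []
    for role, allowed in expected.items():
        for screen in sorted(all_screens):
            reachable = app.can_open(role, screen)
            if reachable and screen not in allowed:
                conflicts.append((role, screen, "excess"))
            elif not reachable and screen in allowed:
                conflicts.append((role, screen, "missing"))
    return conflicts


def correctly_configured_app() -> ToyApp:
    """An application whose grants match the expectations exactly."""
    return ToyApp({role: set(screens) for role, screens in EXPECTED_ACCESS.items()})


def misconfigured_app() -> ToyApp:
    """Constructed defect: the receptionist was also granted the lab_tests screen."""
    grants = {role: set(screens) for role, screens in EXPECTED_ACCESS.items()}
    grants["receptionist"].add("lab_tests")
    return ToyApp(grants)


if __name__ == "__main__":
    for name, app in (("good", correctly_configured_app()), ("bad", misconfigured_app())):
        found = audit_roles(app, EXPECTED_ACCESS)
        print(name, "->", found if found else "no conflicts")
```

Against a real application, `ToyApp.can_open` would be replaced by a request made while logged in as a user holding that role, and any `excess` entry is the conflict the article says to log as a security issue.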
Data Protection
How to Test Data Protection
- The tester should query the database for the ‘passwords’ of user accounts, billing information of clients and other business-critical and sensitive data, and should verify that all such data is saved in encrypted form in the DB.
- Tester must verify that data from forms or screens is transmitted only after proper encryption.
- Moreover, tester should ensure that the encrypted data is properly decrypted at the destination.
- Special attention should be paid to the different ‘submit’ actions.
- The tester must verify that when information is being transmitted between client and server, it is not displayed in the address bar of the web browser in an understandable format.
- If any of these verifications fail, the application definitely has a security flaw.
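Two of the checks above are easy to script once you know what protected data should look like: scanning sensitive columns for values that are not in the expected protected format, and checking that sensitive field names never appear in a URL's query string (which is exactly what shows up in the address bar). This is an added example, not the article's code; the column list, the `pbkdf2-sha256$...` storage format and the sample rows and URLs are all assumptions constructed for the illustration.

```python
"""Data-protection checks (constructed example):
(1) sensitive columns must not hold clear-text values, and
(2) sensitive values must not travel in the URL, where the address bar displays them."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed list of sensitive columns / parameter names for this application.
SENSITIVE_NAMES = {"password", "card_number", "ssn"}

# Assumed storage format for a protected value: scheme$iterations$salt_hex$digest_hex.
_PROTECTED_RE = re.compile(r"^pbkdf2-sha256\$\d+\$[0-9a-f]{32}\$[0-9a-f]{64}$")


def find_cleartext(rows: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (row_index, column) for every sensitive column whose value is not in the protected format."""
    findings: List[Tuple[int, str]] = []
    for index, row in enumerate(rows):
        for column in sorted(SENSITIVE_NAMES & row.keys()):
            if not _PROTECTED_RE.match(row[column]):
                findings.append((index, column))
    return findings


def sensitive_params_in_url(url: str) -> List[str]:
    """Return the sensitive parameter names present in the query string of `url`."""
    query = parse_qs(urlsplit(url).query)
    return sorted(name for name in query if name.lower() in SENSITIVE_NAMES)


# Constructed sample data: one properly protected password and one stored in clear text.
SAMPLE_ROWS = [
    {"user": "alice", "password": "pbkdf2-sha256$100000$" + "ab" * 16 + "$" + "cd" * 32},
    {"user": "bob", "password": "hunter2"},
]

# Constructed sample URLs: a GET login form leaks the password into the address bar.
SAMPLE_URLS = [
    "https://hms.example/login?user=bob&password=hunter2",
    "https://hms.example/login",
]


if __name__ == "__main__":
    print("clear-text findings:", find_cleartext(SAMPLE_ROWS))
    for url in SAMPLE_URLS:
        print(url, "->", sensitive_params_in_url(url) or "clean")
```

The first check only proves that a value is in the expected format, not that the scheme behind it is sound; the second catches the address-bar leak for GET requests, while POST bodies still need to be inspected on the wire to confirm the transport is encrypted.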
Brute-Force Attack:
How to test Brute-Force Attack
- Tester must repeatedly attempt to log in with invalid user IDs and passwords to make sure that the software application blocks accounts that continuously attempt to log in with invalid information.
- If the application is doing so, it is secure against brute-force attack. Otherwise, this security vulnerability must be reported by the tester.
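The blocking behaviour the tester is looking for is an account lockout after a fixed number of consecutive failed logins. The following added example (not the article's code) implements such a service and a check that drives it with invalid passwords and records the responses; the attempt limit, the lockout duration and the user names are assumptions chosen for the illustration.

```python
"""Account lockout after repeated invalid logins (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

MAX_FAILED_ATTEMPTS = 5      # assumed policy value
LOCKOUT_SECONDS = 15 * 60    # assumed policy value


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'invalid' or 'locked'. `now` is injected so checks need no sleeping."""
        acct = self._accounts.get(user)
        if acct is None:
            # Unknown user: do the same work as a real check so timing does not reveal valid IDs.
            _hash(password, b"\x00" * 16)
            return "invalid"
        if now < acct.locked_until:
            return "locked"          # refused even if the password is right
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return "invalid"


def lockout_check(service: AuthService, user: str, attempts: int, now: float) -> List[str]:
    """The tester's procedure: submit `attempts` wrong passwords and collect the responses."""
    return [service.login(user, f"wrong-{i}", now) for i in range(attempts)]


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    print(lockout_check(svc, "alice", MAX_FAILED_ATTEMPTS + 1, now=0.0))
    print("during lockout:", svc.login("alice", "correct horse battery staple", now=1.0))
    print("after lockout:", svc.login("alice", "correct horse battery staple", now=LOCKOUT_SECONDS + 1))
```

A pass is a response sequence that turns into `locked` once the limit is reached, and stays `locked` for the correct password until the lockout expires; an application that keeps answering `invalid` indefinitely is the vulnerability the article says to report.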
SQL Injection and XSS (cross-site scripting)
How to test SQL Injection and XSS
- Tester must ensure that maximum lengths of all input fields are defined and implemented.
- Tester should also ensure that the defined length of input fields does not accommodate any script input or tag input. Both of these can be easily tested, e.g. if 20 is the maximum length specified for the ‘Name’ field, the input string “thequickbrownfoxjumpsoverthelazydog” can verify both these constraints.
- It should also be verified by the tester that the application does not support anonymous access methods. In case any of these vulnerabilities exists, the application is in danger.
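Length limits alone do not stop injection, so the server-side handling of a field like ‘Name’ needs three layers: a length and allowlist check on input, a bound parameter when the value reaches SQL, and escaping when it is rendered back into HTML. The following added example (not the article's code) shows all three for the 20-character ‘Name’ field and runs the article's 35-letter string through it; the allowlist pattern, the `patient` table and the sample inputs are assumptions made for the illustration.

```python
"""Server-side handling of a 'Name' field: length limit, allowlist validation,
parameterized SQL and output escaping (constructed example)."""
import html
import re
import sqlite3
from typing import List

NAME_MAX_LENGTH = 20  # the limit used in the article's example

# Assumed allowlist for a person's name: letters, spaces, apostrophes, hyphens, periods.
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' .\-]*$")


def validate_name(value: str, max_length: int = NAME_MAX_LENGTH) -> List[str]:
    """Return the reasons the value is rejected; an empty list means it is accepted."""
    problems: List[str] = []
    if not value:
        return ["empty"]
    if len(value) > max_length:
        problems.append(f"longer than {max_length} characters")
    if not _NAME_RE.match(value):
        problems.append("contains characters outside the allowlist")
    return problems


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def store_name(conn: sqlite3.Connection, value: str) -> int:
    """Validate, then insert with a bound parameter so the value is never parsed as SQL."""
    problems = validate_name(value)
    if problems:
        raise ValueError("; ".join(problems))
    cur = conn.execute("INSERT INTO patient (name) VALUES (?)", (value,))
    conn.commit()
    return cur.lastrowid


def render_name(value: str) -> str:
    """Escape on output so a stored value can never become markup in the page."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


# Constructed test inputs for the 'Name' field.
SAMPLE_INPUTS = [
    "Jane O'Neil",                            # legitimate name with an apostrophe
    "thequickbrownfoxjumpsoverthelazydog",    # the article's 35-letter length probe
    "<script>alert(1)</script>",              # tag / script input the field must refuse
]


if __name__ == "__main__":
    conn = open_db()
    for value in SAMPLE_INPUTS:
        problems = validate_name(value)
        if problems:
            print(repr(value), "rejected:", problems)
        else:
            print(repr(value), "stored as row", store_name(conn, value))
    print(render_name("<b>not bold</b>"))
```

Note that the apostrophe in a legitimate name is handled by the bound parameter rather than by stripping it, which is the difference between validation and escaping: validation narrows what is accepted, parameterization and escaping make whatever is accepted safe in its destination.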
Service Access Points
Approach to Software Security Testing
- Study of Security Architecture
- Analysis of Security Requirements
- Classifying Security Testing
- Developing Objectives
- Threat Modeling
- Test Planning
- Execution
- Reports