Marlabs Test Digest, January 2014
Volume V

Inside this issue:
Security Testing: An Overview 2
Marlabs Testing Updates 6
Quality News & Views 7
Know Your Mate 8
Cartoon Space 8

This is the time when we in the software industry look forward to new developments, trends and opportunities in the year ahead. As per Gartner, "The convergence of 4 powerful forces: social, mobile, cloud and information, continues to drive change and create new opportunities". Included in Gartner's top ten technologies and trends that will be strategic for most organizations in 2014 and the near future are, under mobile technology, (1) device diversity and (2) growth of apps; under cloud, (1) hybrid cloud, (2) personal cloud and (3) cloud-client architecture; apart from others like the Internet of Things, smart machines etc. Even in our context, we have seen during 2013 that many of the new projects had a strong presence of mobile testing, testing for multiple platforms/devices/browsers, cloud-based test environments and functional/performance testing delivered over the cloud. This looks all set to continue and grow further during the year. We have a focus to deepen competencies and come out with value-added solutions specifically in these areas, of which you will hear more in the days to come. We look forward to collaboratively expanding the growth of Testing services at Marlabs and making 2014 a successful year for all of us.
Test Digest © 2014 Marlabs Software Pvt Ltd, Page 2

Security Testing: An Overview

In 2009, Heartland Payment Systems, Inc., a leading debit, prepaid and credit card processing company which processes more than 11 million transactions a day and more than $120 billion in transactions a year, acknowledged that it had been the target of a data breach, with 134 million credit and debit cards exposed to fraud. A group of hackers used SQL injection, one of the most commonly used attack techniques, to install spyware on Heartland's data systems and stole the credit card data. It could have been avoided if proper and complete security testing had been performed on the application. It is clear that attacks targeting web applications are on the rise, as stories like these are all too common. Common flaws such as SQL injection, cross-site scripting, poor input validation and broken authentication make it possible for attackers to easily infiltrate these applications, disrupt application availability and destroy or steal sensitive and private information like Social Security numbers and credit card numbers. Also, vulnerable web applications not only allow these miscreants to steal and manipulate information within that application, but also to use it as an entry point to the corporate network and back-end applications.
In order to understand security testing, we first have to understand what security is.

What is Security?
Security is a set of measures to protect an application against unforeseen actions that cause it to stop functioning or to be exploited. Unforeseen actions can be either intentional or unintentional.

What is Security Testing?
Security testing ensures that the systems and applications in an organization are free from any loopholes that may cause a big loss. Security testing of any system is about finding all possible loopholes and weaknesses of the system which might result in loss of information at the hands of employees or outsiders of the organization.
Ashwani Singha
The goal of security testing is to identify threats in the system and measure its potential vulnerabilities. Security testing of any application or software should cover the six basic security concepts:
1. Confidentiality: A security measure which protects against the disclosure of information to parties other than the intended recipient.
2. Integrity: A measure intended to allow the receiver to determine that the information provided to it is correct.
3. Authentication: The process of establishing the identity of the user. Authentication can take many forms including but not limited to passwords, biometrics, radio frequency identification, etc.
4. Authorization: The process of determining that a requester is allowed to receive a service or perform an operation.
5. Availability: Assuring that information and communications services will be ready for use when expected. Information must be kept available to authorized persons when they need it.
6. Non-repudiation: A measure intended to prevent the later denial that an action happened or that a communication took place. In communication terms this often involves the interchange of authentication information combined with some form of provable time stamp.
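As an added illustration of concepts 2, 3 and 6 (not code from the Test Digest article), the following Python shows a message envelope whose receiver can check integrity (the body was not altered), origin (only a holder of the shared key could have produced the tag) and freshness (the time stamp is recent). The shared key, the message text and the clock values are constructed sample values; the function names seal and verify are this example's own.

```python
"""Added example: an integrity-protected, time-stamped message envelope.
Standard library only; all keys, messages and clock values are constructed."""
import hmac
import hashlib
import json

# Constructed sample secret shared by sender and receiver (hypothetical).
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300  # reject envelopes older than five minutes


def _tag(key: bytes, payload: bytes) -> str:
    """HMAC-SHA256 over the serialized body, hex encoded."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def seal(key: bytes, message: str, sent_at: int) -> dict:
    """Sender side: wrap the message and time stamp, then tag them together.

    Because the tag covers both fields, neither can be altered without the
    receiver noticing (integrity), and only a key holder could have produced
    the tag (authentication of origin)."""
    body = json.dumps({"msg": message, "ts": sent_at}, sort_keys=True)
    return {"body": body, "tag": _tag(key, body.encode())}


def verify(key: bytes, envelope: dict, now: int) -> tuple:
    """Receiver side: returns (accepted, reason)."""
    expected = _tag(key, envelope["body"].encode())
    # compare_digest avoids leaking tag bytes through timing differences.
    if not hmac.compare_digest(expected, envelope.get("tag", "")):
        return False, "tag mismatch: body or tag altered, or wrong key"
    sent_at = json.loads(envelope["body"])["ts"]
    if now - sent_at > MAX_AGE_SECONDS:
        return False, "stale: time stamp too old (possible replay)"
    if sent_at > now + 60:
        return False, "time stamp in the future"
    return True, "ok"


def demo() -> dict:
    """Run the three cases a tester would check and return the outcomes."""
    env = seal(SHARED_KEY, "transfer 100 to account A", sent_at=1_000_000)
    genuine = verify(SHARED_KEY, env, now=1_000_010)

    # Constructed tampering: change the payee but keep the original tag.
    tampered = dict(env)
    tampered["body"] = env["body"].replace("account A", "account B")
    altered = verify(SHARED_KEY, tampered, now=1_000_010)

    # Constructed replay: the genuine envelope presented an hour later.
    replayed = verify(SHARED_KEY, env, now=1_000_000 + 3600)
    return {"genuine": genuine, "altered": altered, "replayed": replayed}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} accepted={ok} ({why})")
```

One caveat worth keeping in mind when testing for non-repudiation: an HMAC proves origin only to the other holder of the same key, and since both parties hold it, either could have produced the tag. Non-repudiation in the sense of concept 6 needs a digital signature made with a key only the sender holds, plus a time stamp from a source the receiver trusts; the freshness check above shows the time-stamp half of that idea.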
Integration of security processes with the SDLC:
One of the most common questions is when to perform security testing. Most people believe that the effective way to perform security testing is when the application is completely developed and deployed on a production-like environment (often referred to as the Staging or Pre-Prod environment). But it is more effective when implemented during every phase of the SDLC. It is generally agreed that the cost will be higher if we postpone security testing until after the software implementation phase or after deployment. So it is necessary to involve security testing in the earlier phases of the SDLC life cycle. Let's look into the corresponding security processes to be adopted for every phase of the SDLC:
SDLC Phase               Security Processes
Requirements             Security analysis for requirements and checking of abuse/misuse cases
Design                   Security risk analysis for the design. Development of a test plan including security tests
Coding and Unit Testing  Static and dynamic testing and security white-box testing
Integration Testing      Black-box testing
System Testing           Black-box testing and vulnerability scanning
Implementation           Penetration testing, vulnerability scanning
Support                  Impact analysis of patches
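The "Coding and Unit Testing" row above asks for security white-box testing during development. As an added example (not from the article or from Marlabs), the following Python shows what such a unit test looks like for the SQL injection flaw the Heartland case illustrates: the same user lookup is written once with string concatenation and once with a bound parameter, and the test records how each behaves on a hostile username. It uses sqlite3 from the standard library; the users table, its rows and the function names are constructed for the example.

```python
"""Added example: a security unit test for SQL injection, run against an
in-memory SQLite database with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and data (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "1111"), ("bob", "2222"), ("carol", "3333")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # DEFECT: user input is spliced into the SQL text, so a quote character in
    # the input changes the structure of the query instead of staying data.
    sql = ("SELECT username, card_last4 FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # FIX: the input travels as a bound parameter; the database compares it
    # as a string value whatever characters it contains.
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed hostile input for the test: it closes the quoted literal and
# appends a condition that is always true.
HOSTILE_USERNAME = "x' OR '1'='1"


def security_unit_test() -> dict:
    """Row counts returned by each implementation for a normal and a hostile
    username. A passing build requires the hardened path to return no rows
    for the hostile input."""
    conn = make_db()
    return {
        "vuln_normal": len(lookup_vulnerable(conn, "alice")),
        "vuln_hostile": len(lookup_vulnerable(conn, HOSTILE_USERNAME)),
        "safe_normal": len(lookup_hardened(conn, "alice")),
        "safe_hostile": len(lookup_hardened(conn, HOSTILE_USERNAME)),
    }


if __name__ == "__main__":
    for case, rows in security_unit_test().items():
        print(f"{case:13s} rows={rows}")
```

The vulnerable lookup returns every row in the table for the hostile input, which is exactly the card-data exposure the article opens with; the parameterized lookup returns nothing, because the driver never lets the input be interpreted as SQL. Writing this as a unit test keeps the check in the build rather than leaving it to a late penetration test.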
Application Security
Application security is usually the use of software, hardware, and procedural methods to protect applications from external threats.
Application Security Testing Objective
The major objectives of application security testing are to:
1. Identify and understand the existing vulnerabilities
2. Provide recommendations and corrective actions for improvement
3. Examine and analyze the safeguards of the system and the operational environment
How to Approach Application Security Testing:
There are many ways to perform application security testing, but a key approach is Web Application Penetration Testing (WAPT). WAPT is a legally authorized, non-functional assessment carried out to identify loopholes or weaknesses, otherwise known as vulnerabilities. These vulnerabilities, if exploited by a malicious user (attacker/hacker), may affect the confidentiality, integrity and availability of the web application and/or the information distributed by it. Some of the loopholes or vulnerabilities plaguing web applications are SQL Injection (Structured Query Language Injection), XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), Remote File Include, etc. Apart from these, vulnerabilities may exist in the underlying infrastructure, such as the Operating System, Web Server, Application Server, Database Server, etc. WAPT therefore aims at identifying and reporting the presence of these vulnerabilities.
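Two of the web application flaws named above, XSS and CSRF, have fixes that a tester should know well enough to recognise when they are missing. The following Python is an added example (not from the article or any framework the article mentions): a page fragment rendered without and with HTML encoding, and a state-changing handler that ties each request to a per-session token. The session and form dictionaries stand in for what a real web framework would provide; the names render_vulnerable, render_hardened, issue_csrf_token and handle_transfer are this example's own.

```python
"""Added example: cross-site scripting and cross-site request forgery, each
shown as the defect beside its usual fix. Standard library only; the request
and session objects are constructed stand-ins."""
import html
import hmac
import secrets

# --- Cross-site scripting: render a user-supplied search term into a page ---


def render_vulnerable(term: str) -> str:
    # DEFECT: the raw string is placed into HTML, so any markup in it is
    # interpreted by the browser as part of the page.
    return "<p>Results for: " + term + "</p>"


def render_hardened(term: str) -> str:
    # FIX: encode for the HTML text context before interpolating. quote=True
    # also encodes quote characters, which matters when the value lands in an
    # attribute rather than in text.
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


# Constructed hostile input: a search term that contains markup.
HOSTILE_TERM = '<img src=x onerror="alert(1)">'


def xss_check() -> dict:
    """Does the rendered page still contain a live tag from the input?"""
    return {
        "vulnerable_has_tag": "<img" in render_vulnerable(HOSTILE_TERM),
        "hardened_has_tag": "<img" in render_hardened(HOSTILE_TERM),
        "hardened_output": render_hardened(HOSTILE_TERM),
    }


# --- Cross-site request forgery: bind state-changing requests to the session ---


def issue_csrf_token(session: dict) -> str:
    """Generate a random per-session token, store it server side, and return
    it so the real form can embed it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def handle_transfer(session: dict, form: dict) -> str:
    """A state-changing handler. A request forged from another site carries
    the victim's cookies (and hence the session) but cannot read the token
    from the genuine form, so a missing or wrong token is rejected."""
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "403 rejected: CSRF token missing or invalid"
    return f"200 transferred {form.get('amount')} to {form.get('to')}"


def csrf_check() -> dict:
    """Genuine form submission versus a constructed cross-site request."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    genuine = handle_transfer(
        session, {"to": "bob", "amount": "10", "csrf_token": token})
    forged = handle_transfer(session, {"to": "mallory", "amount": "10"})
    return {"genuine": genuine, "forged": forged}


if __name__ == "__main__":
    print(xss_check())
    print(csrf_check())
```

The encoded output keeps the user's text visible on the page while turning the angle brackets and quotes into entities, so the browser shows the markup instead of executing it. For CSRF, the token check works only because the token is random per session and compared in constant time; a fixed or guessable token would pass the same unit test yet fail a penetration test.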
Benefits of WAPT :
1. Proactive protection of information assets against hacking and unauthorized intrusions
2. Provides an insight into the current security posture of the given web application
3. Provides a hacker’s eye view of the web application
4. Aids in mitigating costs, improving goodwill and brand value
WAPT Methodology Overview :
WAPT is carried out in a phased manner in order to ensure optimum coverage and at the same time simulate
the fluid actions of a real time hacker. The following figure depicts the flow:
"There are 10 types of people in this world: those who understand binary and those who don't." -- Anonymous
There are five phases to perform WAPT on the application under test.

Phase 1: Information Gathering
This is the most critical phase in the methodology, as all further phases depend on it. As part of this phase, information about the target web application is collected. It includes details of all software, hardware, servers, end users and information provided by the application.

Phase 2: Planning and Analysis
All the data gathered in the above phase is converted into usable information in the form of a customized test plan. An important step in this phase is to prepare a checklist of tasks or areas (URLs) or applicable vulnerabilities to cover.

Phase 3: Vulnerability Assessment
This phase can also be dubbed the active information gathering phase. Various automated scans are run against the target application and its underlying infrastructure (server(s) and network) to get the list of all areas within the application which can be exploited by hackers or are vulnerable to malicious attacks. There are many vulnerability assessment tools, like Nessus and SARA, which can be used to perform vulnerability assessment.

Phase 4: Attack/Penetration
It is in this phase that the actions of a web application hacker are emulated. Based on the information gathered and analyzed in the previous phases, and following the customized test plan, attacks are carried out to identify the presence of vulnerabilities in the application. The techniques and tools used should be the same as those used by a real hacker. This is done in order to gain a hacker's eye view of the application. There are many automated tools which can be used to perform a pen test. In most cases a single tool does not fulfil the entire requirement, so a combination of tools is required to get the maximum result. WebScarab, Nmap, Burp Suite, IBM AppScan, Acunetix Vulnerability Scanner, HP WebInspect etc. are a few tools which one can use to perform a pen test.

Phase 5: Reporting
At the end of the Attack/Penetration phase, a comprehensive report is prepared detailing each finding, assigning a suitable severity level to each, delineating the steps necessary to reproduce the vulnerability, and suggesting recommendations to address every vulnerability found during the assessment.

Top 10 list of web application security threats
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Most of the companies who do perform security testing follow the OWASP model and top threats to validate their applications. Based on the ongoing trend and attacks in the web world, they prepare a top 10 list of web application security threats every 3 years. On June 6, 2013, the OWASP Foundation released the official updated Top 10 web vulnerabilities list for the year 2013 onwards. These top ten threats should always be considered when performing security testing on any web application.
For the current list of top 10 threats, please refer to
https://www.owasp.org/index.php/Top_10_2013-Top_10
"Everything is theoretically impossible, until it is done." -- Robert A. Heinlein
Marlabs Testing Updates

Webinars >>
Website Security Webinars & Presentations: links to a collection of presentations and webinars focused on web application security.
https://www.whitehatsec.com/resource/presentation.html
Testing Principles through Story Telling: understanding the testing principles through stories.
http://www.techgig.com/webinars/Testing-Principles-through-Story-Telling-460
Testing @ Cross Roads: the evolution of testing through the evolution of disruptive and emerging technologies.
http://www.techgig.com/webinars/Testing-Cross-Roads-457
Cloud Security for e-commerce & banking: ways to implement security in a cloud environment.
http://www.techgig.com/expert-speak/IT-Security-Series-Session-6-Cloud-Security-for-e-commerce-banking-348
A Web Security Testing Program with OWASP ZAP and ThreadFix: webinar recording on running a web security testing program with OWASP ZAP and ThreadFix.
http://blog.denimgroup.com/denim_group/2013/04/webinar-recording-online-running-a-web-security-testing-program-with-owasp-zap-and-threadfix.html

eBooks, Whitepapers & Columns >>
Automated Security Testing of web applications using OWASP Zed Attack Proxy: this document talks about the security testing tool ZAP.
https://blog.codecentric.de/en/2013/10/automated-security-testing-web-applications-using-owasp-zed-attack-proxy/
SANS Mobile Application Security Whitepaper: the current state of organizational awareness regarding mobile application risk, as well as how enterprises are mitigating this risk.
https://info.veracode.com/whitepaper-sans-mobile-application-security.html
A Strategic Approach to Web Application Security: this white paper breaks down the total cost factors of web application security into specific risk categories associated with successful attacks.
https://www.whitehatsec.com/resource/whitepapers.html
SQL Injection Cheat Sheet: find out how attackers exploit SQL flaws and how to fix and prevent SQL injection vulnerabilities.
https://info.veracode.com/sql-injection-cheat-sheet.html
ThreadFix Open Source Software Vulnerability Management Tool: this document talks about the security testing tool ThreadFix.
http://www.denimgroup.com/resources-threadfix/
Cyber-Security Risks in Public Companies: a study of software-related cyber-security risks in public companies.
https://info.veracode.com/state-of-software-security-volume-4-supplement.html
Rajesh Sundararajan
Sriharsha Kumar B R
Murali Dubutavalu
Varaprasadarao Yarra