Marlabs Test Digest January 2014


Upload: marlabs

Post on 22-Nov-2014


DESCRIPTION

This is the time when we in the software industry look forward to new developments, trends and opportunities in the year ahead. As per Gartner, "The convergence of 4 powerful forces: social, mobile, cloud and information, continues to drive change and create new opportunities." Included in Gartner's top ten technologies and trends that will be strategic for most organizations in 2014 and the near future are: Mobile technology (1) device diversity, (2) growth of apps; Cloud (1) hybrid cloud, (2) personal cloud, (3) cloud-client architecture; apart from others like the Internet of Things, smart machines, etc. Even in our context, we have seen during 2013 that many of the new projects had a strong presence of mobile testing, testing for multiple platforms/devices/browsers, cloud-based test environments and functional/performance testing delivered over the cloud. This looks all set to continue and grow further during the year. We have a focus to deepen competencies and come out with value-added solutions specifically in these areas, of which you will hear more in the days to come.

TRANSCRIPT

Page 1: Marlabs Test Digest January 2014

January 2014, Volume V

Marlab’s

INSIDE THIS ISSUE:

Security Testing: An Overview ... 2
Marlabs Testing Updates ... 6
Quality News & Views ... 7
Know Your Mate ... 8
Cartoon Space ... 8

We look forward to collaboratively expanding the growth of Testing services at Marlabs and making 2014 a successful year for all of us.

Page 2: Marlabs Test Digest January 2014

TEST DIGEST © 2014 MARLABS SOFTWARE PVT LTD, PAGE 2

In 2009, Heartland Payment Systems, Inc., a leading debit, prepaid and credit card processing company which processes more than 11 million transactions a day and more than $120 billion in transactions a year, acknowledged that it had been the target of a data breach, with 134 million credit and debit cards exposed to fraud. A group of hackers used SQL injection, one of the most commonly used attack techniques, to install spyware on Heartland's data systems and steal the credit card data. It could have been avoided if proper and complete security testing had been performed on the application. It is clear that attacks targeting web applications are on the rise, as stories like these are all too common. Common flaws such as SQL injection, cross-site scripting, poor input validation and broken authentication make it possible for attackers to easily infiltrate these applications to disrupt application availability and destroy or steal sensitive and private information like Social Security numbers and credit card numbers. Also, vulnerable web applications not only allow these miscreants to steal and manipulate information within that application, but also to use it as an entry point to the corporate network and back-end applications.

In order to understand security testing, we first have to understand what security is.

What is Security?

Security is a set of measures to protect an application against unforeseen actions that cause it to stop functioning or to be exploited. Unforeseen actions can be either intentional or unintentional.

What is Security Testing?

Security testing ensures that the systems and applications in an organization are free from any loopholes that may cause a big loss. Security testing of any system is about finding all possible loopholes and weaknesses of the system which might result in loss of information at the hands of employees or outsiders of the organization.

Ashwani Singha

Page 3: Marlabs Test Digest January 2014

The goal of security testing is to identify threats in the system and measure its potential vulnerabilities. Security testing of any application or software should cover the six basic security concepts:

1. Confidentiality: A security measure which protects against the disclosure of information to parties other than the intended recipient.

2. Integrity: A measure intended to allow the receiver to determine that the information provided to it is correct.

3. Authentication: The process of establishing the identity of the user. Authentication can take many forms including but not limited to passwords, biometrics, radio frequency identification, etc.

4. Authorization: The process of determining that a requester is allowed to receive a service or perform an operation.

5. Availability: Assuring that information and communication services will be ready for use when expected. Information must be kept available to authorized persons when they need it.

6. Non-repudiation: A measure intended to prevent the later denial that an action happened or that a communication took place. In communication terms this often involves the interchange of authentication information combined with some form of provable time stamp.

Integration of security processes with the SDLC:

One of the most common questions is when to perform security testing. Most people believe that the effective way to perform security testing is when the application is completely developed and deployed on a production-like environment (often referred to as a Staging or Pre-Prod environment). But it is more effective when implemented during every phase of the SDLC. It is generally agreed that the cost will be higher if we postpone security testing until after the software implementation phase or after deployment. So it is necessary to involve security testing in the earlier phases of the SDLC. Let’s look into the corresponding security processes to be adopted for every phase in the SDLC:

continuation of ‘Security Testing ..’

SDLC Phases and Security Processes

Requirements: Security analysis for requirements and check abuse/misuse cases
Design: Security risk analysis for the design. Development of a test plan including security tests
Coding and Unit Testing: Static and dynamic testing and security white-box testing
Integration Testing: Black-box testing
System Testing: Black-box testing and vulnerability scanning
Implementation: Penetration testing, vulnerability scanning
Support: Impact analysis of patches
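As an added example that is not part of the newsletter: a white-box security unit test of the kind the "Coding and Unit Testing" row calls for, written in Python against an in-memory SQLite table with constructed sample data. It places the string-concatenated lookup that enables the SQL injection flaw the article cites beside its parameterised form, and a check that fails the vulnerable one before the code ever reaches the staging environment.

```python
import sqlite3

# Constructed sample data: a minimal account table of the kind a card-processing
# application might query. Not taken from the newsletter.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, card_last4 TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)",
                    [("alice", "4242"), ("bob", "1881")])
    return con

def lookup_vulnerable(con, username):
    """Builds the query by string concatenation, so user-controlled text
    becomes part of the SQL statement (the flaw behind SQL injection)."""
    sql = "SELECT card_last4 FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, username):
    """Parameterised query: the driver sends the value separately from the SQL
    text, so the input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT card_last4 FROM accounts WHERE username = ?"
    return [row[0] for row in con.execute(sql, (username,))]

# Textbook tautology input used by the test: a username that is also valid SQL.
HOSTILE_USERNAME = "x' OR '1'='1"

def security_unit_test(lookup):
    """White-box security test for the coding phase: a username that matches no
    account must return no rows, whatever characters it contains.
    Returns True when the lookup passes and False when it leaks data."""
    con = make_db()
    try:
        leaked = lookup(con, HOSTILE_USERNAME)
    except sqlite3.Error:
        # A database error on hostile input is also a failure: it shows the
        # input reached the SQL parser at all.
        return False
    finally:
        con.close()
    return leaked == []

if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_vulnerable),
                     ("parameterised", lookup_safe)):
        verdict = "PASS" if security_unit_test(fn) else "FAIL"
        print(f"{name}: {verdict}")
```

The concatenated version returns every account's data for the hostile username and fails the test; the parameterised version returns nothing and passes.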

Page 4: Marlabs Test Digest January 2014


Application Security

Application security is usually the use of software, hardware, and procedural methods to protect applications from external threats.

Application Security Testing Objective

The major objectives of application security testing are to:

1. Identify and understand the existing vulnerabilities

2. Provide recommendations and corrective actions for improvement

3. Examine and analyze the safeguards of the system and the operational environment

How to Approach Application Security Testing:

There are many ways to perform application security testing, but a key approach is Web Application Penetration Testing (WAPT). WAPT is a legally authorized, non-functional assessment carried out to identify loopholes or weaknesses, otherwise known as vulnerabilities. These vulnerabilities, if exploited by a malicious user (attacker/hacker), may affect the confidentiality, integrity and availability of the web application and/or the information distributed by it. Some of the loopholes or vulnerabilities plaguing web applications are SQL Injection (Structured Query Language Injection), XSS (Cross Site Scripting), CSRF (Cross Site Request Forgery), Remote File Inclusion, etc. Apart from these, vulnerabilities may exist in the underlying infrastructure like the Operating System, Web Server, Application Server, Database Server, etc. WAPT therefore aims at identifying and reporting the presence of these vulnerabilities.

Benefits of WAPT :

1. Proactive protection of information assets against hacking and unauthorized intrusions

2. Provides an insight into the current security posture of the given web application

3. Provides a hacker’s eye view of the web application

4. Aids in mitigating costs and improving goodwill and brand value

WAPT Methodology Overview:

WAPT is carried out in a phased manner in order to ensure optimum coverage and at the same time simulate the fluid actions of a real-time hacker. The following figure depicts the flow:


“There are 10 types of people in this world: those who understand binary and those who don’t.” -- Anonymous

Page 5: Marlabs Test Digest January 2014


There are five phases to perform WAPT on the application under test.

Phase 1: Information Gathering

This is the most critical phase in the methodology, as all further phases depend on it. As a part of this phase, information about the target web application is collected. It includes details of all software, hardware, servers, end users and information provided by the application.

Phase 2: Planning and Analysis

All the data gathered in the above phase is converted into usable information in the form of a customized test plan. An important step in this phase is to prepare a checklist of tasks or areas (URLs) or applicable vulnerabilities to cover.

Phase 3: Vulnerability Assessment

This phase can also be dubbed the active information gathering phase. Various automated scans are run against the target application and its underlying infrastructure (server(s) and network) to get the list of all areas within the application which can be exploited by hackers or are vulnerable to malicious attacks. There are many vulnerability assessment tools like Nessus and SARA which can be used to perform vulnerability assessment.

Phase 4: Attack/Penetration

It is under this phase that the actions of a web application hacker are emulated. Based on the information gathered and analyzed in previous phases and following the customized test plan, attacks are carried out to identify the presence of vulnerabilities in the application. The techniques and tools used should be the same as those used by a real hacker. This is done in order to gain a hacker’s eye view of the application. There are many automated tools which can be used to perform a pen test. In most cases a single tool does not fulfill the entire requirement, so a combination of tools is required to get the maximum result. WebScarab, Nmap, Burp Suite, IBM AppScan, Acunetix Vulnerability Scanner, HP WebInspect, etc. are a few tools which one can use to perform a pen test.

Phase 5: Reporting

At the end of the Attack/Penetration phase, a comprehensive report is prepared detailing each finding, assigning a suitable severity level to each, delineating the steps necessary to reproduce the vulnerability, and suggesting recommendations to address every vulnerability found during the assessment.

Top 10 list of web application security threats

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Most of the companies who do perform security testing follow the OWASP model and top threats to validate their applications. Based on the ongoing trend and attacks in the web world, they prepare a top 10 list of web application security threats every 3 years. On June 6, 2013, the OWASP Foundation released the official updated Top 10 web vulnerabilities list for the year 2013 onwards. These top ten threats should always be considered when performing security testing on any web application.

For the current list of top 10 threats, please refer to https://www.owasp.org/index.php/Top_10_2013-Top_10


"Everything is theoretically impossible, until it is done.” -- Robert A. Heinlein

Page 6: Marlabs Test Digest January 2014


Webinars >>

Website Security Webinars & Presentations: This links to a collection of presentations and webinars focused on web application security.
https://www.whitehatsec.com/resource/presentation.html

Testing Principles through Story Telling: Understanding the testing principles through stories.
http://www.techgig.com/webinars/Testing-Principles-through-Story-Telling-460

Testing @ Cross Roads: Evolution of testing through the evolution of disruptive and emerging technologies.
http://www.techgig.com/webinars/Testing-Cross-Roads-457

Cloud Security for e-commerce & banking: Ways to implement security in a cloud environment.
http://www.techgig.com/expert-speak/IT-Security-Series-Session-6-Cloud-Security-for-e-commerce-banking-348

A Web Security Testing Program With OWASP ZAP and ThreadFix: Webinar recording on running a web security testing program with OWASP ZAP and ThreadFix.
http://blog.denimgroup.com/denim_group/2013/04/webinar-recording-online-running-a-web-security-testing-program-with-owasp-zap-and-threadfix.html

eBooks, Whitepapers & Columns >>

Automated Security Testing of web applications using OWASP Zed Attack Proxy: This document talks about the security testing tool ZAP.
https://blog.codecentric.de/en/2013/10/automated-security-testing-web-applications-using-owasp-zed-attack-proxy/

SANS Mobile Application Security Whitepaper: This talks about the current state of organizational awareness regarding mobile application risk, as well as how enterprises are mitigating this risk.
https://info.veracode.com/whitepaper-sans-mobile-application-security.html

A Strategic Approach to Web Application Security: This white paper breaks down the total cost factors of web application security into specific risk categories associated with successful attacks.
https://www.whitehatsec.com/resource/whitepapers.html

SQL Injection Cheat Sheet: Find out how attackers exploit SQL flaws and how to fix and prevent SQL injection vulnerabilities.
https://info.veracode.com/sql-injection-cheat-sheet.html

ThreadFix Open Source Software Vulnerability Management Tool: This document talks about the security testing tool ThreadFix.
http://www.denimgroup.com/resources-threadfix/

Cyber-Security Risks in Public Companies: Study of software-related cyber-security risks in public companies.
https://info.veracode.com/state-of-software-security-volume-4-supplement.html

Page 7: Marlabs Test Digest January 2014


Rajesh Sundararajan
Sriharsha Kumar B R
Murali Dubutavalu
Varaprasadarao Yarra