Diving deeper into security testing
With the world increasingly relying on software and the internet for just about anything, it only makes sense that security receives so much focus. After all, with so much critical data lying around, it is important that companies place heavy emphasis on security testing and the process of identifying their security flaws to ensure their software is safe.
The biggest issue with software security, and with testing for it, is the pace of change in the number and types of vulnerabilities. While there are ways we can secure our code against a wide range of known vulnerabilities and detections, that doesn’t mean there aren’t plenty of other potential security holes that could come from any number of issues in third-party applications, browsers, operating systems and networking systems that are often beyond your control. Still, conducting the testing methods below should help to ensure that you can detect all known security risks and fix these problems correctly during development.
One of the main reasons I’ve seen people steer clear of security testing is that they believe it is a very niche and highly specialised form of testing, and so they leave it to the security professionals and ethical hackers out there. I personally would always recommend that companies make use of that expertise, largely because security is not something you can compromise on. However, there is a lot that any tester or engineer can bring to the table in the security testing process, and the more regularly you test your security, the easier it is to maintain even when delivering changes to software rapidly.
Types of Security Testing:
Mainstream entertainment may show hackers or security professionals as highly sophisticated and cool coders, but the truth is that a lot of security testing, and the ethical hacking component of it, relies far more on using many tools and tricks to help find flaws than on some programmatic genius.
There are seven main types of security tests and assessments that you will need to be aware of and consider applying to your software system. Each topic can easily be delved into in more detail by security experts, and I will admit that I am not one. It is important, though, to understand them all at a high level and to know when and where to apply them, to help ensure the correct security measures are in place in your software:
Vulnerability Scanning: This is done through automated software that scans a system against known vulnerability signatures. It will scan your code and look for parts of it that are vulnerable to the likes of SQL or code injection, along with many other known vulnerabilities that may exist in certain packages.
Security Scanning: It involves identifying network and system weaknesses and identifying solutions for reducing these risks. Much like vulnerability scanning, there are many tools available that can scan networks to identify these risks.
Penetration testing: This kind of testing simulates an attack from a malicious hacker. This testing involves the analysis of a particular system to check for potential vulnerabilities to an external hacking attempt. This differs from the traditional ethical hacking described later, as it reproduces a known approach and can be automated, rather than having a group of hackers looking to replicate and find flaws in a more exploratory manner.
Risk Assessment: Less a form of testing and more an evaluation of the different risks, to help identify what needs to be prioritised and focused on most. Risks are classified as Low, Medium, and High. Controls and measures are normally associated with each risk to help identify ways of mitigating it, which further helps an organisation make the right decisions in tackling these security risks.
Security Auditing: This is an internal inspection of applications and operating systems for security flaws. An audit can also be done via line-by-line inspection of code.
Ethical hacking: This is hacking an organisation's software system. Unlike malicious hackers, who steal for their own gain, the intent is to expose security flaws in the system.
Posture Assessment: An extension of the risk assessment above. This combines Security scanning, Ethical Hacking, and Risk Assessments to show an overall security posture of an organization.
How to do Security Testing
Much like all other phases of software development, the earlier you can identify and prevent security flaws, the better. This shouldn’t be something left to the end of a project. It’s also something that teams should formulate a strategy for addressing and utilise various tools and approaches to help them identify security flaws through their development lifecycles and sprints.
The above phases show the type of testing that should be conducted at each phase of a development lifecycle. The boundaries are obviously blurred in an agile and DevOps world, but covering all these aspects of testing remains incredibly important.
Have a properly documented strategy
One thing that is very important when it comes to security testing, and that is often disregarded these days, is a proper strategy. People have forgone many aspects of documentation, building traceability into their various tools instead and working in a more ad-hoc and flexible way. With security, though, you can’t take chances, so you need to ensure that a proper strategy is developed, documented and clearly implemented in the SDLC as above, so that teams are clear on when and how to test for vulnerabilities.
Having it properly documented and outlined also makes it easier from an auditing perspective, because that is one aspect of your development that auditors will latch on to and you want to ensure you have your bases covered here.
Any proper test strategy around security should include the following:
Security-related test cases or scenarios
Test Data related to security testing
Test Tools required for security testing
Analysis of the outputs of the various tests from the different security tools
The reason for this multi-pronged approach is that software security is complex, but also something you can’t compromise on. You want to hit it in as many places as possible and as often as possible.
Your test strategy should include not only a documented outline of approach, tools, and analysis; it is often also helpful to include specifics on which tests need to be executed as a bare minimum beyond the default scans, to ensure that the basics are taken care of.
Examples of Test Scenarios for Security Testing:
Sample test scenarios to give you a glimpse of security test cases:
A password should be in an encrypted format
Application or System should not allow invalid users
Check cookies and session time for application
For financial sites, the Browser back button should not work.
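The four scenarios above can be turned into executable checks. The following is an added example, not code from the original article: a constructed, in-memory stand-in for an application (the hash_password, login and response_headers functions are hypothetical) and one check per scenario that a tester could run against it. The password check treats "encrypted format" as a salted password hash, which is the form a stored password should take; the back-button check looks for the Cache-Control no-store directive, which is what stops a browser re-showing a page from its cache after logout.

```python
# Added example (not from the original article): executable checks for the
# four sample scenarios, run against a constructed in-memory stand-in for an
# application. Every name here is hypothetical.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # constructed choice for the stand-in app


# ---- constructed stand-in for the system under test ----------------------
def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored record never contains the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


USERS = {"alice": hash_password("correct horse battery staple")}
DUMMY_HASH = hash_password("not-a-real-user")  # keeps unknown-user timing similar


def login(username: str, password: str) -> bool:
    stored = USERS.get(username)
    ok = verify_password(password, stored if stored else DUMMY_HASH)
    return ok and stored is not None


def response_headers(path: str) -> dict:
    """Headers the stand-in app sends for a logged-in page (constructed)."""
    return {
        "Set-Cookie": "session=c0ffee; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=900",
        "Cache-Control": "no-store, no-cache, must-revalidate",
    }


# ---- the security checks ---------------------------------------------------
def check_password_storage(stored: str, plaintext: str) -> bool:
    """Scenario 1: stored value is not the plaintext, is salted, and still verifies."""
    if plaintext in stored:
        return False                                  # plaintext leaked into storage
    if hash_password(plaintext) == stored:
        return False                                  # no per-record salt
    return verify_password(plaintext, stored)


def check_invalid_users_rejected() -> bool:
    """Scenario 2: wrong password and unknown user both fail; the real user succeeds."""
    return (not login("alice", "wrong password")
            and not login("mallory", "correct horse battery staple")
            and login("alice", "correct horse battery staple"))


def _cookie_attrs(set_cookie: str) -> dict:
    attrs = {}
    for part in set_cookie.split(";")[1:]:            # first part is name=value
        key, _, value = part.strip().partition("=")
        attrs[key.lower()] = value
    return attrs


def check_session_cookie(headers: dict, max_lifetime: int = 1800) -> bool:
    """Scenario 3: session cookie is Secure, HttpOnly, has SameSite and a bounded lifetime."""
    attrs = _cookie_attrs(headers.get("Set-Cookie", ""))
    lifetime = attrs.get("max-age", "")
    return ("secure" in attrs
            and "httponly" in attrs
            and attrs.get("samesite", "").lower() in {"strict", "lax"}
            and lifetime.isdigit() and int(lifetime) <= max_lifetime)


def check_back_button_blocked(headers: dict) -> bool:
    """Scenario 4: no-store stops the browser re-serving the page from cache on Back."""
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    return "no-store" in directives


def run_all() -> dict:
    headers = response_headers("/account")
    return {
        "password_stored_hashed": check_password_storage(USERS["alice"], "correct horse battery staple"),
        "invalid_users_rejected": check_invalid_users_rejected(),
        "session_cookie_hardened": check_session_cookie(headers),
        "back_button_blocked": check_back_button_blocked(headers),
    }


if __name__ == "__main__":
    for name, passed in run_all().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Against a real application the stand-in functions would be replaced by a database read and an HTTP request, but the checks themselves stay the same, which is what makes them suitable for a documented strategy that is re-run on every build.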
Methodologies/ Approach / Techniques for Security Testing
In security testing, different methodologies are followed, and they are as follows:
Tiger Box: This hacking is usually done on a laptop that has a collection of OSs and hacking tools. This setup helps penetration testers and security testers to conduct vulnerability assessments and attacks.
Black Box: Tester is authorised to do testing on everything about the network topology and the technology.
Grey Box: Partial information is given to the tester about the system, and it is a hybrid of white and black box models.
Security Testing Tools
Given the reliance on tools to assess and detect security vulnerabilities effectively, it's important to have a look at some of the different tools available, to help companies assess which will work for them.
The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving the security of software. The project has multiple tools to pen test various software environments and protocols. Flagship tools of the project include:
Zed Attack Proxy (ZAP – an integrated penetration testing tool)
OWASP Dependency Check (it scans a project's dependencies and checks them against known vulnerabilities)
OWASP Web Testing Environment Project (collection of security tools and documentation)
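The vulnerability scanning described earlier, and Dependency Check in particular, come down to one matching step: compare each declared dependency's version against a database of known-vulnerable version ranges. The following added example (my own code, not OWASP's or the author's) shows that step on a constructed requirements list and a constructed advisory database; the package names, versions and ADV-EXAMPLE ids are placeholders, not real advisories, and the fails_threshold gate is an assumed CI policy.

```python
# Added example (not OWASP's or the author's code): the core matching step of
# a dependency scanner. Package names, versions and advisory ids are
# constructed placeholders, not real advisories.
from dataclasses import dataclass
from typing import List, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, e.g. ADV-EXAMPLE-0001
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" means no fix yet
    severity: str


# Constructed "known vulnerability" database.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "examplelib", "1.0.0", "1.5.0", "HIGH"),
    Advisory("ADV-EXAMPLE-0002", "otherlib", "2.0", "3.0.0", "MEDIUM"),
    Advisory("ADV-EXAMPLE-0003", "thirdlib", "0.1.0", "", "CRITICAL"),
]

# Constructed requirements file for the project being scanned.
REQUIREMENTS = """
# pinned dependencies (constructed sample)
examplelib==1.4.2
OtherLib==3.0.1
thirdlib==0.9
safelib==2.2.0
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.4' and '1.4.0' must compare equal, so pad to three components."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def normalise(name: str) -> str:
    return name.strip().lower().replace("_", "-")


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (package, version) for every pinned 'name==version' line."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue                       # unpinned lines cannot be matched exactly
        name, version = line.split("==", 1)
        deps.append((normalise(name), version.strip()))
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


def scan(requirements_text: str, advisories=ADVISORIES) -> List[dict]:
    """Cross every pinned dependency with every advisory for the same package."""
    findings = []
    for package, version in parse_requirements(requirements_text):
        for adv in advisories:
            if normalise(adv.package) == package and is_affected(version, adv):
                findings.append({
                    "package": package, "version": version,
                    "advisory": adv.advisory_id, "severity": adv.severity,
                    "fixed_in": adv.fixed or "no fix available",
                })
    return findings


def fails_threshold(findings: List[dict], threshold: str = "HIGH") -> bool:
    """CI gate (assumed policy): true when any finding is at or above the severity."""
    return any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold] for f in findings)


if __name__ == "__main__":
    results = scan(REQUIREMENTS)
    for f in results:
        print(f"{f['severity']:8} {f['package']}=={f['version']}  "
              f"{f['advisory']}  fixed in: {f['fixed_in']}")
    print("build fails:", fails_threshold(results))
```

Two details matter in practice and are handled here: package names are normalised before matching, because "OtherLib" and "otherlib" are the same dependency, and versions are padded so that "0.9" and "0.9.0" compare equal. Real scanners add version qualifiers, transitive dependencies and a regularly refreshed advisory feed on top of the same idea.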
Wireshark is a network analysis tool previously known as Ethereal. It captures packets in real time and displays them in a human-readable format. Basically, it is a network packet analyser which provides the minute details of your network protocols, decryption, packet information, etc. It is open-source and can be used on Linux, Windows, OS X, Solaris, NetBSD, FreeBSD, and many other systems. The information retrieved via this tool can be viewed through a GUI or, in TTY mode, with the TShark utility.
w3af is a web application attack and audit framework. It has three types of plugins: discovery, audit, and attack, which communicate with each other to find vulnerabilities in the site. For example, a discovery plugin in w3af looks for different URLs to test for vulnerabilities and forwards them to the audit plugin, which then uses these URLs to search for vulnerabilities.
You can't compromise on the security of your software and therefore can't afford to compromise on the effectiveness of your testing strategy for it. And it's not just a job for certain experts; it is vital that every member of a team does their part to ensure secure coding practices and proper testing efforts are followed.