The Basic Guide to Security Testing
Why is security testing necessary?
It is mainly due to the reliance of businesses on software and the increasing use of open-source components for developing software. As these open-source components extend across the organization, access various types of sensitive data, and become relevant to daily operations, the risk associated with data breach or exploitation of vulnerable code grows enormously.
What are the types of security threats?
The following threats are used to take advantage of security vulnerabilities:
Cross-Site Scripting (XSS)
XSS is a computer security vulnerability found in web applications. It allows attackers to inject client-side script into web pages viewed by other users and trick a user into clicking on a URL that delivers it. Once executed by the other user’s browser, the code can then perform actions including completely changing the website’s behavior, stealing personal data, or performing actions on the legitimate user’s behalf.
Here, hackers change data used by a website to gain some advantage or embarrass the website’s owner/s. Hackers often gain access to HTML pages and change them to be satirical or offensive.
Denial of Service (DoS)
A DoS attack is an explicit attempt to make a machine or network resource unavailable to its legitimate users. Applications are also attacked in ways that render them and, sometimes, the entire machine unusable.
It is a technique where a hacker uses the credentials of a legitimate user or device to launch attacks against network hosts, steal data, or bypass access controls. To prevent this attack, we need to have IT-infrastructure and network-level mitigations.
It is a type of attack where hackers have an account on a system and use it to increase their system privileges to a higher level than they are meant to have. If successful, this attack can result in hackers gaining privileges as high as root on a UNIX system. Once hackers gain super-user privileges, they can run code with this level of privilege and the entire system is compromised.
SQL injection is the most common application layer attack technique used by hackers, wherein malicious SQL statements are embedded into an entry field for execution. This attack is critical because an attacker can get critical information from the server database. It takes advantage of loopholes in the implementation of web applications. When checking for SQL injection, it is crucial to take care of input fields such as text boxes, comments, etc. Meanwhile, to prevent these injections, it is vital to handle special characters properly or skip them from the input.
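The difference between concatenating input into a statement and binding it as a parameter, shown as an added example (not code from the original article). The table, the sample rows and the function names are constructed for illustration, using Python's built-in sqlite3 module; parameter binding is used here as one way to handle special characters properly.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return db

def login_vulnerable(db, name, password):
    """Deliberately vulnerable: input is concatenated into the SQL text."""
    query = (
        "SELECT name FROM users WHERE name = '" + name +
        "' AND password = '" + password + "'"
    )
    return [row[0] for row in db.execute(query)]

def login_parameterized(db, name, password):
    """Hardened: placeholders keep input as data, never as SQL syntax."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(query, (name, password))]

# Constructed test input of the kind a tester types into a password field.
TAMPERED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Concatenated query: the quote ends the string and the OR matches every row.
    print("vulnerable:   ", login_vulnerable(db, "alice", TAMPERED))
    # Bound parameter: the same input is compared as a literal password.
    print("parameterized:", login_parameterized(db, "alice", TAMPERED))
    # A legitimate login still works, and so does a name containing a quote.
    print("valid login:  ", login_parameterized(db, "alice", "s3cret"))
    print("quoted name:  ", login_parameterized(db, "O'Brien", "x"))
```
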
Unauthorized Data Access
This attack involves gaining unauthorized access to data via data-fetching operations or by monitoring others’ access.
It is the process of manipulating website URL query strings to capture important information. It happens when an application uses the HTTP GET method to pass information between the client and the server. The tester can modify a parameter value in the query string to check if the server accepts it.
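An added example (not from the original article) of the check a tester performs here: replay modified query strings and confirm the server accepts only the request the session is entitled to. The /order route, its parameters and the ORDERS data are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed server-side data: which user owns which order, and its total.
ORDERS = {
    "1001": {"owner": "alice", "total": 250},
    "1002": {"owner": "bob", "total": 90},
}

def handle_get(url, session_user):
    """Return (status, body) for GET /order?id=... (hypothetical route)."""
    params = parse_qs(urlsplit(url).query)
    ids = params.get("id", [])
    # Reject missing, repeated or non-numeric ids instead of guessing.
    if len(ids) != 1 or not ids[0].isdigit():
        return 400, "bad id"
    order = ORDERS.get(ids[0])
    # Same answer for "no such order" and "not yours", so ids cannot be probed.
    if order is None or order["owner"] != session_user:
        return 404, "not found"
    # A client-supplied total is ignored; the stored value is authoritative.
    return 200, f"order {ids[0]} total {order['total']}"

def tamper_check(base_url, session_user, variants):
    """Replay modified query strings and list the ones the server accepted."""
    return [v for v in variants
            if handle_get(base_url + v, session_user)[0] == 200]

if __name__ == "__main__":
    variants = ["?id=1001", "?id=1002", "?id=1001&id=1002", "?id=abc"]
    # Only alice's own order should come back as accepted.
    print(tamper_check("/order", "alice", variants))
    # The tampered total is present in the URL but has no effect.
    print(handle_get("/order?id=1001&total=1", "alice"))
```
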
When identifying and remediating these threats, it is crucial to implement different types of security testing techniques.
What are the different security testing techniques?
With the rise of various attack methods, businesses can no longer rely solely on examining problems with code components. Through the following security testing techniques, we will be able to examine what malicious hackers may do with code to carry out an attack:
Static Application Security Testing (SAST)
SAST searches for signs of security vulnerabilities within software code and binaries while an application is at rest. This method does not identify runtime configuration and access control errors, and it may yield a lot of false positives or negatives.
Dynamic Application Security Testing (DAST)
DAST seeks to identify vulnerable conditions within a running application using techniques such as cross-site scripting and fault injection. This method can identify runtime errors that may have been missed by SAST.
Interactive Application Security Testing (IAST)
IAST uses both SAST and DAST methods, doing so from within an application. It explores application code, connection information, frameworks, libraries, requests and responses, runtime controls, etc.
Open Source Vulnerability Management (OSVM)
As the term suggests, OSVM focuses on open-source components which may pose a threat to an organization. It often identifies open-source security risks, license compliance, and code quality risks.
SAST and DAST methods satisfy security testing needs for custom code but fail to dissect open-source components, unlike OSVM. It is better to prevent vulnerable open-source components from entering projects (using OSVM) than discover and resolve vulnerabilities after deployment. With the proper use of OSVM, businesses can enhance software security by automatically identifying all open-source components, cataloging them in a bill of materials (BOM) and mapping the BOM to known vulnerabilities, as well as instantly identifying and locating vulnerable code and initiating a remediation process.
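An added example (not from the original article or any OSVM product) of mapping a BOM to known vulnerabilities and locating the affected code. The component names, advisory IDs and version ranges are constructed, and it assumes plain dotted numeric versions.

```python
# Constructed BOM: component name, version, and where it is used in the tree.
BOM = [
    {"name": "libexample-xml", "version": "2.4.1", "path": "services/api"},
    {"name": "libexample-xml", "version": "2.10.0", "path": "services/web"},
    {"name": "fastjson-demo", "version": "1.0.3", "path": "services/web"},
    {"name": "tinylog-demo", "version": "0.8.0", "path": "tools/cli"},
]

# Constructed advisory feed: affected range is introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "libexample-xml",
     "introduced": "2.0.0", "fixed": "2.6.0"},
    {"id": "EXAMPLE-ADV-0002", "name": "fastjson-demo",
     "introduced": "0.0.0", "fixed": "1.0.3"},
]

def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare as numbers, not text."""
    return tuple(int(part) for part in text.split("."))

def match_bom(bom, advisories):
    """Return one finding per (component, advisory) pair in the affected range."""
    findings = []
    for comp in bom:
        version = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            low = parse_version(adv["introduced"])
            fixed = parse_version(adv["fixed"])
            if low <= version < fixed:  # the fixed version itself is not affected
                findings.append({
                    "advisory": adv["id"], "component": comp["name"],
                    "version": comp["version"], "path": comp["path"],
                    "upgrade_to": adv["fixed"],
                })
    return findings

if __name__ == "__main__":
    for f in match_bom(BOM, ADVISORIES):
        print(f"{f['advisory']}: {f['component']} {f['version']} "
              f"in {f['path']} -> upgrade to {f['upgrade_to']}")
```

Comparing versions as strings would wrongly flag 2.10.0 as older than 2.6.0, which is why the sketch parses them into tuples first.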
What are the types of security testing services?
The following are the main types of security testing services:
It is an internal inspection of applications and operating systems (OSs) for security flaws which can also be done via line-by-line inspection of the code.
This type of hacking intends to expose security flaws in a system (unlike malicious hackers who steal for their own gains).
This assessment involves the analysis of security risks observed in an organization, which are classified as low, medium, and high. It also recommends controls and measures to reduce the risk.
It involves identifying network and system weaknesses and providing solutions for reducing these risks. It can be performed through both manual and automated scanning.
This assessment combines ethical hacking, risk assessment, and security scanning to describe the overall security posture of an organization.
If an end product requires passing a specific certification (such as ISO, IEC, PCI DSS, or Section Compliance), Testing Hero can include custom test parameters to encompass this.
This testing type simulates an attack from a malicious hacker and involves the analysis of a particular system to check for potential vulnerabilities to an external hacking attempt. Testing Hero’s penetration testing services comprise localized and network security measuring aimed to assess vulnerability and risk.
This type of testing is done through automated software to scan a system against known vulnerability signatures. Testing Hero has tested and developed multiple in-depth automation scripts that test the most commonly found vulnerabilities in web, mobile, and server-based software.
What is the process involved in security testing?
1. Study the business requirements, security goals, and objectives concerning the security compliance of the organization.
2. Analyze the requirements of the application under test.
3. Collect all system setup information used for the development of software and networks, such as OSs, technology, and hardware, and then make a list of vulnerabilities and security risks.
4. Based on the list, prepare a threat profile.
5. Based on the identified threats, vulnerabilities and security risks, prepare a test plan to address these issues. The test plan should include security-related test cases (or scenarios) and test data, security testing tools required, and analysis on various test outputs from different security tools.
6. For each identified threat, vulnerability and security risk, prepare a traceability matrix.
7. Prepare the security test case document.
8. Execute the security test cases and retest the defect fixes. Also execute the regression test cases.
9. Prepare a detailed report of the security tests which contains the threats and vulnerabilities identified, the risks in detail, issues that are still open, etc.
What are the web application security testing tools to use?
Here are some of the web application security testing tools that are available for use:
BeEF (Browser Exploitation Framework) is a penetration testing tool which focuses on the web browser. It allows professional penetration testers to assess the actual security posture of a target environment through the use of client-side attack vectors. The tool hooks one or more web browsers and uses them as beachheads to launch directed command modules and more attacks against the system from within the browser context.
Metasploit is a penetration testing tool which helps testers find security issues, verify vulnerability mitigations, and manage security assessments. It has four editions: Pro (for penetration testers and IT security teams), Express (for IT generalists in SMBs), Community (for students and small companies), and Framework (for developers and security researchers).
Nmap (Network Mapper) is a free and open-source security scanner, port scanner, and network exploration tool. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what OS versions they are running, what type of packet filters/firewalls are in use, and so on. It runs on all major computer OSs, and official binary packages are available for Linux, Windows, and Mac OSX.
Wireshark is a network protocol analyzer which shows what is happening on a network at a microscopic level. It is used by network pros for troubleshooting, analysis, software and protocol development.
ZAP (Zed Attack Proxy) is a free security tool which is actively maintained by hundreds of international volunteers. It can help in automatically finding security vulnerabilities in web applications and is a great tool for experienced testers conducting manual security testing.
Data authentication, authorization, availability, confidentiality, integrity, non-repudiation, and resilience are the foundations of user trust. Thus, software security should be considered throughout the project. With the help of the web application security testing tools above, the security threats discussed in this article will not be able to get in the way.