Software QA FYI - SQAFYI

Application Security Testing

By: Anamika Chowdhury

Application security issues are an increasing threat nowadays. They are caused primarily by security bugs in an application's code. Application security vulnerabilities can allow one client to see another client's data. They can let attackers run queries against an application's back-end database, and possibly even take over the Web server itself.

Most organizations leave the discovery of Web application security issues to a dedicated security team, which tests the applications before they go live. Fixing the issues found then requires those teams to push the issues back to developers for a full iteration of late code changes, resulting in very high costs to fix what are often the simplest security bugs.

The primary reason for testing the security of an operational system is to identify potential vulnerabilities and subsequently repair them.

This White Paper focuses on black box testing technologies that are unique to software security testing.

System testing ensures that the entire integrated software system meets requirements. It tests a configuration to ensure known and predictable results. System testing is based on process descriptions and flows, emphasizing pre-driven process links and integration points.

Within the security test arena, black box testing is normally associated with activities that occur during the pre-deployment test phase (system test) or on a periodic basis after the system has been deployed. Black box security tests are conducted to identify and resolve potential security vulnerabilities before deployment or to periodically identify and resolve security issues within deployed systems.

Security testing is concerned with checking that the system and its data are protected from accidental or malicious damage. The system must be secure against unanticipated as well as anticipated attacks. Security testing may be carried out by inviting people to try to penetrate the system through security loopholes.

Typically, vulnerabilities are exploited repeatedly by attackers to attack weaknesses that organizations have not patched or corrected. A report in a SANS Security Alert, dated May 2000, provides a discussion of this issue: “A small number of flaws in software programs are responsible for the vast majority of successful Internet attacks. A few software vulnerabilities account for the majority of successful attacks because attackers don't like to do extra work. They exploit the best-known flaws with the most effective and widely available attack tools. And they count on organizations not fixing the problems.”

Businesses have a legitimate reason to be concerned about potential security vulnerabilities within their systems. A great number of security incidents are due to the widespread use of automated attack tools, which have simplified security scans and attacks and allowed them to be rapidly employed against Internet-connected computers and applications.

While the number of reported security incidents continues to rise, the CSI/FBI noted that the total monetary loss reported by 639 companies in 2005 was significant at $130,104,542 [Gordon 05]. In addition, CSI/FBI noted that the average financial loss of reporting organizations subjected to theft of proprietary information was $355,552, and those reporting losses due to unauthorized access to information averaged $303,234.

These figures describe significant financial losses that are the direct result of security incidents. Although security testing on its own is not a suitable substitute for using security best practices throughout the SDLC, black box test tools can help an organization begin to understand and address potential security issues within their systems. These tools allow testers to efficiently and in an automated manner conduct security scans for both known and unknown security vulnerabilities that may adversely impact an organization’s business. Armed with the results of the black box test effort, organizations can better understand and address the risks posed to their business.

Evaluation of system security can and should be conducted at different stages of system development. Securing and operating today’s complex systems is challenging and demanding. Mission and operational requirements to deliver services and applications swiftly and securely have never been greater. Organizations have invested precious resources and scarce skills in various necessary security efforts such as risk analysis, certification, accreditation, security architectures, policy development, and other security efforts.

There are four basic concepts of security testing:
o Confidentiality – A security measure which protects against the disclosure of information to parties other than the intended recipient.
o Integrity – A measure intended to allow the receiver to determine that the information it receives has not been altered in transit or by anyone other than the originator of the information.
o Authentication – A measure designed to establish the validity of a transmission, message or originator, allowing a receiver to have confidence that the information it receives originated from a specific known source.
o Authorization – The process of determining that a requester is allowed to receive a service or perform an operation.

The term vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system. Vulnerabilities may result from weak passwords, software bugs, script code injection, or SQL injection. Below are some of the causes of security failure:

o Password Management Flaws – The user chooses weak passwords that can be discovered by brute force.
o Software Bugs – The programmer leaves an exploitable bug in a software program. The software bug may allow an attacker to misuse an application, for example by bypassing access control checks.
o Unchecked User Input – The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (known as SQL injection, or more generally non-validated input).
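To make the "Unchecked User Input" cause concrete, here is an added example (not code from the original article) that places a lookup built by string concatenation beside the same lookup written with a bound parameter and an allowlist check. It assumes Python's standard sqlite3 module and uses a constructed in-memory users table.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not from the original article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def find_user_unchecked(conn, name):
    """Vulnerable pattern: the caller's input is spliced straight into the SQL text,
    so a quote character in `name` changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

# Allowlist for the one field this lookup accepts (hypothetical policy for the example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(name):
    """Input check: reject anything outside the allowed character set and length."""
    return bool(USERNAME_RE.match(name))

def find_user_parameterized(conn, name):
    """Hardened pattern: validate first, then bind the value as a parameter so the
    database always treats it as data, never as part of the SQL statement."""
    if not is_valid_username(name):
        return []
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

if __name__ == "__main__":
    db = make_db()
    malformed = "x' OR '1'='1"  # input containing a quote, as a tester would supply
    print(find_user_unchecked(db, malformed))      # returns every user
    print(find_user_parameterized(db, malformed))  # returns no user
```

Running the same malformed input through both functions is the black box check a tester would make: the concatenated query returns rows it should not, while the parameterized query returns nothing.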

Below are the main types of security testing:
o Security Auditing: Security auditing includes direct inspection of the application developed, the operating systems, and any system on which it is being developed. This also involves code walk-throughs.

o Security Scanning: This is all about scanning and verification of the system and applications. During security scanning, auditors inspect and try to find weaknesses in the OS, applications and network(s).

o Vulnerability Scanning: Vulnerability scanning involves scanning the application for all known vulnerabilities. This scanning is generally done with vulnerability scanning software.

o Risk Assessment: Risk assessment is a method of analyzing and deciding the risk, which depends upon the type of loss and the probability of the loss occurring. Risk assessment is carried out through interviews, discussions and analysis of the findings. It helps in identifying and preparing a backup plan for each type of potential risk, hence contributing towards security conformance.

o Posture Assessment & Security Testing: This is a combination of security scanning, risk assessment and ethical hacking, carried out to reach a conclusive point and help your organization know where it stands with respect to security.

o Penetration Testing: In this type of testing, a tester tries to forcibly access and enter the application under test. In penetration testing, a tester may try to enter the application/system with the help of some other application or by combining loopholes that the application has unknowingly left open. A penetration test is highly important as it is the most effective way to practically find potential loopholes in the application.

o Ethical Hacking: This is a forced intrusion of an external element into the systems and applications that are under security testing. Ethical hacking involves a number of penetration tests across the wide network on the system under test.

Often, several of these testing techniques are used together to gain a more comprehensive assessment of the overall network security posture.

Security testing is often regarded as something that takes place at the end of the software development life cycle. However, greater success can be achieved by integrating security testing throughout the life cycle. As with any kind of defect, software vulnerabilities are easier and cheaper to address if they are found earlier.

Following are some activities that need to be done during the SDLC:
o Security-based requirements are developed.
o Security-based risk assessments are completed to identify the areas of greatest risk to the business and the technology platform.
o Findings from the risk assessments are addressed in the security architecture and implementation.
o Security-based design and architecture reviews are conducted.
o Security training is provided to developers.
o Code reviews are conducted on security-critical components.

Black box test activities almost universally involve the use of tools to help testers identify potential security vulnerabilities within a system. Among the existing available toolsets, there are subsets of tools that focus on specific areas, including network security, database security, security subsystems, and web application security. There are many excellent freeware (no fee required for license) and shareware (requires nominal fee for license) security tools. However, great care should be used in selecting freely available tools. Generally, freeware/shareware tools should not be used unless an expert has reviewed the source code or they are widely used and are downloaded from a known safe repository.

These tools are frequently used in both the pre-deployment and post-deployment test cycles. Some of them provide rather sophisticated functionality, including capabilities to develop and enforce organizational security policies, the ability to create custom rules, automated scheduling of application security tests, and comprehensive vulnerability databases that attempt to address zero-day attacks. A number of applications have been developed to assist the black box tester with locating web application vulnerabilities.
