Security Risks and Testing

As technology becomes an increasingly integral part of personal lives and business, web applications are being used for more and more social interactions and business transactions. However, while there are users adopting and embracing these changes, there are other criminal minds at work, looking for ways to hack web applications for their own gains.
According to the Internet Security Threat Report 2017 published by Symantec:

  • Over 1 billion identities were exposed in data breaches in 2016
  • There were over 460K ransomware attacks and the average ransom amount was over USD 1000
  • 76% of the scanned websites had vulnerabilities

For an enterprise that falls victim to cyber-attacks, the price is huge and potentially crippling. There is financial loss, loss of credibility and customer trust, and brand damage, and in order to prevent these, security testing is essential.

Web application security testing verifies that the system protects data and maintains its intended functionality. It involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities. The primary purpose is to identify vulnerabilities and repair them.

Common Vulnerabilities

We need to be aware of the common vulnerabilities that are seen in web applications, and ensure that we are taking the necessary steps to protect against them.

Information leakage:

This is a weakness where the application reveals sensitive data, such as technical details of the web application, environment, or user-specific data. This sensitive data may be misused by attackers to exploit the target web application, its hosting network, or users.

Cross Site Scripting:

Cross Site Scripting is an attack in which malicious scripts are executed in the browsers of a website's users, for example to steal their cookies. The web application needs to be checked for cross-site scripting and restricted from accepting outside HTML scripts.
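The check a tester runs for this is whether user-supplied text comes back from the application as live markup. The following is an added example, not code from the page or from Smartsourcing Global: two hypothetical comment renderers, one that interpolates the value raw and one that output-encodes it, plus a small oracle run over constructed sample inputs.

```python
import html

# Constructed sample comment bodies standing in for user-submitted text (not from the page).
SAMPLE_INPUTS = [
    "Hello, world",
    '<b>bold</b> & "quoted"',
    "</p><i>breaks out of the element</i>",
]


def render_comment_unsafe(body: str) -> str:
    # Interpolates the untrusted value straight into markup, so any tag in it becomes live HTML.
    return f'<p class="comment">{body}</p>'


def render_comment_safe(body: str) -> str:
    # Output-encodes the untrusted value: <, >, &, " and ' become entities and display as text.
    return f'<p class="comment">{html.escape(body, quote=True)}</p>'


def markup_survives(rendered: str, body: str) -> bool:
    """Tester's oracle: does the submitted text appear verbatim, tags intact, in the page?"""
    return body in rendered


def audit(render) -> dict:
    """Run every sample through a renderer and report which inputs survive as live markup."""
    return {body: markup_survives(render(body), body) for body in SAMPLE_INPUTS}


if __name__ == "__main__":
    for name, render in (("unsafe", render_comment_unsafe), ("safe", render_comment_safe)):
        print(name, audit(render))
```

Plain text such as "Hello, world" survives both renderers, which is the functional check; the inputs carrying tags survive only the raw renderer, which is the finding. Output encoding at the point of rendering is what the safe version adds; restricting accepted input, as the text above recommends, is a separate layer.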

Content Spoofing:

This is a type of attack where malicious hackers present a faked or modified website to the user as if it were legitimate. The intent may be to defraud victims (as in phishing) or to misrepresent the entity.

Brute Force:

This is a trial-and-error method in which a program attempts to decode encrypted data, such as passwords or Data Encryption Standard (DES) keys, through exhaustive effort (‘brute force’) rather than analytical methods.

Cross Site Request Forgery:

Cross Site Request Forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website in which unauthorized commands are transmitted from a user that the web application trusts.
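The standard defence is to require a secret that a cross-site form post cannot supply: a per-session token embedded in the site's own form and verified on submission (the synchronizer token pattern). The following is an added example, not code from the page or from Smartsourcing Global; the session store, the transfer handlers and the form are hypothetical and constructed for illustration.

```python
import hmac
import re
import secrets
from typing import Dict

# In-memory session store standing in for server-side session state (constructed for this example).
SESSIONS: Dict[str, Dict[str, str]] = {}


def new_session() -> str:
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> str:
    """Embed the session's token in the form, so only a page served by this site carries it."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"></form>'
    )


def extract_token(form_html: str) -> str:
    """What a legitimate browser submits: the token found in the served form."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', form_html)
    return match.group(1) if match else ""


def handle_transfer_unsafe(sid: str, form: Dict[str, str]) -> str:
    # Relies on the session cookie alone. A form posted from another site carries the
    # cookie too, so the application cannot distinguish the user's intent from a forged request.
    return f"transferred {form['amount']}"


def handle_transfer_safe(sid: str, form: Dict[str, str]) -> str:
    # Synchronizer-token check: the submitted token must match the one bound to the session.
    session = SESSIONS.get(sid)
    submitted = form.get("csrf_token", "")
    if session is None or not hmac.compare_digest(
        submitted.encode(), session["csrf_token"].encode()
    ):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {form['amount']}"


def exchange(sid: str, handler, with_token: bool) -> str:
    """Simulate one POST: a same-site submission carries the served token, a forged one does not."""
    form = {"amount": "10"}
    if with_token:
        form["csrf_token"] = extract_token(render_transfer_form(sid))
    return handler(sid, form)


if __name__ == "__main__":
    sid = new_session()
    print("same-site, checked:", exchange(sid, handle_transfer_safe, True))
    print("forged, checked:   ", exchange(sid, handle_transfer_safe, False))
    print("forged, unchecked: ", exchange(sid, handle_transfer_unsafe, False))
```

The comparison uses hmac.compare_digest so that token verification takes the same time whether the first or the last character differs. Cookie attributes such as SameSite add a second layer in real deployments but are outside this example.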

URL Redirection:

A URL Redirection vulnerability allows a link on the original website to redirect the user to a page outside that website when accessed; it is usually combined with a phishing attack.

Insufficient Authorization:

An application may have an Insufficient Authorization vulnerability if it allows a user to perform an action without checking if the user has the necessary privileges. This allows attackers to carry out actions that are not intended by the application. For example, if privileges are not checked properly, an attacker with an unprivileged account may be able to upload files to the server, even if the application should not allow that by design.
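To make the upload example concrete, here is an added example (not code from the page or from Smartsourcing Global) with a hypothetical upload handler in two forms: one that reaches the sink after authentication alone, and one wrapped in a role check. The authorization matrix at the end is the view a tester builds: each constructed account against the action it should or should not be able to perform.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


class Forbidden(Exception):
    """Raised when a caller lacks the privilege an action requires."""


# Constructed in-memory store of (owner, filename) pairs; no real file system is touched.
UPLOADS: List[Tuple[str, str]] = []


def upload_unchecked(user: User, filename: str) -> str:
    # Authentication happened earlier, but there is no authorization check: any account reaches the sink.
    UPLOADS.append((user.name, filename))
    return f"stored {filename}"


def require_role(role: str) -> Callable:
    """Decorator that enforces the privilege check the unchecked handler omits."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(user: User, *args, **kwargs):
            if role not in user.roles:
                raise Forbidden(f"{user.name} lacks role {role!r}")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("uploader")
def upload_checked(user: User, filename: str) -> str:
    UPLOADS.append((user.name, filename))
    return f"stored {filename}"


def authorization_matrix(handler: Callable) -> Dict[str, bool]:
    """Tester's view: for each constructed account, can it complete the action?"""
    accounts = [User("alice", {"uploader"}), User("bob", {"viewer"}), User("guest")]
    outcome: Dict[str, bool] = {}
    for account in accounts:
        try:
            handler(account, f"{account.name}.txt")
            outcome[account.name] = True
        except Forbidden:
            outcome[account.name] = False
    return outcome


if __name__ == "__main__":
    print("unchecked:", authorization_matrix(upload_unchecked))
    print("checked:  ", authorization_matrix(upload_checked))
```

Any True in the unchecked row for an account that should not have the privilege is the finding the text describes; the decorator puts the check in one place so that every privileged handler carries it.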

Insufficient Transport Layer Protection:

This vulnerability allows communication to be exposed to untrusted third-parties, providing an attack vector to compromise a web application and steal sensitive information. Websites typically use Secure Sockets Layer/ Transport Layer Security (SSL/TLS) to provide encryption at the transport layer. However, unless the website is configured to use SSL/TLS properly, it may be vulnerable to traffic interception and modification.

SQL injection:

Web applications that use databases are prone to SQL injection, in which hackers inject their own SQL code, which the application then executes. Testing needs to ensure that the application rejects user inputs containing special characters or quotes (‘) rather than inserting them into the application database.
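The following added example (not code from the page or from Smartsourcing Global) shows why the quote matters and what the tester observes: a hypothetical lookup built by string concatenation, the same lookup with a bound parameter, and the input-rejection filter the text describes. It uses an in-memory SQLite table with constructed rows; the name O'Brien is a legitimate value that happens to contain the character the filter rejects.

```python
import sqlite3
from typing import Any, Dict, List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table; the rows are sample data for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def find_email_concat(conn: sqlite3.Connection, name: str) -> List[tuple]:
    # Vulnerable form: the value is pasted into the statement, so a quote in it is parsed as SQL.
    return conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()


def find_email_param(conn: sqlite3.Connection, name: str) -> List[tuple]:
    # Hardened form: the value travels as a bound parameter and is never parsed as SQL.
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def contains_special_chars(name: str) -> bool:
    """The input-rejection check the page describes: refuse quotes, semicolons and comment markers."""
    return any(c in name for c in "'\";-")


def probe(conn: sqlite3.Connection, name: str) -> Dict[str, Any]:
    """Run one input through the filter and both query styles, recording what the tester observes."""
    result: Dict[str, Any] = {"rejected_by_filter": contains_special_chars(name)}
    try:
        result["concat"] = find_email_concat(conn, name)
    except sqlite3.OperationalError as exc:
        result["concat"] = f"error: {exc}"   # the quote altered the statement's syntax
    result["param"] = find_email_param(conn, name)
    return result


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "O'Brien"):
        print(candidate, probe(db, candidate))
```

A database error on a quoted input is the first symptom a tester looks for, since it shows the input reached the SQL parser. The parameterized query returns the O'Brien row correctly, which is why parameterization is the usual fix alongside input validation: the filter alone would lock out users with such names.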

HTTP Response Splitting:

This is a form of web application vulnerability resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits.
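Both URL Redirection and HTTP Response Splitting come down to a request-supplied value reaching a response header unchecked, most often the Location header. The following added example (not code from the page or from Smartsourcing Global) validates a redirect target against a constructed host allow-list and refuses the line-ending characters that would split the response; the header serializer at the end is what a tester uses to count how many header lines a single value produced. The site origin and allowed host are assumptions for the example.

```python
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed site settings for this example: the only host a redirect may point at.
SITE_ORIGIN = "https://www.example.com"
ALLOWED_HOSTS = {"www.example.com"}

Header = Tuple[str, str]


def safe_redirect_target(raw: str) -> Optional[str]:
    """Return an absolute same-site URL for a user-supplied target, or None if it must be refused."""
    # CR, LF and NUL would terminate the header line; browsers treat a backslash like a slash.
    if any(ch in raw for ch in "\r\n\x00\\"):
        return None
    target = urljoin(SITE_ORIGIN, raw)          # relative paths resolve against our own origin
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.netloc not in ALLOWED_HOSTS:
        return None                              # external or protocol-relative target
    return target


def build_redirect_unchecked(raw: str) -> List[Header]:
    # Vulnerable form: whatever the request supplied goes straight into the Location header.
    return [("Location", raw)]


def build_redirect_checked(raw: str) -> List[Header]:
    # Hardened form: the validated target, with a fixed fallback instead of the raw value.
    target = safe_redirect_target(raw)
    return [("Location", target if target is not None else SITE_ORIGIN + "/")]


def header_lines(headers: List[Header]) -> List[bytes]:
    """Serialize headers as they go on the wire and split into lines, as a tester would."""
    wire = b"".join(f"{name}: {value}\r\n".encode("latin-1") for name, value in headers)
    return [line for line in wire.split(b"\r\n") if line]


if __name__ == "__main__":
    sample = "/account\r\nX-Injected: 1"   # constructed test input, not a real request
    print(header_lines(build_redirect_unchecked(sample)))
    print(header_lines(build_redirect_checked(sample)))
```

One supplied value producing two header lines is the response-splitting finding; a Location pointing at a host outside the allow-list is the open-redirect finding. Resolving the target against the site's own origin before checking the host is what makes the protocol-relative form (a value beginning with two slashes) fail the check rather than slip through as a "relative" path.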

The six basic security concepts

The objective of security testing is to ensure the following:

  • Confidentiality

    Information should be accessible to only those with authorized access

  • Integrity

    A measure intended to allow the receiver to determine that the information provided to it is correct and unaltered

  • Authentication

    Establishes the identity of the user

  • Authorization

    A user should receive a service or perform an action only if they have permission for it

  • Availability

    Information and communication services should be ready any time, as needed

  • Non-repudiation

    Prevent later denial that an action happened

The Approach to Security Testing:

  • Threat Modeling:

    A threat model is essentially a structured representation of all the information that affects the security of an application, together with a process for capturing, organizing, and analyzing that information. Threat modeling is done in order to make informed decisions about application security risk. A model is created, along with a prioritized list of security improvements to the concept, requirements, design, or implementation. This helps to optimize network, application and Internet security by identifying objectives and vulnerabilities, and putting countermeasures in place to prevent or mitigate their effects. A threat is a potential or actual undesirable event that may be malicious (such as a DoS attack) or incidental (such as the failure of a storage device).
    Threat modeling is best applied continuously throughout a software development project. An outline of the methodology for threat modeling is:

    • Assessment scope
    • System modeling
    • Identifying threats
    • Identifying vulnerabilities
    • Examining the threat history
    • Evaluating the impact on the business
    • Developing a security threat response plan

  • Test Planning:

    A test plan needs to be defined based on your specific requirements, such as what are the security features you are planning for, what vulnerabilities concern you the most and what kind of testing is required.

  • Test Execution:

    This involves performing the security test cases and retesting the defect fixes. Regression test cases are executed.

  • Report and Root Cause Analysis:

    A detailed security testing report covering the vulnerabilities and risks identified, their root causes, the action taken, and open issues.

The Smartsourcing Global Approach to Security Testing

  • Security testing

    A thorough analysis of vulnerabilities, ensuring that the necessary corrective action is taken.

  • Penetration testing

    Identifying security loopholes that can potentially allow access to the system, its functionality and data.

    • Targeted testing: Sometimes referred to as a “lights-turned-on” approach because everyone can see the test being carried out.
    • External testing: Targets externally visible servers or devices including domain name servers (DNS), e-mail servers, web servers or firewalls. The objective is to find out whether an outside attacker can get in and how far they can get once they have gained access.
    • Internal testing: This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. Useful for estimating how much damage a disgruntled employee could cause.
    • Blind testing: Simulates the actions and procedures of a real attacker by severely limiting the information given beforehand to the person or team performing the test.
    • Double blind testing: Only one or two people within the organization might be aware that a test is being conducted. Useful for testing an organization’s security monitoring and incident identification as well as its response procedures.

  • Mobile Apps Security testing

    Automated testing of apps for multiple devices across multiple platforms over diverse networks.

    • Cloud-based mobile testing lab to which locations or the apps can be uploaded for testing
    • Automated security tests to identify embedded spyware, viruses, Trojans, data privacy and data leakage issues, unsolicited network connections, etc.
    • Lab to verify security issues such as an insecure file system, insecure data transmission, unsafe data storage, privilege access violations, etc.
    • Analysis of results
    • Assessment of automated code to secure mobile apps in agile environments
    • Inspection of all features of the apps in real time in controlled environments
    • Assessment of the apps using binary static analysis that exposes malicious capabilities and vulnerabilities such as leakage of information
    • Industry and regulatory compliance
    • Checking for new security threats

  • Network Security testing

    To identify exploitable vulnerabilities in networks, systems, hosts and network devices (e.g. routers, switches) and secure them.

    • Information Gathering: A survey of the network including architecture mapping and a complete network scan
    • Scanning: Port scanning and war dialing, including scanning of open ports, closed ports, and filtered ports
    • Fingerprinting: OS fingerprinting is conducted to evaluate OS type, patch level, and system type, followed by protocol identification
    • Vulnerability Scanning: Automated scanning with access to a vulnerability database, where any vulnerabilities and exploits are verified
    • Exploit Verification: Using manual verification and password cracking, available exploits are checked and retested if necessary to validate results
    • Reports: Findings and recommendations

  • Source code review for security flaws

    Review of software documentation, coding standards, and guidelines.

    • Identify security design issues
    • Analyze the areas of code that handle authentication, session management and data validation
    • Identify unvalidated-data vulnerabilities contained in the code
    • Zero in on poor coding techniques that may be exploited to launch targeted attacks
    • Evaluate security issues specific to individual framework technologies

The Smartsourcing Global Advantage

Domain expertise

Smartsourcing Global is the QA partner for leading product development companies across different segments and has been helping them with functionality testing for many years. Our expertise enables us to handle complex projects from a wide range of domains and provide thorough testing services.

Manual as well as automated testing

Smartsourcing Global's expertise in both manual and automated testing allows us to provide the most cost-efficient solution depending on the complexity and size of the project.

Quick Turnaround

Delays in application testing often derail product development timelines. Smartsourcing Global has dedicated teams of skilled testing engineers for Functional Testing, so that testing is conducted without hindering the product development timelines of our clients.

Infrastructure & Expertise

Smartsourcing Global has an in-house Real Devices Test Lab with devices and machines of various versions and flavors, which enables our team of experts to simulate any situation and test the application. Our engineers take a deep dive into product testing and strive to ensure the best quality with optimum utilization of the available resources.

Differentiators

  • Proven expertise in test strategy, planning and test execution techniques
  • An end-user focused approach
  • Superior test coverage
  • Identification of defects earlier in the development process
  • Efficient testing through the usage of best practices and best tools
  • Development of repeatable test plans to reduce testing time
  • Reduction of testing cycles, leading to reduced overall testing costs
  • Replication of the client's test environment at our QA lab
  • Use of appropriate defect tracking systems to report issues (Eventum, Jira, Bugzilla, TestLink, Tracker, Test Director and more)

Tools Used:

  • Wireshark
  • Metasploit
  • Vega
  • SQLMap
  • Burp Proxy
  • Cookie Editor
  • Zed Attack Proxy
  • Source Code Analyzers