Security testing is one of the most important types of software testing; it focuses on finding vulnerabilities or weaknesses in the information system. The objective of security testing is to identify vulnerabilities and get them plugged before they are exploited by unauthorized users or malicious programs.
An information system includes all the software, hardware, operating systems, network, databases, configuration and, most importantly, the data.
Security testing is not just about finding security holes in the software application alone; it is about testing the entire information system as a whole for vulnerabilities or weaknesses that can be exploited.
Security can be implemented using one or more combinations of security measures: security policy, physical, mechanical, electronic or software measures. Security testing means testing each of these security measures, finding weaknesses and making them more robust.
Implementing Security measures:
Implementing security measures starts with a proactive approach: identifying probable security risks, preparing a threat profile, identifying preventive measures and applying appropriate security systems to prevent, monitor, detect and neutralize security threats. Once the security systems are in place, threats are monitored, detected and neutralized on an ongoing basis. IT security usually relies on automated systems and is usually sophisticated, as the threats are more virtual than physical.
1) Prevention: identify security risks and build a threat profile.
2) Monitoring and detection.
3) Neutralize threats.
4) Upgrade prevention measures or security policies over a period of time.
What is vulnerability?
A vulnerability is a weakness or security hole in an information system using which an attacker can gain access to, damage, misuse, modify or disrupt part of or the entire information system. The focus of security testing is to identify all the vulnerabilities and get them plugged.
The vulnerability window refers to the time duration for which a security hole existed, i.e. from the time it was introduced until the security hole was plugged and the security threat neutralized. The greater the vulnerability window, the greater the probability of attackers exploiting the security hole.
IT (Information technology) and Security
Security requirements in IT (information technology) can be broadly classified as “Application or Software Security”, “Data Security”, “Information Security” and “Network Security”.
Application or Software Security:
Application security focuses on the different stages of the SDLC (Software Development Life Cycle), processes, tools and deliverables that can lead to application or software vulnerabilities or weaknesses.
Data security focuses on policies and methods that help prevent intentional or accidental damage, access or misuse of data by authorized or unauthorized users or programs. Data security primarily focuses on “backup”, “encryption” or “masking” of data.
Data may or may not be in a human-readable or understandable form, e.g. binary data that cannot be understood by a human being. Information, on the other hand, is a summary and presentation of data in a way that can be read and understood by a human and that helps in decision making.
Information security focuses on protecting information from unauthorized access, misuse, modification or damage. Information security is usually thought of as an alternate name for IT security. However, information security applies to non-IT as well as IT: you might recollect seeing documents or files labeled “Top Secret”, “Secret” or “Confidential”.
The three principles of information security are Confidentiality, Availability and Integrity.
Confidentiality refers to the level of access: access rules are defined and access restrictions are in place. E.g. Top Secret information is accessible to VPs and above.
Availability means information is available when needed and is accessible to authenticated and rightful users.
Integrity means the information presented is correct and consistent throughout.
Network Security:
Most information systems are accessed over a network, be it the internet or an intranet. Network security refers to monitoring and preventing unauthorized use or misuse of the network and neutralizing threats on it. Most network security issues are due to hackers, bots, worms and malicious software that try to intrude into the network.
Who is responsible for Information Security?
Every stakeholder involved in any of the SDLC (Software Development Life Cycle) phases, right from the conception phase until decommissioning of the information system, is responsible; this includes the end users of the information system as well. However, the organization’s information system security department and the CSO (Chief Security Officer) are accountable for information system security. They are the ones who make the policies, identify security risks and prepare mitigation plans, propose adoption of industry security standards for the organization, and educate users and stakeholders about the security policies and security measures adopted by providing appropriate training.
Why is Security Testing required?
Security testing might seem like one of the software testing types that does not add value to end users and is hence less important, or a type of investment with little or no ROI (Return on Investment). In reality, security testing is key to the existence and success of any business.
Security testing is needed for most applications; however, the extent of security testing required depends on the security risks, the complexity of the software, exposure to threats and accessibility. Applications in the finance or military domains and web applications are usually at high risk, and these applications have to be rigorously tested for security flaws.
In the last two decades, organizations have realized the importance of security testing as governments have brought in regulations to ensure organizations provide the required confidentiality, security and privacy for customer data.
US federal and state legislators have brought in certain regulations related to information security, like Sarbanes-Oxley, HIPAA (Health Insurance Portability and Accountability Act), the Payment Card Industry standard (PCI) and FISMA (Federal Information Security Management Act).
Below are some of the reasons why security testing is important.
1) Downtime: Most security flaws lead to service downtime and loss of revenue. Think about a popular telecom website going down for about a day: it can lose revenue, customers and credibility, and breach SLAs, which in turn can lead to penalties.
2) Legal issues: Security issues can lead to legal issues and complications. Think about an insurance system being hacked and the SSNs (Social Security Numbers) of the company’s customers being posted on a forum. Customers are going to sue the company for such incidents, which can lead to legal issues and penalties.
3) Brand damage: With frequent downtime or leakage of confidential information, the reputation of the company can be damaged severely, which can lead to loss or shutdown of business.
4) Cost: The cost of every security issue that is exploited is several times greater than the cost of identifying and fixing it during the development and software testing phases.
Seven attributes of Security Testing
Authentication: identification of a person, user or program before it accesses the information system. Authentication can be implemented by various means, like user id and password, secret questions and answers, biometric authentication, a token (e.g. RSA SecurID token) or even a one-time/temporary password sent by SMS. Some applications may use a combination of authentication methods.
Authorization: once a user or program is authenticated, the information system should limit access as per the privileges or permissions set for that user or program. Authorization is usually implemented with an access control list, by categorizing users into groups and defining privileges and restrictions for each group, or by granting or revoking privileges for individual users.
Confidentiality: refers to the information system’s ability to protect information or data from unauthorized or less privileged users.
The information system should protect the confidentiality of information at all stages of information processing, storage and display.
Confidentiality in an information system is enforced by defining user groups, privileges and restrictions and by using encryption. E.g. sensitive information like passwords, SSNs (Social Security Numbers) etc. that is stored in a database should be encrypted and should not be stored as plain text, because the confidentiality of that data or information needs to be protected. Database administrators or developers with access to the database should not be able to see information or data they are not authorized to view.
Availability: availability of the information system may not seem related to security testing; however, exploited systems can face huge downtime, and security patch upgrades should be confined to minimal downtime. Downtime can be due to hardware failures and natural disasters as well. Availability refers to the accessibility of the information system and its services when authorized users need them. Most information systems have primary and failover sites; when the primary site is down, service requests are redirected to the failover site, so that services are provided even when the primary site is down or being patched. E.g. if a website is used by customers across many countries, the expected availability would be 24x7. Similarly, a trading site is expected to be available for a particular time of the day for public use, say 9 AM to 3:30 PM.
Integrity: refers to the reliability, consistency and accuracy of the information presented by the information system to its users. Information presented to users should be as per user groups, privileges and restrictions.
Non-repudiation: means confirmation sent by the receiver to the sender that the requested services or information were successfully received, as a digital confirmation, e.g. using digital certificates; this not only serves as an acknowledgement but also helps validate that both sender and receiver are genuine.
Resilience: refers to resistance to attacks; resilience can be built into an information system using encryption, SSL and extended authentication like one-time passwords, two-layer authentication or tokens.
Security Testing process:
Below are the broad steps involved in security testing planning and execution for any given information system.
- Understand the business objectives and security goals of the organization. The organization might have planned to achieve PCI compliance etc., so these have to be factored into your security test plan.
- Understand the requirements of the application.
- Understand how the information system is set up: hardware, operating systems, technology used for development of the software, and network.
- Identify security risks and vulnerabilities.
- Prepare a threat profile.
- Prepare a test plan to address the security risks, vulnerabilities and threats identified.
- Prepare a traceability matrix for each of the risks, vulnerabilities and threats identified and to be tested.
- Identify the security testing tools required. Not all security tests can be done manually, so the use of security testing tools might become a necessity. Tools also help execute security tests faster and more reliably.
- Document the security tests.
- Execute the security tests and retest defect fixes.
- Execute regression tests.
- Prepare a security test report detailing the risks, vulnerabilities and threats contained and the ones which are still open.
What types of tests are performed during Security Testing?
Below is a list of the different types of tests carried out as part of security testing.
SQL Injection: usually an application takes input from the user on the GUI and builds the SQL query at run time; if that input is embedded in the query text without validation or parameterization, it can alter the query itself rather than being treated as data.
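An added example, not from the original article, contrasting a lookup that builds the query text from GUI input with one that binds the input as a parameter, plus the probe a security tester would run against both. The table, rows and test input are constructed; an in-memory SQLite database stands in for the application's database.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed customer table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, ssn) VALUES (?, ?)",
        [("Alice Smith", "000-00-0001"), ("Bob O'Brien", "000-00-0002")],
    )
    return conn


def lookup_vulnerable(conn, name: str):
    """Builds the query by concatenation: GUI input becomes part of the SQL text."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name: str):
    """Binds the input as a parameter, so it can only ever be data."""
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe_for_injection(lookup, conn, test_input: str = "Bob O'Brien") -> str:
    """Security test: feed a legitimate value containing a quote character.
    A database error means the input reached the SQL parser as syntax (fail);
    a normal result means it was handled as data (pass)."""
    try:
        lookup(conn, test_input)
        return "pass"
    except sqlite3.Error as exc:
        return f"fail: input reached the SQL parser ({exc})"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", probe_for_injection(lookup_vulnerable, db))
    print("parameterized:", probe_for_injection(lookup_parameterized, db))
```

The vulnerable lookup fails the probe with a syntax error, which is exactly the symptom a tester looks for before any deeper test; the parameterized lookup returns the matching row.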
Port Scan: a port scan is done to check whether any ports are open without need. A port scan alone does not expose a vulnerability; however, it is the starting point for further tests like a vulnerability scan.
Vulnerability Scan: means scanning the information system (software, OS, database, application server, web server, network etc.) for weaknesses and known security bugs that can be used to gain access, disrupt services or destroy data. A vulnerability scan usually includes port scanners and network, database and web application vulnerability scanners. Vulnerability scanners are usually automated; these programs could be written by ethical hackers or can be off-the-shelf software.
Session Management: session ids created should be random, long alphanumeric strings that are hard to guess rather than just incremental numbers. Sequential session ids or a simple session id format result in weak session management.
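An added example, not from the original article, of how a tester can check a sample of session ids for the two weaknesses named above (sequential values and a format too short or simple to resist guessing), alongside a generator that issues the kind of id the article asks for. The 64-bit threshold and the sample ids are assumptions.

```python
import math
import secrets
import string

# Minimum randomness a session id should carry; 64 bits is an assumed
# threshold here (common guidance), not a figure from the article.
MIN_ENTROPY_BITS = 64


def generate_session_id(nbytes: int = 32) -> str:
    """Issue a long, random, URL-safe session id from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def charset_size(sid: str) -> int:
    """Size of the alphabet the id appears to be drawn from."""
    classes = [string.digits, string.ascii_lowercase, string.ascii_uppercase, "-_"]
    return sum(len(c) for c in classes if any(ch in c for ch in sid)) or 1


def max_entropy_bits(sid: str) -> float:
    """Best-case entropy: every position uniformly random over that alphabet."""
    return len(sid) * math.log2(charset_size(sid))


def is_sequential(ids) -> bool:
    """True when the ids are integers that change by one constant step."""
    try:
        nums = [int(s) for s in ids]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) >= 2 and len(steps) == 1


def assess_session_ids(ids):
    """Classify a sample of ids from one application as 'weak' or 'strong',
    with the reasons a tester would put in the report."""
    reasons = []
    if is_sequential(ids):
        reasons.append("ids are sequential and therefore guessable")
    weakest = min(max_entropy_bits(s) for s in ids)
    if weakest < MIN_ENTROPY_BITS:
        reasons.append(f"at most ~{weakest:.0f} bits of entropy per id")
    return ("weak" if reasons else "strong", reasons)


# Constructed samples: what a counter-based application might issue,
# and what the generator above issues.
WEAK_SAMPLE = ["100231", "100232", "100233", "100234"]
STRONG_SAMPLE = [generate_session_id() for _ in range(4)]
```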
Browser Cache: the application should be designed not to store sensitive information, like your bank account details or SSN (Social Security Number), in the browser cache, as this information can be viewed simply by viewing the browser history in “offline” mode.
Database Security: getting access to the database is usually the primary goal for most hackers, as they know that most of the information they are looking for is stored in the database.
- Confidential data stored in the database, like SSNs, credit card numbers, passwords, salaries etc., should always be masked or encrypted.
- The passwords of all default database user ids should be changed. Most hackers start by looking for user ids that still have default passwords when they want to break into a database.
- IP restrictions on connecting to the database should be enforced. E.g. only the application servers and the IPs of administrator PCs should be allowed to connect to the database. This restricts unauthorized users from trying to connect to the database directly over the internet or intranet.
Classification of Hackers:
Hackers are classified based on their type, motive and experience. Hacking itself cannot be considered bad; what makes it bad is the motive behind it.
Ethical hackers, also referred to as white hat hackers, are the ones who are interested in breaking into an information system to expose its weaknesses or vulnerabilities, and they have no intention of misusing it or causing damage. Security testers are indeed ethical hackers.
Black hat hackers are the most experienced and skilled people, who exploit, misuse or even destroy information systems for their personal gain (usually for money). Most black hats end up getting involved in cyber crime.
Hacktivist is a word derived from two words, “hacking” and “activist”; these are people who do not hack information systems for money or personal gain but because of their ideology, religious beliefs or a social cause. They usually try to bring down the information system, alter website content to post their message, or make the system temporarily unavailable.
Script kiddies or script junkies:
are hackers who are less knowledgeable in hacking and mostly rely on scripts or software written by other, more experienced hackers. Most script kiddies try hacking for fun.
Malicious programs (bots, worms and similar software) are programs written by experienced hackers which try to invade information systems, steal information and upload the data to another server maintained by the hacker.