One of the gravest concerns for modern companies in current times is security testing. However, security testing often remains one of the least understood and well-defined testing activity for modern testers. Web security testing requires domains of expertise beyond traditional software testing in order to execute complex tasks and is, therefore, a skill in great demand in the industry. This article discusses some key concepts applicable to security testing and is intended to be a primer for beginners and professionals alike.
Defining Computer Security
Computer security is a combination of many protective measures taken to ensure the safety of the data and resources of both the owners and the users of computer systems. Computer security is twofold: It involves keeping private information safe and preventing loss of resources. Computer security concerns include active attacks from external sources, internal abuse, and inadvertent loss of information. Typically, security threats come from one or more of the following places:
- Software and hardware errors and failures
- Human errors and failures
- Environmental failures, such as poor security for the physical environment, loss of electric power and natural disasters
- Ongoing changes to the systems.
Web Testing Goals and Responsibilities
The main focus of our goals as testers should be testing the Web site and Web application security at the application level. It means that we should seek out vulnerabilities and information leaks caused primarily by programming practice and, to a certain extent, by misconfiguration of Web servers and other application-specific servers. We should test for the security side effects or vulnerabilities caused by the functionality implementation. At the same time, we should also test for functional side effects caused by security implementation.
Specifically, the following areas should be considered as testing responsibilities:
- Test the security prevention implementation. Seek out vulnerabilities and various means to exploit them so they can be fixed.
- Test the security detection implementation. Help determine the information that should be logged and mechanisms to track; alert and trap suspicious activities.
- Test the requirements and designs.
- Test the code and programming practices.
- Test interoperability with third-party components with a specific focus on known vulnerabilities.
- Test for misconfiguration.
- Test the deployment.
- To a certain extent, do penetration testing.
Key Aspects of Web Security Testing
Backdoors
Backdoors are created by the developers to facilitate debugging and troubleshooting. Unfortunately, it is not uncommon for backdoors to be left in the production code, thereby introducing security risks. For example, a backdoor that allows the user to go directly to the application without any form of authentication can be a dangerous problem. Check to make sure that all backdoors are closed in the production release.
Exception Handling
Programs often contain exception-handling code to deal with unexpected events or errors. What is the correct way to handle these exceptions?
- Sometimes the program should fail silently. For instance- the program may be able to ignore extra data sent to a buffer.
- Other times, the condition causing the exception needs to be reported so that the user can decide on an appropriate action to take, such as failure finding a DNS entry for a Web site.
- Sometimes, the error also needs to be logged so that the system administrator can later determine the cause of problems.
Some failures may require immediate notification to the owners of the application. As a tester, you need to understand which response is correct for each condition. Then you can build test cases to make sure the logic is implemented correctly.
ID and Password Testing
When it comes to ID and password testing, follow these guidelines:
- Check for the misuse of superuser accounts- For the sake of convenience, your developers might inadvertently use this account to procrastinate in completing a thorough design and implementation for dealing with access rights and permissions. A major principle of security design is to give users (including your application as a user) the minimum amount of access such that they can perform required tasks but are prevented from performing illegal operations.
- Look for IDs and passwords “in the clear” when connecting to and accessing servers, directories, databases, and other resources- These are potentially hard-coded in Active Server Pages (ASP), Java Server Pages (JSP), or a configuration data file stored in an insecure location. If an ASP, JSP, or configuration file that stores the hard-coded ID and password can be retrieved, the danger is imminent. However, retrieving the files can be done in several ways.
Testing for Information Leaks
To test for information leaks, follow these guidelines:
- Test for comments in the HTML code that might reveal user ID and password information, code paths, or directory and executable file names.
- Test for error messages that reveal server name, root directory name or other pertinent information about the servers.
- Check to make sure that the directory browsing option on the Web server is turned off.
- Check to ensure that Access to Source configuration on the Web server is turned off.
- Check to ensure that the ‘write privilege’ to the local path is blocked.
Testing for Buffer Overflows
Testing for buffer overflows requires testing everywhere a buffer is used. Most commonly, buffers are used to store inputs before they are processed by your application. Each of these inputs may have a buffer to hold data, and not all buffers are immediately obvious. For example, data returned from a database inquiry may be buffered. The goal of testing for a buffer overflow is to show that sending too much data to the program will cause the program to behave in an unexpected manner.
Conclusion
Keeping up with new technologies and vulnerabilities they introduce is a challenge for every tester. However, following the above guidelines and keeping up with the available tools and their applicability and usefulness in supporting the software security testing effort would help testers in preparing against security breaches.