Security Testing

Recently I have been exploring the various aspects that need to be taken care of while performing security testing for software.

When asked what security testing is, a few naïve testers replied that security testing is ensuring:

  • That the password is encrypted in the database and in any flat files.
  • That only authorized users have access to the various modules and data in the software.

Security testing certainly covers the above, but there is much more to verify before an application can be called secure against malicious attackers.

Besides the above, security testing should also cover the following basics:

  • Authorized access to application and data
  • Data protection
  • Brute force attacks
  • SQL injection and XSS (cross-site scripting)
  • Directory traversal


Software Security Testing


Authorized access to application and data

Create several users with different roles and permissions, then try to perform operations each user is not permitted to perform, such as editing or deleting data or viewing confidential records. Do this not only through the user interface but also by replaying the underlying requests directly (changing a record identifier in the URL or request body, or calling an endpoint whose button is hidden for that role), because a hidden menu item is not an access control. Check both vertical escalation (a user performing an administrator's action) and horizontal escalation (a user reaching another user's data of the same kind). The test should look at how the software responds to such attempts and whether it gives the user a clear refusal. A refusal alone is not enough: every denied attempt must be logged with the user, the action and the target, so that an administrator can notice that someone is probing the application's access controls.
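The following is an added example, not code from the original article: a role-and-tenant permission matrix used as the oracle for the test described above, together with the audit trail that every denied attempt is expected to leave. The users, roles, actions and tenants are made up for illustration; in a real test the `authorize()` stand-in is replaced by the HTTP request the UI would send, replayed directly with each user's session.

```python
# Added example, not code from the original article: a role and tenant
# permission matrix used as the oracle for authorization testing, with the
# audit trail that every denied attempt is expected to leave. All users,
# roles and actions are made up for illustration.
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed policy: action -> roles allowed to perform it (vertical control).
POLICY = {
    "view_record": {"viewer", "editor", "admin"},
    "edit_record": {"editor", "admin"},
    "delete_record": {"admin"},
    "view_confidential": {"admin"},
}


@dataclass
class User:
    name: str
    role: str
    tenant: str          # users may only touch records of their own tenant


@dataclass
class Record:
    record_id: int
    tenant: str


@dataclass
class AuditLog:
    entries: List[str] = field(default_factory=list)

    def deny(self, user: User, action: str, record: Record, reason: str) -> None:
        self.entries.append(
            f"DENY user={user.name} role={user.role} action={action} "
            f"record={record.record_id} reason={reason}"
        )


def authorize(user: User, action: str, record: Record, log: AuditLog) -> bool:
    """Stand-in for the application's access check: the role must be allowed
    the action (vertical) and the record must belong to the user's tenant
    (horizontal). Every refusal is logged so an admin can spot probing."""
    if user.role not in POLICY.get(action, set()):
        log.deny(user, action, record, "role")
        return False
    if record.tenant != user.tenant:
        log.deny(user, action, record, "tenant")
        return False
    return True


Case = Tuple[User, str, Record, bool]   # (who, does what, to which record, expected)


def run_matrix(cases: List[Case], log: AuditLog) -> List[str]:
    """Run every cell of the matrix and return the mismatches, i.e. the
    findings a tester would report. In a real test the call to authorize()
    is replaced by the HTTP request the UI would send, replayed directly."""
    findings = []
    for user, action, record, expected in cases:
        got = authorize(user, action, record, log)
        if got != expected:
            findings.append(
                f"{user.name} {action} record {record.record_id}: expected "
                f"{'allow' if expected else 'deny'}, got {'allow' if got else 'deny'}"
            )
    return findings


def build_matrix() -> List[Case]:
    """Constructed test data: three users in two tenants, two records."""
    alice = User("alice", "admin", "tenant-a")
    bob = User("bob", "editor", "tenant-a")
    carol = User("carol", "viewer", "tenant-b")
    r1 = Record(1, "tenant-a")
    r2 = Record(2, "tenant-b")
    return [
        (alice, "delete_record", r1, True),     # admin may delete own tenant's record
        (bob, "edit_record", r1, True),         # editor may edit
        (bob, "delete_record", r1, False),      # vertical: editor must not delete
        (bob, "view_confidential", r1, False),  # vertical: editor must not see confidential data
        (carol, "view_record", r2, True),       # viewer may view own tenant
        (carol, "view_record", r1, False),      # horizontal: other tenant's record
        (alice, "edit_record", r2, False),      # horizontal: admin of tenant-a, record of tenant-b
    ]


if __name__ == "__main__":
    audit = AuditLog()
    problems = run_matrix(build_matrix(), audit)
    print("findings:", problems or "none")
    print("\n".join(audit.entries))
```

The matrix is the deliverable of the test design: every cell states who does what to which record and whether it must be allowed. Any mismatch is a finding, and the audit log should contain one entry per expected denial; an application that refuses silently fails the second half of the check.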

Data Protection

The most familiar case is the password: it must be masked while being typed, sent only over an encrypted channel (TLS), and never stored in a recoverable form. A stored password should not be "encrypted" at all; it should be hashed with a salted, deliberately slow password hash (bcrypt, scrypt or Argon2) so that a stolen database still does not yield the passwords. Data protection is not limited to password fields. In a health-care application every patient record is confidential, and the same holds for account and card data in the financial domain; such data must be encrypted wherever it rests, in the database as well as in flat files, exports and backups. Verifying that data is encrypted is only half the check: also verify who can decrypt it. Keys must be kept separate from the data (a key stored in the same table or configuration file as the ciphertext protects nothing), and decryption should be possible only for the components and users that genuinely need the plaintext.
Testers should also confirm that a standard, vetted algorithm and mode is used (for example AES in GCM mode) rather than something home-grown or an obsolete cipher. A simple scheme, or even a strong cipher used in a mode such as ECB, leaves patterns in the ciphertext that let an attacker recognise repeated values and work towards the confidential data. Apart from databases and files, pay attention to where data travels: sensitive values must not be passed as-is in the URL of a web application, because query strings end up in browser history, proxy and server logs, and Referer headers.
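As an added example (not code from the original article), here is what "the password is encrypted" should actually mean when a tester checks it: passwords are hashed with a salted, memory-hard function (scrypt, available in the Python standard library) and verified with a constant-time comparison, with an unsalted fast hash shown beside it to make the "pattern" problem visible. The small URL check at the end flags sensitive fields travelling in a query string. The work factors and the list of sensitive parameter names are assumptions chosen for illustration.

```python
# Added example, not from the original article: salted memory-hard password
# hashing (scrypt) with constant-time verification, an unsalted MD5 for
# contrast, and a check for sensitive fields in URL query strings.
# Work factors and parameter names are assumptions for illustration.
import base64
import hashlib
import hmac
import os
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Work factors (assumed): about 16 MiB of memory per hash; raise N over time.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt$hash'. A fresh
    16-byte random salt means two users with the same password get
    different records, so no pattern is visible in a dumped table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters stored in the record and
    compare in constant time, so timing does not leak how many bytes matched."""
    algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=base64.b64decode(salt_b64),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def weak_hash(password: str) -> str:
    """What a tester often finds behind an 'encrypted password' requirement:
    unsalted MD5. Identical passwords give identical values, so one cracked
    hash (or a lookup table) unlocks every account sharing that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Assumed list of parameter names that must never appear in a query string.
SENSITIVE_PARAMS = {"password", "passwd", "ssn", "card", "cvv", "token", "session"}


def sensitive_in_query(url: str) -> bool:
    """True if any query-string parameter name looks like confidential data.
    Query strings land in browser history, proxy and server logs and Referer
    headers, so such values must travel in a POST body over TLS instead."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(name.lower() in SENSITIVE_PARAMS for name in params)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print("weak hashes equal:", weak_hash("hunter2") == weak_hash("hunter2"))
    print("secret in URL:", sensitive_in_query("https://app.example/login?user=a&password=b"))
```

When reviewing a stored credential, look for the self-describing record format: it lets the work factor be raised later without breaking existing users, since the old parameters are read back from the record at verification time.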

Brute Force Attack

A brute force attack tries many candidate passwords until the one belonging to an authorized user is found. The attacker may also work across accounts, trying one common password against many users (password spraying) or replaying credentials leaked from other sites (credential stuffing), which a per-account lockout alone does not stop. Ways to test whether the application resists such attacks: first, check that password creation enforces a minimum strength and rejects well-known weak or previously breached passwords; the exact policy depends on business needs, but length matters more than forced character classes. Second, check that failed logins are throttled, with a short delay that grows with each failure and rate limiting per source address as well as per account. A hard lockout after a few (3-5) invalid attempts is the traditional control, but it lets an attacker lock legitimate users out at will, so it should at least be temporary and accompanied by logging and alerting. Third, check that the error message for a wrong password is identical to that for a non-existent user, so the login form does not tell the attacker which usernames exist. Forcing users to change their password on a fixed schedule (for example every 15 days) is no longer recommended by current guidance such as NIST SP 800-63B, because it pushes users towards predictable variations; a change should instead be required when there is evidence of compromise.
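The following is an added example, not code from the original article: a login throttle that tracks failures per account and per source address and applies a growing delay instead of a hard lockout after a fixed number of attempts, so a tester can see why per-account counting alone misses password spraying. The limits, the time window and the sample addresses are assumptions chosen for illustration.

```python
# Added example, not from the original article: login throttling with
# per-account progressive delay and a per-source limit that catches password
# spraying. Limits, window and addresses are assumptions for illustration.
from collections import defaultdict
from typing import Dict, List


class LoginThrottle:
    def __init__(self, account_limit: int = 5, source_limit: int = 20,
                 window: float = 900.0, base_delay: float = 2.0,
                 max_delay: float = 300.0):
        self.account_limit = account_limit   # failures per account before delays start
        self.source_limit = source_limit     # failures per source address in the window
        self.window = window                 # seconds of history that count
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.account_fail: Dict[str, List[float]] = defaultdict(list)
        self.source_fail: Dict[str, List[float]] = defaultdict(list)
        self.events: List[str] = []          # what the admin would see in the log

    def _prune(self, stamps: List[float], now: float) -> None:
        while stamps and now - stamps[0] > self.window:
            stamps.pop(0)

    def attempt(self, user: str, source: str, password_ok: bool, now: float) -> str:
        """Decide one login attempt. Returns 'ok', 'denied', 'throttled:<s>'
        or 'blocked_source'. The throttle decision is made before the password
        is consulted, and 'denied' is returned for an unknown user and for a
        wrong password alike so the form does not reveal which accounts exist."""
        acct = self.account_fail[user]
        src = self.source_fail[source]
        self._prune(acct, now)
        self._prune(src, now)

        # Many failures from one address across any accounts: password
        # spraying or credential stuffing; per-account counters never trip.
        if len(src) >= self.source_limit:
            self.events.append(f"BLOCK source={source} failures={len(src)}")
            return "blocked_source"

        # Progressive delay (2s, 4s, 8s, ...) once the account limit is reached:
        # slows guessing without letting an attacker lock the real user out.
        if len(acct) >= self.account_limit:
            delay = min(self.base_delay * 2 ** (len(acct) - self.account_limit),
                        self.max_delay)
            if now - acct[-1] < delay:
                return f"throttled:{delay:g}"

        if password_ok:
            acct.clear()
            return "ok"
        acct.append(now)
        src.append(now)
        self.events.append(f"FAIL user={user} source={source} count={len(acct)}")
        return "denied"


if __name__ == "__main__":
    t = LoginThrottle()
    for second in range(6):
        print(second, t.attempt("alice", "10.0.0.5", False, now=float(second)))
    print(6, t.attempt("alice", "10.0.0.5", True, now=6.0))   # correct password, still throttled
    print(9, t.attempt("alice", "10.0.0.5", True, now=9.0))   # delay elapsed, login succeeds
    spray = LoginThrottle()
    for i in range(21):
        print("spray", i, spray.attempt(f"user{i}", "203.0.113.9", False, now=100.0 + i))
    print("\n".join(t.events + spray.events))
```

A tester can drive the same sequences against a real login form with a script: five wrong passwords for one account followed by the correct one should be delayed, and twenty wrong passwords for twenty different accounts from one address should be blocked even though no single account ever reached its limit.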

SQL injection and XSS

Input fields are the main entry point for both attacks, so the tester should try representative payloads in every field, and in URL parameters, headers and cookies as well: for SQL injection a lone single quote, `' OR '1'='1`, and a comment sequence such as `--`; for XSS `<script>alert(1)</script>` and event-handler variants such as `<img src=x onerror=alert(1)>`. A working injection shows up as a database error, an unexpected extra row, a bypassed login, or a script that runs when the stored value is displayed to another user.

Limiting the length of input fields or rejecting HTML, XML and SCRIPT tags is not a sufficient defence: `' OR 1=1--` fits in ten characters, and a blacklist of tags is bypassed with case changes, encoding or attributes. What the tester should confirm is that the application uses parameterized queries (bound parameters, never string concatenation) for every database access, and that every value it echoes back is encoded for the context in which it is placed (HTML body, attribute, JavaScript, URL). Validating the format of key fields against an allow-list (dates, numbers, identifiers) is still worthwhile as defence in depth, but it is the second line, not the first.
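As an added example (not code from the original article), the vulnerable form of a login query and of a comment renderer are shown beside their hardened forms, run against an in-memory SQLite database with constructed rows. The payloads are the ones a tester would type first; each is short enough to pass any sensible length limit, which is the point made above. Table and column names are assumptions.

```python
# Added example, not from the original article: SQL injection and XSS, the
# vulnerable code next to the hardened code, against constructed data in an
# in-memory SQLite database. Table and column names are assumptions.
import html
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    """Constructed data. Passwords are stored in the clear here only to keep
    the injection demonstration short; see the data protection section."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """String concatenation: the input becomes part of the SQL grammar."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Bound parameters: the input is only ever data, whatever it contains."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def render_vulnerable(comment: str) -> str:
    """Reflects user text into the page unencoded: stored or reflected XSS."""
    return f"<p>{comment}</p>"


def render_escaped(comment: str) -> str:
    """Encodes for the HTML body context: <, >, &, and quotes become entities."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# Payloads a tester tries first; all are shorter than a typical field limit.
SQLI_PAYLOADS = ["' OR '1'='1", "alice' --", "' OR 1=1--"]
XSS_PAYLOADS = ["<script>alert(1)</script>", '<img src=x onerror="alert(1)">']


if __name__ == "__main__":
    db = setup_db()
    for p in SQLI_PAYLOADS:
        print(repr(p), "vulnerable:", login_vulnerable(db, p, p),
              "parameterized:", login_parameterized(db, p, p))
    for p in XSS_PAYLOADS:
        print(render_vulnerable(p))
        print(render_escaped(p))
```

With `' OR '1'='1` as both fields the concatenated query becomes `WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable login returns both users while the parameterized one returns none. `html.escape` is correct only for text placed in the HTML body or a quoted attribute; a value inserted into a JavaScript block or a URL needs the encoding for that context instead.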

Directory Traversal

Directory traversal is a means by which an attacker reads files outside the directory the application intends to serve, by manipulating a file name or path that the application takes from the URL or a form field, e.g. a `filename` parameter.

Testers should try `../` sequences (plain, URL-encoded as `%2e%2e%2f`, double-encoded, and with backslashes), absolute paths such as `/etc/passwd`, and a null byte appended to the name, and check whether the response contains a file from outside the intended directory. The application must validate the input against an allow-list. Characters like "." cannot simply be rejected, since a legitimate file name contains one, so the best approach is to validate file names with a strict regular expression that permits no path separators and, in addition, to resolve the final path and confirm that it still lies under the intended base directory before opening it. Error pages must also not display the full directory in which the file resides.
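The following is an added example, not code from the original article: the two checks described above, an allow-list regular expression for bare file names and a resolve-then-compare check for paths, exercised against the payloads a tester would try. The sample directory and file are created in a temporary folder; the name pattern is an assumed policy.

```python
# Added example, not from the original article: allow-list validation of a
# file name and a resolve-then-compare check that a requested path stays
# under the intended base directory, run against common traversal payloads.
# The name pattern and sample directory are assumptions for illustration.
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote

# Bare file names only: no separators, no leading dot, bounded length (assumed policy).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_safe_name(name: str) -> bool:
    """Allow-list check for a value meant to be a file name, not a path."""
    return SAFE_NAME.fullmatch(name) is not None


def resolve_under(base_dir: str, user_path: str) -> Optional[Path]:
    """Decode, join to the base directory, resolve '..' and symlinks, and
    accept only if the result is still inside base_dir. Returns None otherwise."""
    decoded = unquote(unquote(user_path))      # catches %2e%2e%2f and %252e%252e%252f
    if "\x00" in decoded:
        return None                            # null-byte truncation tricks
    base = Path(base_dir).resolve()
    target = (base / decoded.replace("\\", "/")).resolve()
    if target == base or base not in target.parents:
        return None
    return target


def demo(base_dir: str) -> Dict[str, bool]:
    """Run the usual traversal payloads against base_dir; True means accepted."""
    attempts = [
        "q1-report.txt",
        "sub/../q1-report.txt",
        "../../etc/passwd",
        "..\\..\\windows\\win.ini",
        "%2e%2e%2fetc%2fpasswd",
        "%252e%252e%252fetc%252fpasswd",
        "/etc/passwd",
        "q1-report.txt%00.png",
    ]
    return {a: resolve_under(base_dir, a) is not None for a in attempts}


def make_sample_dir() -> str:
    """Constructed directory: reports/q1-report.txt inside a temp folder."""
    root = tempfile.mkdtemp()
    reports = Path(root) / "reports"
    reports.mkdir()
    (reports / "q1-report.txt").write_text("Q1 figures\n")
    return str(reports)


if __name__ == "__main__":
    reports_dir = make_sample_dir()
    for payload, accepted in demo(reports_dir).items():
        print(f"{'ALLOW' if accepted else 'DENY ':5} {payload}")
    for name in ["q1-report.txt", "../q1-report.txt", ".htaccess", "a/b.txt"]:
        print(f"{'safe ' if is_safe_name(name) else 'unsafe'} {name}")
```

Where the parameter is meant to be a file name, `is_safe_name` alone is enough and simpler to reason about; the resolve-then-compare check is for cases where a relative path is genuinely required, and it also catches a symlink inside the base directory that points outside it, which a purely textual check would miss.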

For a start, I have written this article covering only the basics of security testing. I look forward to writing on more advanced topics in the days that follow.

Tags: Testing