SECURITY TESTING WHITE PAPER

Contents:

Introduction
The Need for Security Testing
Security Scorecards
Test Approach
Framework
Project Initiation Process
Conclusion
Our Expertise
Appendix

Introduction

Applications and networks that are open to the outside world always carry security weaknesses that can cause severe damage to a company and the loss of important data. Application and product security often concerns business-critical information, which demands a high level of protection.

With less and less time available to deliver applications and products, thorough security audits and security assessments are often omitted. Because of the resulting security flaws, organizations can face legal exposure, and in some cases the consequences can even be life-threatening. Security testing and auditing, backed by proper analysis, is therefore necessary and critical to eliminating most software flaws.

This paper outlines a framework created by the ZENQ team and describes how security testing is carried out in order to establish a strategy and approach that follows industry standards.

The Need for Security Testing

Implementing information security measures is becoming more difficult because of the huge number of possible information security threats connected with use of the Internet.

The table below describes the percentage of vulnerabilities across different industries, together with the average number of days taken to fix the issues.

Figure 1. The Current State of Web Site Security, Sorted by Industry

Security Scorecards

MOST COMMON VULNERABILITIES

The figure below depicts the most prevalent vulnerability classes, calculated from the percentage of websites on which at least one instance of each class was found.

Once information security measures are in place, the application should be tested for external intrusion issues using methods such as:

• Cross-site scripting (XSS)
• Failure to restrict URL access
• Insecure direct object reference
• Cross-site request forgery
• Direct SQL injection in web page inputs
• SQL injection in the site address (URL SQL injection)
• Password cracking using decryption systems
• Guessing the website session ID (session prediction)
• Buffer overflow

In general, there are four basic security requirements that need to be addressed:

Confidentiality: Unauthorised users are prevented from viewing sensitive information.

Integrity: Only authorized users or processes are permitted to modify data.

Availability: Availability is a requirement that is often neglected when thinking about security. However, user productivity drops dramatically if network-based applications are unavailable or too slow because of denial-of-service attacks. If, for example, a web-based e-learning system is slow, users not only need more time to do their work but also become frustrated, compounding the negative effect on productivity.

Non-Repudiation: Users are unable to deny having carried out operations. For instance, whenever students' grades are changed, it must be possible to reliably trace who performed the modification.
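As an added illustration of the non-repudiation requirement above (example code written for this page, not part of ZenQ's paper or toolset), the following Python sketch records grade changes in a tamper-evident audit log: each entry names the authenticated actor and is chained to the previous entry with an HMAC, so a later attempt to rewrite or delete a record is detected rather than silently accepted. The key, actor names and grade events are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; in a real deployment it would be held in a KMS/HSM and
# never appear in source code.
AUDIT_KEY = b"constructed-demo-key-do-not-use"


class TamperEvidentAuditLog:
    """Append-only log of security-relevant actions.

    Each entry is tagged with HMAC-SHA256 over its own fields plus the tag of the
    previous entry, so altering, reordering or deleting a record breaks the chain
    and is reported by verify()."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "tag"}
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, actor: str, action: str, target: str, old, new, when=None) -> dict:
        """Append one event attributed to the authenticated identity `actor`."""
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "old": old,
            "new": new,
            "prev_tag": self.entries[-1]["tag"] if self.entries else "",
        }
        entry["tag"] = self._tag(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; return (True, None) or (False, index_of_first_bad_entry)."""
        prev = ""
        for i, e in enumerate(self.entries):
            if e["prev_tag"] != prev or not hmac.compare_digest(e["tag"], self._tag(e)):
                return False, i
            prev = e["tag"]
        return True, None

    def who_changed(self, target: str):
        """Trace every actor that modified `target`, oldest first."""
        return [(e["actor"], e["old"], e["new"]) for e in self.entries if e["target"] == target]


def demo():
    log = TamperEvidentAuditLog(AUDIT_KEY)
    grade = "student:1042/course:CS101"
    # Constructed events for the e-learning scenario in the text.
    log.record("prof.kim", "grade.update", grade, "B", "A")
    log.record("ta.lee", "grade.update", grade, "A", "A-")
    intact, _ = log.verify()
    history = log.who_changed(grade)
    # Someone later tries to disown the first change by editing the stored record.
    log.entries[0]["actor"] = "unknown"
    still_ok, bad_index = log.verify()
    return intact, history, still_ok, bad_index


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the log was not edited after the fact; attribution still depends on `actor` coming from a properly authenticated session, which is why the confidentiality and integrity controls above have to be in place first.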

To counter these attacks, early and frequent security analysis is needed.

At ZENQ we perform comprehensive tests, using our specially designed test approach, to make sure that the confidentiality, integrity and availability of the application are protected against security breaches.

Test Approach

To combat security threats in applications, security testing has to be conducted so that appropriate measures can be taken to eliminate vulnerabilities before they are exploited.

The security testing specialists at ZenQ have developed a structured approach to security testing. Our approach is based on industry-wide standards, best practices and methodologies such as OWASP, WASC, SANS and NIST.

Figure 1.1 below shows the security testing methodology we follow to minimize the risk of a security breach and improve the security posture of the application under test (AUT); the phases are briefly described below.

Figure 1.1: Process Flow

Phase 1: Threat Modelling

The initial phase of a penetration test is threat modelling of the web/mobile application, i.e. identifying the threats, attacks, vulnerabilities and countermeasures that could affect the application.

The process is two-fold:

Define Scope:

We begin by gathering information about the critical assets and target applications from the client's expectations document, and then conduct further evaluation to define the scope of the testing effort: the important assets and functionalities and their relative values, the areas of concern for those assets, and any known vulnerabilities.

Threat Profiles:

The next step is to list all possible threats to the application. We also determine the possible goals of an adversary attacking the application, which in turn helps identify the vulnerabilities that would allow those goals to be reached. The identified threats are classified using the STRIDE model and a threat profile is created.

The threat profile includes the following attributes:

• Asset – Critical functionality/feature of the application under test
• Actor – Who or what may violate security requirements such as the confidentiality, integrity and availability of an asset
• Motive (optional) – Indication of whether the actor's intentions are deliberate or accidental
• Access control – How the asset (functionality/feature) will be accessed by the actor
• Outcome – Immediate result of violating the security requirements of an asset, i.e. disclosure, modification, destruction, loss, interruption, etc.

Phase 2: Test Plan

Once the threat model is reviewed and established, we move on to test planning. A detailed test plan is created that covers the overall execution strategy, deliverables, test cases and the effort required to conduct the penetration test.

Test Strategy:

The test strategy, included as part of the test plan, describes the scope, approach, resources and schedule for the testing activities of the project. It also defines what will be tested, who will perform the testing, how testing will be managed, and the associated risks and contingencies.

Test Design:

The probability of an event occurring and the risk associated with each occurrence are taken into account when designing the tests.

Test Cases:

Once the threat profile is ready, the attack techniques to try are determined. For each threat in the threat profile, we list all the possible ways of realizing it. For example, we can try to view another user's account information through an SQL injection attack, by manipulating request variables, or by retrieving the information from the browser cache.

The complete list of exact test cases to be tried for each threat is included as part of the test plan. Each test case specifies the page and the variable on which the test will be tried. This detailed test plan serves an important purpose: it ensures that a thorough test is carried out and that no attack vector for any threat is left unexplored.

Each test case comprises the following:

• Threat scenario
• Pages/functionalities affected by the threat
• Associated attacks to be performed for each threat scenario
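To show how the Phase 1 threat profile feeds the Phase 2 test cases, here is an added Python example (written for this page; it is not ZenQ's tooling). It models a threat with the profile attributes and a STRIDE category, expands each threat into one test case per attack technique and per page/variable, and then checks that no attack vector in the profile is left without a test case. The assets, pages, parameters and the second threat are constructed; the three techniques for the account-information threat are the ones named in the text.

```python
from dataclasses import dataclass, field
from enum import Enum


class Stride(Enum):
    """STRIDE threat categories used to classify each identified threat."""
    SPOOFING = "S"
    TAMPERING = "T"
    REPUDIATION = "R"
    INFORMATION_DISCLOSURE = "I"
    DENIAL_OF_SERVICE = "D"
    ELEVATION_OF_PRIVILEGE = "E"


@dataclass
class Threat:
    """One row of the threat profile (attributes as listed in Phase 1)."""
    asset: str                    # critical functionality/feature under test
    actor: str                    # who or what may violate the requirement
    access: str                   # how the actor reaches the asset
    outcome: str                  # disclosure, modification, destruction, ...
    category: Stride
    motive: str = "deliberate"    # optional attribute
    attacks: list = field(default_factory=list)   # ways of realizing the threat


@dataclass
class TestCase:
    """One planned test: threat scenario, page/variable and attack (Phase 2)."""
    asset: str
    threat_scenario: str
    page: str
    parameters: list
    attack: str


def build_test_cases(threats, page_map):
    """Expand every threat into one test case per attack per exposed page.

    page_map maps an asset to the (page, [variables]) pairs where it is reachable."""
    cases = []
    for t in threats:
        scenario = (f"[{t.category.value}] {t.actor} causes {t.outcome} "
                    f"of '{t.asset}' via {t.access}")
        for attack in t.attacks:
            for page, variables in page_map.get(t.asset, []):
                cases.append(TestCase(t.asset, scenario, page, list(variables), attack))
    return cases


def coverage_gaps(threats, cases):
    """Attack vectors in the profile that no test case exercises."""
    exercised = {(c.asset, c.attack) for c in cases}
    return [(t.asset, a) for t in threats for a in t.attacks
            if (t.asset, a) not in exercised]


def demo():
    # Constructed threat profile for a hypothetical customer portal.
    threats = [
        Threat(asset="View account information",
               actor="Authenticated customer",
               access="HTTP requests to the account pages",
               outcome="disclosure",
               category=Stride.INFORMATION_DISCLOSURE,
               attacks=["SQL injection", "Request variable manipulation",
                        "Browser cache retrieval"]),
        Threat(asset="Password reset",
               actor="Unauthenticated visitor",
               access="Reset link sent by e-mail",
               outcome="modification",
               category=Stride.SPOOFING,
               attacks=["Session prediction"]),
    ]
    # Constructed page inventory; the reset flow has not been mapped yet,
    # so its attack vector must show up as a coverage gap.
    page_map = {
        "View account information": [("/account", ["id"]),
                                     ("/account/export", ["id", "format"])],
    }
    cases = build_test_cases(threats, page_map)
    gaps = coverage_gaps(threats, cases)
    return cases, gaps


if __name__ == "__main__":
    cases, gaps = demo()
    for c in cases:
        print(c.threat_scenario, "|", c.page, c.parameters, "|", c.attack)
    print("Uncovered attack vectors:", gaps)
```

The `coverage_gaps` check is the mechanical form of the guarantee the text asks for: a threat whose asset has not been mapped to any page or variable cannot be tested, so it is flagged before the plan is signed off rather than discovered after execution.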

Phase 3: Test Execution

With the complete test plan reviewed and agreed upon with the client, the penetration testing activity is carried out by executing each test case from the test plan. As each test case is executed, further tests may be needed to confirm the results.

Test execution includes:

• Identification of vulnerabilities based on the attacks performed
• Exploitation
• Exfiltration of data, if any

Phase 4: Result Reporting

Upon completion of test execution, a root cause analysis is performed and recommendations on how the vulnerabilities can be addressed are determined. Detailed reports are then prepared, on the basis of which the application can be secured.

The following reports are provided to the client upon completion of the testing:

Technical Review Report:

Along with the vulnerabilities observed, the report details the impact each would have on the business, the ease of exploiting it and its risk rating. It also describes how the exploit was carried out, with steps and screenshots wherever required, and gives recommendations on how the vulnerability can be fixed.

Executive Review Report:

A high-level report that describes the process followed in security testing and gives the risk rating of the application from the business perspective. The Risk Rating Matrix we use to rank risks is described in the Appendix.

Framework

The framework consists of a set of components that combine to achieve a structured approach for conducting security tests efficiently and effectively. The logical architecture and the underlying components of the framework used by ZENQ's security test team are depicted in the figure below, and the components are briefly explained in the sections that follow.

Project Initiation Process

Initial Call

• Discuss the Security Testing service offering
• Understand the client's requirements

Test Proposal

• Create the security test proposal
• Submit the security test proposal for the client's approval

Penetration Tests

• Understand the functionality of the application and create the threat modelling sheet
• Perform vulnerability assessment using manual and automated tools
• Exploit the vulnerabilities

Reports

• Create a comprehensive audit report listing the vulnerabilities identified and suggestions on how to resolve them
• Issue a compliance certificate attesting adherence to security standards

Conclusion

This paper has described the current challenges faced by applications built across different industries and the need for security testing in this area. We have reviewed the current categories, criteria and approaches for conducting security testing of applications in various industries.

We believe that with our approach, based on the industry-recognized OWASP guidelines, our clients will be able to thwart and remediate vulnerabilities that would pose serious risks to their applications if left unaddressed, ensure compliance with banking, financial and other relevant standards, carry out their transactions and maximize their return on investment.

Our Expertise

ZenQ's security testing team applies this process to identify threats and conduct penetration tests much as an attacker would.

Our areas of expertise include:

• Web Application Penetration Testing
• Web Services Security Testing
• Mobile Application Security Testing
• External Network Security Testing
• Internal Network Security Testing
• Secure Code Review

Appendix

Risk Rating Matrix:

RATING – DEFINED AS

CRITICAL – Serious vulnerabilities that have been exploited or are highly likely to be exploited, and/or significant deficiencies in design, implementation or management identified.

HIGH RISK – Vulnerabilities discovered with moderate likelihood of exploitation, and/or at least one significant deficiency in design, implementation or management identified.

MEDIUM RISK – Vulnerabilities discovered with moderate likelihood of exploitation, and/or multiple deficiencies in design, implementation or management identified.

ELEVATED RISK – Vulnerabilities discovered with low likelihood of exploitation, and/or minor deficiencies in design, implementation or management identified.

LOW RISK – No vulnerabilities or deficiencies in design, implementation or management. All patches and service packs have been applied.


ZENQ is a pure-play testing services company based in India. Our highly competent IT professionals and domain experts, combined with industry best practices and our investments in state-of-the-art technologies, have made us a dependable, long-term IT service partner to all our clients.

For more details, visit our website at www.zenq.com or send us an email at [email protected]