© 2011 systemsecurityandtest.com
Security Testing
Who, What, When and How
of Security Testing
Heidi [email protected]
Quick Info
Bathroom breaks
Phone calls – silence or vibrate; take the call if needed – please step out
Snacks – sugar boost in center of your table; go get a drink if you need one
Ask questions to me & each other!! “It depends” Ask me….why or why not? I will tell you if I don’t know!!!!
Professional Stuff
Me A Poll
Interactive = means we ALL participate
Get on with it Heidi…
Who, What, When and How of Security Testing
Definition of Security
Types of threats & attacks
CIA
Hacker vs. Cracker vs. Tester vs. Script Kittie
Access Control
Authentication
SQL Injection
XSS
Cookies
Windows 98 ‘Blue Screen of Death’
Toyota Blames Prius Brake Software
Toyota said that a software “glitch” is to blame for brake problems.
Toyota found some parts weren’t being tested as rigorously as thought.
D-Link Router Design Error
D-Link DIR-300 WiFi Key Security Bypass Vulnerability
The D-Link DIR-300 wireless router is prone to a security-bypass vulnerability. Remote attackers can exploit this issue to modify the WiFi key and possibly other configuration settings. Successful exploits will lead to other attacks.
Signing Off
Remember “Signing Off” on software?
……and then IT BLOWS UP!!!
What’s going on in the world?
Nasdaq
Twitter
Michael Jackson
Gmail (cloud computing)
EC-Council Webinar
Costco…Really???
True/False?
“Software can be correct without being secure.”(1)
It’s cheaper to let System Admins deal with security.
MORE
Rebuilding Trust
Types of Functional Testing
White Box
Black Box
Grey Box
Unit
Integration
System
Regression
Acceptance
Verification
Validation
Static
Dynamic
Smoke
User Acceptance
True or False?
Definition of SECURITY + Definition of TESTING = Security Testing ??
What is Security?
You first!
This is the interactive part that I referenced earlier
Different Definitions
Referring to: Business, Career, Home, Bank, Banking Website, Family, Children, Property, Car, Software, Hardware, Safety, Credit Cards, Country
Many more…
Definition of SECURITY
1. Freedom from risk or danger; safety
2. Freedom from doubt, anxiety, or fear; confidence
3. Something that gives or assures safety
a. A group or department of private guards
b. Measures adopted by a government to prevent espionage, sabotage, or attack
c. Measures adopted to prevent escape
4. Computer Science.
a. The level to which a program or device is safe from unauthorized use.
b. Prevention of unauthorized use of a program or device.
Just out of Curiosity
What does security testing mean to you or your company?
Is QA and development included?
Does QA management know?
Who performs security testing?
Who is responsible in your organization for testing application security?
Manual or automated?
Do you know what’s being tested?
How many of your requirements include security functionality?
How many of you have test cases that specifically address security?
Again, this is the interaction piece discussed earlier.
Fundamental Principles of Security
3 main principles:
C – Confidentiality
I – Integrity
A – Availability
CIA (AIC, CAI, IAC, ICA) triad
CIA
Confidentiality – has anyone else been able to read your document
Integrity – has anyone else been able to change your document
Availability – has anyone else been able to access your document
Threat vs. Vulnerability
Threat – an indication, circumstance, or event with the intent and capability to cause loss or damage to an asset
Vulnerability – a weakness that can be exploited
Where is Risk?
Assets
Threats
Vulnerability
Security Terminology, Threats, Attacks and People
Hacker, Cracker, Script Kiddie, Vulnerability, Threat, Social Engineering, Phishing, Vishing, Viruses, Worms, Trojans, Cross Site Scripting (XSS), Keyloggers, Rootkits, Spyware, Adware, Logic Bombs, Denial of Service, Spamming, Hoaxes, Port Scanners, Password Crackers, Boot Sector Virus Attack, Corrupted Registry, Buffer Overflows, Dictionary Attacks, Cookie Manipulation, SQL Injections, etc., etc., etc.
Titles/Roles - WHO
Hacker – hired by companies to help identify vulnerabilities
Script Kittie (a.k.a Skittie, Script bunny) – annoying people playing around
Cracker – people who methodically attack for a purpose, exploiting the threats
Let’s talk about these people.
Tester - ????
Worm Vs. Virus - WHAT
Used interchangeably. Same? or Different?
Virus – small application or string of code that infects application
REQUIRES host application to do this!
Worm – different than viruses – they Do Not Need a host application – they can reproduce on their own.
Trojan & Buffer Overflow – WHAT
Trojan – a program disguised as another program. Normally deletes or replaces system files. Commonly leaves a backdoor to allow re-entry.
Buffer Overflow – too much data is accepted as input to an application. The buffer is allocated only so much memory.
SQL Injection - WHAT
SQL Injection - when user input is either incorrectly filtered for string literal characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed
Social Engineering - WHAT
What is it?
Let’s talk, shall we?
Examples of Social Engineering
Brief chit-chat conversation
Play dumb
Shoulder surfing
Emailing with questions
Contacting help desk
Flash!!
Manipulation, trickery, deception
Game Time
Rules for each table:
Each table will have a list of definitions. The table must tell us:
1. Who
2. What
3. How
Access Control - HOW
Definition – Controlling Access? Yes!!!
The ability of a subject to interact with an object.
(e.g. subject: person, process, computer)
Models of Access Control
Discretionary Access Control – DAC
Mandatory Access Control – MAC
Role-based Access Control – RBAC
Rule-based Access Control – RBAC
Why is this important?
Methods of Access Control
DAC and MAC were used by the military to describe two different ways to control access to systems and objects.
Discretionary – the owner of the object decides who gets permission to access it
Mandatory – the owner does NOT decide who has access. The operating system decides access based on the sensitivity of the object. Ex. clearance in the military. This does not mean that everyone who has Top Secret clearance has access to everything marked Top Secret; the “need to know” principle is also implemented.
Role Based – system admins set this up based on the role(s) you are playing in a project.
Rule Based – system admins set this up based on the rules of the project, e.g. no employees may access payroll files on weekends or after 6 p.m. on weekdays.
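The four models above, as an added example that is not part of the slides: a small Python policy check for each model over constructed users, objects and clearances, with the slide's payroll rule (weekends and after 6 p.m.) as the rule-based check. The way `can_read` combines the models (a grant plus deny-overrides vetoes) is an assumption, not something the deck prescribes.

```python
# Added example (not from the slides): the four access-control models on the
# deck as small policy checks over constructed sample data.
from datetime import datetime

# Constructed data: object owners and labels, DAC grants, MAC clearances with
# need-to-know, and RBAC role assignments.
OBJECTS = {"payroll.xls": {"owner": "alice", "label": "secret"},
           "memo.txt": {"owner": "bob", "label": "public"}}
DAC_GRANTS = {"memo.txt": {"carol"}}             # read grants given by owners
LEVELS = ["public", "confidential", "secret", "top_secret"]
CLEARANCE = {"alice": "secret", "bob": "public", "carol": "secret"}
NEED_TO_KNOW = {"alice": {"payroll.xls"}, "bob": {"memo.txt"}, "carol": {"memo.txt"}}
ROLES = {"alice": {"payroll_clerk"}, "bob": {"engineer"}, "carol": {"auditor"}}
ROLE_PERMS = {"payroll_clerk": {"payroll.xls"}, "auditor": {"payroll.xls"}}
# Constructed sample times for the rule-based check.
MONDAY_MORNING = datetime(2011, 6, 6, 9, 0)
MONDAY_EVENING = datetime(2011, 6, 6, 19, 0)
SATURDAY_MORNING = datetime(2011, 6, 4, 9, 0)

def dac(user, obj):
    """Discretionary: the owner decides; the owner and grantees may read."""
    return OBJECTS[obj]["owner"] == user or user in DAC_GRANTS.get(obj, set())

def mac(user, obj):
    """Mandatory: the system compares clearance with the object's label, and
    clearance alone is not enough; the user must also have need to know."""
    cleared = LEVELS.index(CLEARANCE[user]) >= LEVELS.index(OBJECTS[obj]["label"])
    return cleared and obj in NEED_TO_KNOW.get(user, set())

def rbac(user, obj):
    """Role-based: admins map roles to permissions; users get them via roles."""
    return any(obj in ROLE_PERMS.get(r, set()) for r in ROLES.get(user, set()))

def rule_based(user, obj, when):
    """Rule-based: the slide's rule, no payroll files on weekends or after 6 p.m."""
    if obj == "payroll.xls" and (when.weekday() >= 5 or when.hour >= 18):
        return False
    return True

def can_read(user, obj, when):
    """Assumed composition: a DAC or RBAC grant is required, and the MAC and
    rule-based checks can each veto it (deny overrides)."""
    granted = dac(user, obj) or rbac(user, obj)
    return granted and mac(user, obj) and rule_based(user, obj, when)
```

Note that carol is cleared for "secret" and holds the auditor role, yet `can_read` still refuses her the payroll file: that is the slide's point that clearance does not equal access.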
Authentication - HOW
Definition - Verifying the identity of the subject
That’s all Authentication should confirm!!
Access Control vs. Authentication?
1. Change the pages the user sees
2. Log in with username/password
Authentication Testing - HOW
Minimum testing:
1. Correct username and password
2. Incorrect username and correct password
3. Correct username and Incorrect password
4. Correct password and empty username
5. Correct username and empty password
Are all of you at least doing this?
6. Secure login – make sure that when you are logging into an application you see HTTPS in the address bar.
7. Message testing – malicious users can find out a whole bunch of information from messages
Example message: “Incorrect combination of username and password”
8. Logout then press Browser <Back> button.
Capture URL via Print Screen
Session Timeout –
Login with active username and password
Go to lunch or have some soda
Time how long the session is live
What is correct?
When does the session finally die?
9. Bookmark page –
login to application
navigate to another page in application
bookmark the page
logout application
Go to bookmarked page
10. Change the ID to an ID of another account
WHAT??
When browsing in the application
1. look for ID in header or in URL specifically related to your application ID
2. try to change it to something else
Story – I read about this in Security Acts magazine.
Security Acts Issue 4
11. Different browsers accessing at the same time
1. Copy user information into a new browser
2. Copy the URL to a new browser AFTER the application has been opened in another browser.
Don’t just use another tab in the browser; try Firefox or Chrome. If possible send the URL to a different computer.
12. Manipulate URL after login
1. delete IDs one by one
2. continue browsing the application
3. break down the URL into “pieces and parts”
13. How many times can I type the incorrect password before being locked out?
Susceptible to brute force attack
Crucial:
14. What are the consequences of being locked out?
Lockouts have caused some companies to become unavailable. This would be bad.
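Items 1 to 5, 7, 13 and 14 above, as an added example that is not from the slides: a constructed in-memory login service with one generic failure message and a per-account lockout, plus the minimum test cases run against it. The account name, password and lockout threshold are assumptions; a real system would also expire the lockout so that item 14's availability problem does not arise.

```python
# Added example (not from the slides): a constructed in-memory login service
# with the minimum authentication tests from the deck run against it.
import hashlib, hmac, os
MAX_FAILURES = 3                   # assumed lockout threshold (item 13)
GENERIC_MSG = "Incorrect combination of username and password"   # item 7
TEST_USER, TEST_PASSWORD = "admin", "s3cret!"   # constructed test account

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class LoginService:
    def __init__(self):
        salt = os.urandom(16)
        self._users = {TEST_USER: (salt, _hash(TEST_PASSWORD, salt))}
        self._failures = {}        # consecutive failures per account

    def login(self, username, password):
        """Returns (ok, message). Every failure gets the same message so the
        response never says whether the username exists (item 7)."""
        if not username or not password:
            return False, GENERIC_MSG
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return False, GENERIC_MSG          # locked out (items 13/14)
        record = self._users.get(username)
        if record is None:
            _hash(password, b"\0" * 16)        # same work for unknown users
            ok = False
        else:
            salt, expected = record
            ok = hmac.compare_digest(_hash(password, salt), expected)
        if ok:
            self._failures.pop(username, None)
            return True, "Welcome"
        self._failures[username] = self._failures.get(username, 0) + 1
        return False, GENERIC_MSG

def run_minimum_tests(svc):
    """Items 1 to 5 from the deck; returns [(case, logged_in), ...]."""
    cases = [("correct username and password", TEST_USER, TEST_PASSWORD),
             ("incorrect username, correct password", "nobody", TEST_PASSWORD),
             ("correct username, incorrect password", TEST_USER, "wrong"),
             ("correct password, empty username", "", TEST_PASSWORD),
             ("correct username, empty password", TEST_USER, "")]
    return [(name, svc.login(user, pw)[0]) for name, user, pw in cases]

def is_locked_after(svc, username, wrong_tries):
    """Item 13: after wrong_tries bad passwords, is the correct one refused?"""
    for _ in range(wrong_tries):
        svc.login(username, "not-the-password")
    return not svc.login(username, TEST_PASSWORD)[0]
```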
15. There was a study a couple of years ago (2009) that brought to light the number of companies that keep default passwords for:
Applications
Firewalls
O/S
Security Software
Etc….
Test Default Values
Test/Test
Guest/Guest
Test1234/Test1234
Admin/Admin
Training/Training
Training1/Training1
……/password
16. SQL Injection
simplest: 1' or '1'='1
1. Type this into your password field with username = admin.
2. If it works then this is bad! The user often ends up with administrator access.
Authentication Testing Game
Rules:
Object of the game
Common Fields in Database
email, passwd, login_id, full_name
Don’t ask for a list of fields in the database! Guess! Use your experience to guide you.
SQL injections by example: http://unixwiz.net/techtips/sql-injection.html
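Item 16's payload and the field names on the "Common Fields in Database" slide, as an added example that is not from the slides: the same login query built by string concatenation and by parameter binding, run against a constructed SQLite table, so a tester can see why the payload logs in against one and not the other. The table contents and the `bypass_works` helper are constructed for this example.

```python
# Added example (not from the slides): one login query built two ways against
# a constructed SQLite table that uses the deck's common field names.
import sqlite3

PAYLOAD = "1' or '1'='1"      # the slide's "simplest" test value (item 16)

def make_db():
    """Constructed sample table; the one row is the account under test."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)")
    db.execute("INSERT INTO users VALUES ('admin@example.com', 'CorrectHorse', 'admin', 'Site Admin')")
    return db

def login_vulnerable(db, login_id, passwd):
    """String concatenation: the input becomes part of the SQL text, so a quote
    in the password ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT full_name FROM users WHERE login_id = '" + login_id +
           "' AND passwd = '" + passwd + "'")
    return db.execute(sql).fetchone()

def login_safe(db, login_id, passwd):
    """Parameter binding: the driver sends the input as data, so the same
    payload is compared literally against the passwd column."""
    sql = "SELECT full_name FROM users WHERE login_id = ? AND passwd = ?"
    return db.execute(sql, (login_id, passwd)).fetchone()

def bypass_works(login_fn, db):
    """The tester's check from the slide: with username admin and the payload
    as the password, does the login succeed? True means 'this is bad'."""
    return login_fn(db, "admin", PAYLOAD) is not None
```

With concatenation the WHERE clause becomes `login_id = 'admin' AND passwd = '1' or '1'='1'`, and since AND binds tighter than OR the row matches regardless of the password.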
Cookies - HOW
Simplest Definition: a small ASCII text file used in HTTP exchanges between a browser and web server, commonly stored on the hard drive.
Session Cookies
Tracking Cookies
Does your application use them? Do you test them?
Issues with Cookies - HOW
Easy for spyware to read them
Many applications require you to accept third-party cookies
Sessions may not expire as expected
May include sensitive information – possibly allowing access to secure site
If using HTTP can be hijacked by malicious user
Testing Cookies - HOW
Test using Mozilla – stores all cookies for you to view.
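The cookie issues listed above, as an added example that is not from the slides: a Python checker that reports each issue from a Set-Cookie header once you have copied it out of the browser's cookie view. Secure, HttpOnly, Max-Age and Expires are standard cookie attributes; the 30-minute session limit, the sensitive-value markers and the sample headers are constructed for this example.

```python
# Added example (not from the slides): flag the cookie issues from the deck
# by inspecting Set-Cookie headers. Secure, HttpOnly, Max-Age and Expires are
# standard cookie attributes; the limits and sample headers are constructed.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SESSION_SECONDS = 30 * 60           # assumed policy for session cookies
SENSITIVE_MARKERS = ("role=", "admin", "password", "ssn=")   # assumed list

def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=value' into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def cookie_lifetime(attrs, now):
    """Seconds until expiry, or None for a browser-session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    return None

def check_cookie(header, now=None, session_cookie=True):
    """Return the findings for one Set-Cookie header, one per slide issue."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: sent over HTTP and can be hijacked")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by script, easy to read")
    lifetime = cookie_lifetime(attrs, now)
    if session_cookie and lifetime is not None and lifetime > MAX_SESSION_SECONDS:
        findings.append("session may not expire as expected")
    if any(marker in value.lower() for marker in SENSITIVE_MARKERS):
        findings.append("may include sensitive information")
    return findings

# Constructed sample headers and a fixed clock for the Expires case.
GOOD = "SESSIONID=7f3a9c; Secure; HttpOnly"
BAD = "SESSIONID=role=admin; Max-Age=2592000"
EXPIRING = "SESSIONID=7f3a9c; Secure; HttpOnly; Expires=Wed, 01 Jun 2011 12:00:00 GMT"
NOW_2011 = datetime(2011, 6, 1, 11, 50, tzinfo=timezone.utc)
```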
Convincing Management of the Importance - WHEN
Show manager the list of threats & attacks
Explain this is only a partial list
Recommend adding a line item under QA for security testing
Let the Project Manager cut it based on time constraints
More time for QA?? - WHEN
“We are going to give you an extra week….because we think you are SWELL and we want you to include security testing!!!”
How often does that really happen?
NEVER!!!!
Justifying testing – Joanna Rothman
Cost to fix defect during different times in a project
How YOU can implement
Add this to your annual goals
Build security test cases in your projects as if you have always done this testing
Add security testing to your test plan
Build it as a separate section or appendix in your test plan
Let’s Be VERY Clear!!
Testing Security
is not the same as
Testing Functionality.
QUESTIONS???
References