
Page 1: © 2011 systemsecurityandtest.com Security Testing Who, What, When and How of Security Testing Heidi Harmes-Campbell heidihc@systemsecurityandtest.com

© 2011 systemsecurityandtest.com

Security Testing

Who, What, When and How of Security Testing

Heidi Harmes-Campbell – heidihc@systemsecurityandtest.com

Page 2: Quick Info

Bathroom breaks

Phone calls – silence or vibrate; take the call if needed, but please step out

Snacks – sugar boost in the center of your table; go get a drink if you need one

Ask questions to me & each other!! “It depends” – ask me… why or why not? I will tell you if I don’t know!!!!

Page 3: Professional Stuff

Me

A Poll

Interactive = means we ALL participate

Get on with it Heidi…

Page 4: Who, What, When and How of Security Testing

Definition of Security

Types of threats & attacks

CIA

Hacker vs. Cracker vs. Tester vs. Script Kittie

Access Control

Authentication

SQL Injection

XSS

Cookies

Page 5: Windows 98 ‘Blue Screen of Death’

Page 6: Toyota Blames Prius Brake Software

Toyota said that a software “glitch” is to blame for brake problems.

Toyota found some parts weren’t being tested as rigorously as thought.

Page 7: D-Link Router Design Error

D-Link DIR-300 WiFi Key Security Bypass Vulnerability

The D-Link DIR-300 wireless router is prone to a security-bypass vulnerability. Remote attackers can exploit this issue to modify the WiFi key and possibly other configuration settings. Successful exploits will lead to other attacks.

Page 8: Signing Off

Remember “Signing Off” on software?

……and then IT BLOWS UP!!!

Page 9: What’s going on in the world?

Nasdaq

Twitter

Michael Jackson

Gmail (cloud computing)

EC-Council Webinar

Costco… Really???

Page 10: True/False?

“Software can be correct without being secure.”(1)

It’s cheaper to let System Admins deal with security.

MORE

Page 11: Rebuilding Trust

Page 12: Types of Functional Testing

White Box, Black Box, Grey Box

Unit, Integration, System, Regression, Acceptance

Verification, Validation, Static, Dynamic, Smoke, User Acceptance

Page 13: True or False?

Definition of SECURITY+

Definition of TESTING=

Security Testing ??

Page 14: What is Security?

You first!

This is the interactive part that I referenced earlier

Page 15: Different Definitions

Referring to: Business, Career, Home, Bank, Banking Website, Family, Children, Property, Car, Software, Hardware, Safety, Credit Cards, Country

Many more…

Page 16: Definition of SECURITY

1. Freedom from risk or danger; safety

2. Freedom from doubt, anxiety, or fear; confidence

3. Something that gives or assures safety

a. A group or department of private guards

b. Measures adopted by a government to prevent espionage, sabotage, or attack

c. Measures adopted to prevent escape

4. Computer Science. a. The level to which a program or device is safe from unauthorized use.

b. Prevention of unauthorized use of a program or device.

Page 17: Just out of Curiosity

What does security testing mean to you or your company?

Is QA and development included?

Does QA management know?

Who performs security testing?

Who is responsible in your organization for testing application security?

Manual or automated?

Do you know what’s being tested?

How many of your requirements include security functionality?

How many of you have test cases that specifically address security?

Again, this is the interaction piece discussed earlier.

Page 18: Fundamental Principles of Security

3 main principles:

C – Confidentiality

I – Integrity

A – Availability

CIA (AIC, CAI, IAC, ICA) triad

Page 19: CIA

Confidentiality – has anyone else been able to read your document?

Integrity – has anyone else been able to change your document?

Availability – has anyone else been able to access your document?

Page 20: Threat vs. Vulnerability

Threat – an indication, circumstance, or event with the intent and capability to cause loss or damage to an asset

Vulnerability – a weakness that can be exploited

Page 21: Where is Risk?

Assets

Threats

Vulnerability

Page 22: Security Terminology, Threats, Attacks and People

Hacker, Cracker, Script Kiddie, Vulnerability, Threat, Social Engineering, Phishing, Vishing, Viruses, Worms, Trojans, Cross Site Scripting (XSS), Keyloggers, Rootkits, Spyware, Adware, Logic Bombs, Denial of Service, Spamming, Hoaxes, Port Scanners, Password Crackers, Boot Sector Virus Attack, Corrupted Registry, Buffer Overflows, Dictionary Attacks, Cookie Manipulation, SQL Injections, etc, etc, etc

Page 23: Titles/Roles - WHO

Hacker – hired by companies to help identify vulnerabilities

Script Kittie (a.k.a. Skittie, Script bunny) – annoying people playing around

Cracker – methodically attacks for a purpose; people exploiting the threats

Let’s talk about these people.

Tester - ????

Page 24: Worm Vs. Virus - WHAT

Used interchangeably. Same? or Different?

Virus – small application or string of code that infects an application

REQUIRES host application to do this!

Worm – different than viruses – they Do Not Need a host application – they can reproduce on their own.

Page 25: Trojan & Buffer Overflow – WHAT

Trojan – a program disguised as another program. Normally deletes or replaces system files. Commonly leaves a backdoor to allow re-entry.

Buffer Overflow – too much data is accepted as input to an application. A buffer is allocated only so much memory.

Page 26: SQL Injection - WHAT

SQL Injection – when user input is either incorrectly filtered for string literal characters embedded in SQL statements, or user input is not strongly typed, and is thereby unexpectedly executed

Page 27: Social Engineering - WHAT

What is it?

Let’s talk, shall we?

Page 28: Examples of Social Engineering

Brief Chit-Chat Conversation

Play dumb

Shoulder surfing

Emailing with questions

Contacting help desk

Flash!!

Manipulation, trickery, deception

Page 29: Game Time

Rules for each table:

Each table will have a list of definitions. The table must tell us:

1. Who

2. What

3. How

Page 30: Access Control - HOW

Definition – Controlling Access? Yes!!!

The ability of a subject to interact with an object.

(e.g. subject: person, process, computer)

Page 31: Models of Access Control

Discretionary Access Control - DAC

Mandatory Access Control - MAC

Role-based Access Control - RBAC

Rule-based Access Control – RBAC

Why is this important?

Page 32: Methods of Access Control

DAC and MAC were used by the military to describe two different ways to control access to systems and objects.

Discretionary – owner of the object decides who gets permission to access it

Mandatory – owner does NOT decide who has access. Operating system decides access based on sensitivity of object. Ex. Clearance in Military. This does not mean that everyone who has Top Secret Clearance has access to everything marked Top Secret. Also implemented is the “need to know” principle.

Role Based – system admins set this up based on the role(s) you are playing in a project.

Rule Based – system admins set this up based on the rules of the project e.g. no employees may access payroll files on weekends and after 6 p.m. on weekdays.
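The four models on this slide as small, checkable policy functions, added here as an illustration and not part of the deck. The users, objects, roles, labels and clearances are constructed sample data; the only policy taken from the slide is the payroll rule (no access on weekends or after 6 p.m. on weekdays) and the point that a Top Secret clearance without the matching need-to-know compartment does not open a Top Secret object.

```python
from datetime import datetime

# Constructed sample data (not from the deck): owners and owner-granted shares
# (DAC), admin-assigned roles (RBAC), and labels / clearances with
# compartments (MAC plus need-to-know).
OWNERS = {"design.doc": "alice", "payroll.xlsx": "hr_system"}
DAC_GRANTS = {"design.doc": {"bob"}}                 # alice shared design.doc with bob
ROLE_GRANTS = {"payroll_clerk": {"payroll.xlsx"}, "engineer": {"design.doc"}}
USER_ROLES = {"carol": {"payroll_clerk"}, "bob": {"engineer"}}
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}
LABELS = {"payroll.xlsx": ("confidential", {"hr"}), "design.doc": ("public", set())}
CLEARANCES = {"carol": ("secret", {"hr"}), "bob": ("top_secret", {"eng"})}


def dac_allows(subject, obj):
    """Discretionary: the owner decides; the owner and anyone they granted may access."""
    return OWNERS.get(obj) == subject or subject in DAC_GRANTS.get(obj, set())


def mac_allows(subject, obj):
    """Mandatory: the system compares the subject's clearance with the object's label.
    The clearance must dominate the level AND cover every compartment (need to know),
    so Top Secret on its own does not open every Top Secret object."""
    level, compartments = LABELS[obj]
    clr_level, clr_compartments = CLEARANCES.get(subject, ("public", set()))
    return LEVELS[clr_level] >= LEVELS[level] and compartments <= clr_compartments


def rbac_allows(subject, obj):
    """Role-based: permissions hang off admin-assigned roles, not off the owner."""
    roles = USER_ROLES.get(subject, set())
    return any(obj in ROLE_GRANTS.get(role, set()) for role in roles)


def rule_allows(obj, when):
    """Rule-based: the slide's rule, no payroll access on weekends or after 6 p.m. on weekdays."""
    if obj != "payroll.xlsx":
        return True
    if when.weekday() >= 5:          # Saturday == 5, Sunday == 6
        return False
    return when.hour < 18


def decide(subject, obj, when_iso):
    """Combined decision: a discretionary or role grant is required, and the
    mandatory label check and the time rule are both enforced on top.
    when_iso is an ISO-8601 timestamp such as '2011-06-06T10:00'."""
    when = datetime.fromisoformat(when_iso)
    granted = dac_allows(subject, obj) or rbac_allows(subject, obj)
    return granted and mac_allows(subject, obj) and rule_allows(obj, when)
```

The useful test cases fall straight out of the models: the same subject asking for the same object at 10:00 on a Monday, at 18:30 on a Monday and at 10:00 on a Saturday should get three different answers only if the rule layer is actually wired in, and a subject with a higher clearance but the wrong compartment must still be refused.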

Page 33: Authentication - HOW

Definition - Verifying the identity of the subject

That’s all Authentication should confirm!!

Page 34: Access Control vs. Authentication?

1. Change the pages the user sees

2. Log in with username/password

Page 35: Authentication Testing - HOW

Minimum testing:

1. Correct username and password

2. Incorrect username and correct password

3. Correct username and Incorrect password

4. Correct password and empty username

5. Correct username and empty password

Are all of you at least doing this?

Page 36: Authentication Testing - HOW

6. Secure login – make sure when you are logging into an application you see HTTPS in address bar.

Page 37: Authentication Testing - HOW

7. Message testing – malicious users can find out a whole bunch of information from messages

“Incorrect combination of username and password”

Page 38: Authentication Testing - HOW

8. Logout then press Browser <Back> button.

Capture URL via Print Screen

Page 39: Authentication Testing - HOW

Session Timeout –

Login with active username and password

Go to lunch or have some soda

Time how long the session is live

What is correct?

When does the session finally die?

Page 40: Authentication Testing – HOW

9. Bookmark page –

login to application

navigate to another page in application

bookmark the page

logout application

Go to bookmarked page
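Tests 8 and 9 and the session-timeout check on the previous slides all probe the same thing: whether the server still honours a session id after logout or after idle time. The following Python session store is an added example, not code from the deck or from any product it mentions; the 15-minute idle timeout is an assumed policy value, the paths and the user name are constructed, and the injectable clock replaces the "go to lunch" wait.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60   # assumed policy: 15 idle minutes (constructed, not from the deck)


class SessionStore:
    """Server-side session table; the clock is injectable so the timeout can be
    exercised without waiting through a real lunch break."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}      # session id -> {"user": ..., "last_seen": ...}

    def login(self, username):
        sid = secrets.token_urlsafe(32)          # unguessable, never derived from the username
        self._sessions[sid] = {"user": username, "last_seen": self._clock()}
        return sid

    def user_for(self, sid):
        """User behind a live session, or None if the id is unknown, was logged
        out, or has been idle longer than IDLE_TIMEOUT."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]               # expired: drop it server-side
            return None
        entry["last_seen"] = now                  # activity extends the idle window
        return entry["user"]

    def logout(self, sid):
        """Logout must destroy the server-side entry. Clearing only the browser's
        cookie is what lets <Back> and bookmarks keep working after logout."""
        self._sessions.pop(sid, None)


def serve(store, sid, path):
    """Minimal page handler: every protected request re-validates the session."""
    user = store.user_for(sid)
    if user is None:
        return "302 /login"
    return "200 %s for %s" % (path, user)


class FakeClock:
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_slide_checks():
    """Test 8 (<Back> after logout), test 9 (bookmark after logout) and the
    idle-timeout check, each recorded as the response the browser would get."""
    clock = FakeClock(1_000_000.0)
    store = SessionStore(clock)
    results = {}

    sid = store.login("tester")                    # constructed user
    results["while_logged_in"] = serve(store, sid, "/account")
    bookmark = "/account/settings"                 # hypothetical page bookmarked while logged in
    store.logout(sid)
    results["back_button_after_logout"] = serve(store, sid, "/account")
    results["bookmark_after_logout"] = serve(store, sid, bookmark)

    sid = store.login("tester")
    clock.advance(10 * 60)
    results["after_10_idle_minutes"] = serve(store, sid, "/account")      # inside the window
    clock.advance(16 * 60)
    results["after_16_more_idle_minutes"] = serve(store, sid, "/account")  # past it
    return results
```

When a real application fails test 8 or 9, the usual cause is exactly the shortcut the `logout` comment warns about: the logout handler expires the cookie in the browser but leaves the server-side session alive, so any copy of the id (history, bookmark, another browser) keeps working.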

Page 41: Authentication Testing - HOW

10. Change the ID to an ID of another account

WHAT??

When browsing in the application

1. look for ID in header or in URL specifically related to your application ID

2. try to change it to something else

Story – I read about this in Security Acts magazine.

Security Acts Issue 4
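The defect behind test 10 is an authorization gap, not an authentication one: the user is logged in, but the handler trusts the id in the URL. As an added example (not from the deck or the magazine story), here is that handler in Python beside a version that checks ownership; the accounts, user names and the `/account?account_id=` URL shape are constructed for the illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data (not from the deck): account records keyed by the
# id that appears in the URL.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250},
    1002: {"owner": "bob", "balance": 9000},
}
AUDIT_LOG = []   # denied cross-account requests are recorded here for monitoring


def account_id_from_url(url):
    """Pull account_id out of e.g. /account?account_id=1002; None if absent or not a number."""
    qs = parse_qs(urlparse(url).query)
    raw = qs.get("account_id", [""])[0]
    return int(raw) if raw.isdigit() else None


def view_account_unchecked(session_user, url):
    """Vulnerable pattern behind test 10: the session proves who the user is,
    but the handler never compares that to the record it hands back."""
    account_id = account_id_from_url(url)
    return ACCOUNTS.get(account_id)


def view_account_checked(session_user, url):
    """Hardened: the record must belong to the authenticated user. A non-owned id
    gets the same answer as a non-existent one, so the response does not confirm
    which ids exist, and the attempt is logged for detection."""
    account_id = account_id_from_url(url)
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        if record is not None:
            AUDIT_LOG.append("user=%s denied account_id=%d" % (session_user, account_id))
        return None
    return record
```

A stronger design avoids the comparison altogether by querying "accounts of the current user" and selecting from that set, so there is no id to tamper with; the check shown above is the minimum fix when the URL shape cannot change.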

Page 42: Authentication Testing - HOW

11. Different browsers accessing at the same time

1. Copy user information into a new browser

2. Copy the URL to a new browser AFTER the application has been opened in another browser.

Don’t just use another tab in the browser, try Firefox or Chrome. If possible send the URL to a different computer.

Page 43: Authentication Testing - HOW

12. Manipulate URL after login

1. delete id’s one by one

2. continue browsing the application

3. breaking down the URL into “pieces and parts”

Page 44: Authentication Testing - HOW

13. How many times can I type the incorrect password before being locked out?

Susceptible to brute force attack

Crucial:

14. What are the consequences of being locked out?

Lockouts have caused some companies to become unavailable. This would be bad.
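The five minimum cases from slide 35, the generic message from test 7, and the lockout trade-off of tests 13 and 14 can all be exercised against one small login routine. The Python below is an added example, not the deck's code: the credentials are constructed, and the five-failure threshold and 15-minute lock are assumed policy values chosen to show a lock that expires on its own rather than one that leaves the account unavailable until an administrator intervenes.

```python
import hashlib
import hmac
import os
import time


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; the salt is stored next to the digest."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    # Test 7: one message for every failure, so the response never says
    # which half of the username/password combination was wrong.
    GENERIC_ERROR = "Incorrect combination of username and password"
    MAX_FAILURES = 5            # assumed policy values (constructed, not from the deck)
    LOCK_SECONDS = 15 * 60      # tests 13/14: a temporary lock, not a permanent one

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}        # username -> (salt, digest)
        self._failures = {}     # username -> (count, locked_until)
        # Throw-away credential so unknown usernames cost the same PBKDF2 work as
        # real ones; response time should not reveal which usernames exist.
        self._decoy = hash_password(os.urandom(16).hex())

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def is_locked(self, username):
        _, locked_until = self._failures.get(username, (0, 0.0))
        return self._clock() < locked_until

    def login(self, username, password):
        """Returns (ok, message). Cases 4 and 5: empty fields are rejected outright."""
        if not username or not password:
            return False, self.GENERIC_ERROR
        if self.is_locked(username):
            return False, self.GENERIC_ERROR
        salt, expected = self._users.get(username, self._decoy)
        _, actual = hash_password(password, salt)
        if hmac.compare_digest(actual, expected) and username in self._users:
            self._failures.pop(username, None)   # success clears the counter
            return True, "ok"
        self._note_failure(username)
        return False, self.GENERIC_ERROR

    def _note_failure(self, username):
        count, locked_until = self._failures.get(username, (0, 0.0))
        count += 1
        if count >= self.MAX_FAILURES:
            locked_until = self._clock() + self.LOCK_SECONDS   # lock expires by itself
            count = 0
        self._failures[username] = (count, locked_until)


def run_minimum_checks(auth):
    """The five minimum cases from slide 35 against a registered test user
    (user name and password constructed for the example)."""
    auth.register("alice", "s3cret-pass")
    cases = [
        ("correct username and password", "alice", "s3cret-pass"),
        ("incorrect username and correct password", "alicia", "s3cret-pass"),
        ("correct username and incorrect password", "alice", "wrong"),
        ("correct password and empty username", "", "s3cret-pass"),
        ("correct username and empty password", "alice", ""),
    ]
    return [(label,) + auth.login(user, pw) for label, user, pw in cases]
```

The lockout half of this is where test 14 bites: a lock that never expires turns a brute-force attempt into a denial of service against the legitimate user, which is the "companies becoming unavailable" outcome the slide warns about. A timed lock, or throttling, keeps the brute-force cost high without handing an attacker that lever.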

Page 45: Authentication Testing - HOW

15. There was a study a couple of years ago (2009) that brought to light the number of companies that keep default passwords for: Applications, Firewalls, O/S, Security Software, Etc….

Page 46: Authentication Testing – HOW

Test Default Values: Test/Test, Guest/Guest, Test1234/Test1234, Admin/Admin, Training/Training, Training1/Training1, ……/password

Page 47: Authentication Testing – HOW

16. SQL Injection

simplest: 1' or '1'='1

1. Type this into your password field and username = admin.

2. If it works then this is bad! The user often ends up as administrator.
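Why the string on this slide logs the tester in, and what the fix looks like, as an added example (not from the deck or the linked article). The Python below builds an in-memory SQLite table using the field names from the "Common Fields in Database" slide, with one constructed row; the password is stored in clear only to keep the focus on the query text, which is the defect under discussion.

```python
import sqlite3

PAYLOAD = "1' or '1'='1"   # the slide's "simplest" test string


def make_db():
    """In-memory users table with the deck's field names and one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login_id TEXT, passwd TEXT, full_name TEXT, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2', 'Site Admin', 'admin@example.test')")
    return conn


def rendered_sql(username, password):
    """The statement the vulnerable version sends; useful verbatim in a test report."""
    return ("SELECT login_id FROM users WHERE login_id = '%s' AND passwd = '%s'"
            % (username, password))


def login_concat(conn, username, password):
    """Vulnerable: quote characters in the input are not filtered, so they close
    the string literal and the rest of the input is parsed as SQL.
    AND binds tighter than OR, so the WHERE clause becomes
    (login_id = 'admin' AND passwd = '1') OR '1'='1', which is true for every row."""
    return conn.execute(rendered_sql(username, password)).fetchone()


def login_param(conn, username, password):
    """Hardened: bound parameters reach the engine as data, never as SQL text,
    so the same input is compared literally against the passwd column."""
    sql = "SELECT login_id FROM users WHERE login_id = ? AND passwd = ?"
    return conn.execute(sql, (username, password)).fetchone()
```

The parameterized query needs no filtering of quote characters at all, which is the point: input validation is a second line of defence, not the fix. A row coming back from the vulnerable version with the slide's password is exactly the "this is bad" outcome, and the rendered statement is what belongs in the defect ticket.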

Page 48: Authentication Testing Game

Rules:

Object of the game

Page 49: Common Fields in Database

email, passwd, login_id, full_name

Don’t ask for a list of fields in the database! Guess! Use your experience to guide you.

SQL injections by example: http://unixwiz.net/techtips/sql-injection.html

Page 50: Cookies - HOW

Simplest Definition: A small ASCII text file used in HTTP exchanges between a browser and web server, commonly stored on the hard drive.

Session Cookies

Tracking Cookies

Does your application use them? Do you test them?

Page 51: Issues with Cookies - HOW

Easy for spyware to read them

Many applications require you to accept third-party cookies

Sessions may not expire as expected

May include sensitive information – possibly allowing access to secure site

If using HTTP can be hijacked by malicious user

Page 52: Testing Cookies - HOW

Test using Mozilla – stores all cookies for you to view.
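Once the browser's cookie viewer (or a proxy) shows you the Set-Cookie headers, the issues from the previous slide reduce to attributes you can check mechanically. The Python below is an added example, not from the deck: the three Set-Cookie lines are constructed, and the checks map each slide issue (HTTP hijacking, script access, unexpected persistence, sensitive or guessable values) onto the attribute that controls it.

```python
# Constructed Set-Cookie headers of the kind read out of a browser's cookie
# viewer; none come from a real application.
SAMPLE_SET_COOKIES = [
    "sessionid=Yx9Qm2tLk7Vb3pRz8wNc4dHf; Path=/; Secure; HttpOnly; SameSite=Lax",
    "session=12345; Path=/",
    "track=u42; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/",
]


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, attrs); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header, is_session_cookie=True):
    """Map the slide's cookie issues onto checkable attributes. Returns (name, findings)."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: also sent over plain HTTP, so it can be hijacked in transit")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by scripts running in the page")
    if "samesite" not in attrs:
        findings.append("no SameSite attribute: sent along with cross-site requests")
    persistent = "expires" in attrs or "max-age" in attrs
    if is_session_cookie and persistent:
        findings.append("session cookie persists past browser close: may not expire as expected")
    if value.isdigit() or len(value) < 16:
        findings.append("short or numeric value: guessable, and may carry identifying data")
    return name, findings


def audit_all(headers):
    """Audit every header; a name containing 'session' is treated as a session cookie."""
    report = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        name, findings = audit_cookie(header, is_session_cookie="session" in name.lower())
        report[name] = findings
    return report
```

Run over the sample headers, the first cookie passes clean, while the bare `session=12345` collects a finding for every issue on the slide, which is the shape of result a test case for "do you test them?" should produce.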

Page 53: Cookie - HOW

Page 54: Convincing Management of the Importance - WHEN

Show manager the list of threats & attacks

Explain this is only a partial list

Recommend adding a line item under QA for security testing

Let the Project Manager cut it based on time constraints

Page 55: More time for QA?? - WHEN

“We are going to give you an extra week….because we think you are SWELL and you to include security testing!!!”

How often does that really happen?

NEVER!!!!

Page 56: Justifying testing – Johanna Rothman

Page 57: Cost to fix defect during different times in a project

Page 58: How YOU can implement

Add this to your annual goals

Build security test cases in your projects as if you have always done this testing

Add security testing to your test plan

Build it as a separate section or appendix in your test plan

Page 59: Let’s Be VERY Clear!!

Testing Security

is not the same as

Testing Functionality.

Page 60: QUESTIONS???

Page 61: References