security testing testing… · a5 – security misconfiguration proper configuration of an...

SECURITY TESTING Towards a safer web world


Post on 25-Jun-2020


TRANSCRIPT

Page 1: SECURITY TESTING TESTING… · A5 – Security Misconfiguration Proper configuration of an application’s entire environment needs to be defined, implemented, and regulated or it

SECURITY TESTING

Towards a safer web world

Page 2:

AGENDA

1. 3 W'S OF SECURITY TESTING
2. SECURITY TESTING CONCEPTS
3. SECURITY TESTING TYPES
4. TOP 10 SECURITY RISKS

Page 3:

Few Security Breaches

In September 2016, while in negotiations to sell itself to Verizon, Yahoo announced it had been the victim of the biggest data breach. The attack compromised the accounts of 500 million users. Yahoo later disclosed an earlier breach that had compromised 1 billion accounts.

Date: 2013-14
Impact: 1.5 billion user accounts

The online auction giant reported a cyberattack in May 2014 that it said exposed the names, addresses, dates of birth and encrypted passwords of all of its 145 million users. The company said hackers got into the company network using the credentials of three corporate employees, and had complete inside access for 229 days, during which time they were able to make their way to the user database.

Date: May 2014
Impact: 145 million users compromised

Page 4:

3 W’S of Security Testing

Page 5:

WHAT IS SECURITY TESTING

➢ Security testing is the process of determining that an information system protects data and maintains functionality
➢ To check whether there is any information leakage
➢ To test whether the application is exposed to unauthorised access and whether its security code is properly encoded
➢ To find out all the potential loopholes and weaknesses of the system

Page 6:

Why Security Testing

Web application security testing is a process that verifies that the information system protects the data and maintains its intended functionality. It involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities.

Page 7:

WHEN TO START SECURITY TESTING

1. In general, testing must start early to minimize defects and the cost of quality
2. It should start right from the requirements gathering phase to make sure that the quality of the end product is high
3. This is to ensure that any intentional or unintentional unforeseen action does not halt or delay the system

Page 8:

Page 9:

Is the service and its information safe from unauthorised prying eyes?

Page 10:

Does the service provide only the correct information to the user?

Page 11:

Is the person/package being truthful about their identity?

Page 12:

Is the person/package allowed to do this operation?

Page 13:

Will the service be available to me at any time of the day?

Page 14:

Did the communication happen between two legitimate users?

Page 15:

Security Testing Types

Vulnerability scanning
In this testing, the whole system under test is scanned to find out the loopholes and vulnerable signatures.

Penetration testing
An attack from a hacker is simulated on the system under test. In this kind of testing the tester has to think about how to break the system while testing it.

Ethical hacking
This is different from penetration testing since here the system under test is attacked from within to expose all the security flaws and loopholes in the application or software.

Risk assessment
The risk involved with the security of the system under test is assessed, and the risks are then classified as High, Medium and Low based on certain factors.

Security scanning
This scans the whole system under test and finds out the network weaknesses, which are then studied in detail, analysed and fixed.

Security review
Whether all the standards are followed and implemented properly is checked through gap analysis and code or design reviews.

Page 16:

OWASP TOP 10 RISKS

A1 – Injection
Injection flaws are a set of security vulnerabilities which occur when untrusted data is inserted into an app as part of a command or query.
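An added example, not from the original slides, showing the A1 pattern on a constructed in-memory SQLite users table: the login query built by string formatting is placed beside the parameterised form that fixes it, and one tautology test input is run against both so a tester can verify the fix. Table, column and function names are this example's own.

```python
import sqlite3

# Constructed sample data, embedded so the example runs offline.
# Plaintext passwords are used only to keep the example short; a real
# application stores password hashes (see A6 on the same slide).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Untrusted input is pasted straight into the SQL text, so the
    input can change the structure of the query (the A1 pattern)."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_fixed(conn, name, password):
    """Parameterised query: the driver passes the values separately from
    the SQL text, so they are only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run the same constructed test input against both versions."""
    conn = make_db()
    probe = "' OR '1'='1"  # constructed tautology input used as the test case
    return {
        "vulnerable": login_vulnerable(conn, "nobody", probe),  # every user matches
        "fixed": login_fixed(conn, "nobody", probe),            # nothing matches
        "legit": login_fixed(conn, "alice", "s3cret"),          # normal login still works
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version returns every row because the input turns the WHERE clause into `... OR '1'='1'`; the fixed version returns nothing because the whole input is compared as a password value.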

A2 – Broken Authentication and Session Management
When an application's authentication and session management functions are not implemented correctly, the attack surface is open for criminals to easily break in, compromise passwords and session IDs, and exploit other flaws using stolen credentials.

A3 – Cross-Site Scripting (XSS)
XSS allows attackers to inject client-side scripts into public-facing web pages and, in many cases, can be used by attackers to work their way past access controls.

A4 – Broken Access Control
Access control is meant to control what "authorized" users are allowed and not allowed to do within an app. To establish proper access control, the app must ensure that it performs solid authorization checks and that proper authentication is in place to tell which users are privileged and which are in fact random internet users.

A5 – Security Misconfiguration
Proper configuration of an application's entire environment needs to be defined, implemented, and regulated, or it may lead to severe security holes.

A6 – Sensitive Data Exposure
Applications should ensure that access is authenticated and data is encrypted.

Page 17:

OWASP TOP 10 RISKS (Continued…)

A7 – Insufficient Attack Protection
This category looks at how many apps and APIs today struggle to "detect, prevent, and respond to both manual and automated attacks". The methods given include pentesting, vulnerability assessment, and using a WAF or RASP as a means of detection and as a quick and easy self-patch in response to an attack.

A8 – Cross-Site Request Forgery (CSRF)
This happens when an attacker uses a victim's browser to generate requests to the vulnerable app, which treats them as legitimate requests from the victim.
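An added example, not from the original slides, of the server-side check that closes the A8 pattern: each session is issued a random anti-CSRF token when the form is rendered, and a state-changing request is accepted only when it carries the token bound to its session cookie. The request shape (plain dicts), the in-memory session store and all names are this example's own assumptions, independent of any web framework.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> issued CSRF token.
SESSIONS = {}


def issue_token(session_id):
    """Called when the form page is rendered: bind a fresh random token
    to the session and return it for embedding as a hidden form field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def csrf_ok(request):
    """Accept only if the submitted token matches the one bound to the
    session cookie. A request forged from another site arrives with the
    victim's cookie, but that site cannot read the token, so it fails."""
    session_id = request.get("cookies", {}).get("session")
    expected = SESSIONS.get(session_id)
    submitted = request.get("form", {}).get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison so the check leaks no timing information.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def transfer(request):
    """A state-changing endpoint: the CSRF check runs before any action."""
    if not csrf_ok(request):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, "transfer done for %s" % request["form"]["to"]


def demo():
    """Genuine form post versus a constructed cross-site forgery."""
    token = issue_token("sess-123")
    genuine = {"cookies": {"session": "sess-123"},
               "form": {"to": "bob", "csrf_token": token}}
    # Forged: the browser attached the cookie automatically, but the
    # attacker's page had no way to read the token, so none is present.
    forged = {"cookies": {"session": "sess-123"},
              "form": {"to": "mallory"}}
    return transfer(genuine)[0], transfer(forged)[0]


if __name__ == "__main__":
    print(demo())
```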

A9 – Using Components with Known Vulnerabilities
Components, including libraries and frameworks, may be taken from the open source community and should be used with caution in case vulnerabilities are lurking in them.

A10 – Underprotected APIs
APIs serve as a link between intricate client platforms and a batch of web applications or services. And while APIs may technically be web apps, securing them is not as simple as securing traditional web applications.
