In the present era, with technological innovations flooding the industrial world, it has become basic hygiene for corporations to keep upgrading themselves to these high-tech methods. This never-ending spree of technological advancement leads to increasing demand for updated, premium-quality products and services, and in response companies are focusing on software development and automation (with upcoming technologies like IoT, AI, deep learning, and machine learning) to innovate current products, improve efficiency and decrease costs. The technologies we are welcoming for the future will surely bring social welfare through technological advancement, but they also bring with them a lot of vulnerabilities and flaws in the associated security mechanisms. Thus, integrating security testing at the beginning of the development cycle can help companies save time, reduce overall cost and improve the quality of security.
“If you don’t like testing your product, most likely your customers won’t like to test it either.” (Anonymous)
Security testing is a process which elucidates ways to ascertain the potential flaws (vulnerabilities to malicious attacks, information leakages etc.) in any software application in order to make it more secure, protect data and maintain functionality. It is not a predefined process but keeps changing with the functionality of the software. Testers start the process at the requirement-gathering stage, analyzing the security needs of that particular application, which helps them find the application's vulnerable spots and plan their strategy accordingly. AI and machine learning are bringing innovation to the security testing field, and testers are developing and offering runtime application self-protection (RASP).
Security testing shares some similarities with functional testing, since some initial tests are similar, but its framework needs to be designed separately. Where functional testing validates the truth behind the tester's knowledge, security testing focuses on revealing the infinite ways to break an application.
There are further subdivisions of security testing, such as application security testing, network penetration security testing, payment gateway security testing, mobile application security testing, cloud application security testing and IoT security testing.
The absence of security testing has led to some of the worst data breaches of all time. Here are the reasons, accompanied by the incidents, which call for embedding security testing in the development process and making it an integral practice.
Passwords protected by the weak SHA-1 hashing algorithm:
The incident dates back to mid-October 2016, when the FriendFinder Network, which included casual hookup and adult content websites, was attacked by a group of hackers who collected 20 years of data from six databases, including names, passwords, and email addresses.
Most of the passwords were protected by the weak SHA-1 hashing algorithm, meaning that 99 percent of them could be cracked easily in one go.
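As an added illustration (not code from the original post), the unsalted SHA-1 storage described above beside a salted PBKDF2 scheme, plus an audit helper that counts how many stored records are still in the legacy format; the record layout and the 600,000-iteration setting are this example's own assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# The weak scheme the FriendFinder case describes: a bare, unsalted SHA-1 digest.
# Every user with the same password gets the same stored value, so one
# precomputed table of common passwords recovers all of them at once.
def weak_sha1_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened scheme (an assumed replacement, not from the page): PBKDF2-HMAC-SHA256
# with a per-user random salt and a high iteration count. The record is
# self-describing so the iteration count can be raised later without breaking
# existing records.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or legacy record: never accept it
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak matching prefixes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Audit helper: flag records still stored as a bare 40-hex-digit SHA-1 so they
# can be rehashed with the hardened scheme at the user's next successful login.
LEGACY_SHA1 = re.compile(r"^[0-9a-f]{40}$")

def is_legacy_hash(stored: str) -> bool:
    return bool(LEGACY_SHA1.match(stored))

def audit_store(records: Dict[str, str]) -> Dict[str, int]:
    legacy = sum(1 for value in records.values() if is_legacy_hash(value))
    return {"total": len(records), "legacy_sha1": legacy, "modern": len(records) - legacy}
```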
Weak codes which can be easily broken, giving easy access to the company’s network and credentials of the corporate employees:
The online auction giant eBay reported a cyber attack in May 2014 which exposed the names, addresses, dates of birth and encrypted passwords of its 145 million users.
Due to weak codes, hackers easily got into the company network, gaining access to the credentials of three corporate employees for about 229 days and making their way to the user database.
On 29th July 2017, a data breach was discovered at Equifax, one of the largest credit bureaus in the U.S., exposing the personal information (such as Social Security numbers, birth dates, addresses, and in some cases driver's license numbers) of 143 million consumers, and the credit card details of 209,000 consumers.
An application vulnerability on one of their websites led to this data breach.
Vulnerability to SQL injection:
In March 2008, Heartland Payment Systems faced one of the worst data breaches of its time. At that time, Heartland was processing 100 million card payment transactions per month for 175,000 merchants, ranging from small to mid-sized retailers. The breach was discovered in January 2009, when Visa and MasterCard notified Heartland of suspicious transactions from accounts it had processed. The company was not allowed to process payments for the major credit card providers and was deemed out of compliance with the Payment Card Industry Data Security Standard (PCI DSS). The company was also made to pay an estimated $145 million as compensation for fraudulent payments.
A SQL injection vulnerability led to the installation of spyware on the company's systems. The prevalence of this vulnerability in Web-facing applications made SQL injection the most common form of attack against Web sites at the time.
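An added example, not from the original post, showing the defect behind a SQL injection: the same lookup written by splicing input into the query text and by binding it as a parameter, run over a constructed in-memory SQLite table.

```python
import sqlite3
from typing import List, Tuple

def build_db() -> sqlite3.Connection:
    # Constructed sample data: a small merchant lookup table, standing in for the
    # kind of Web-facing lookup a payment processor might expose.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, contact_email TEXT)")
    conn.executemany(
        "INSERT INTO merchants (name, contact_email) VALUES (?, ?)",
        [("Corner Deli", "deli@example.com"),
         ("O'Brien's Cafe", "cafe@example.com"),
         ("Bike Shop", "bikes@example.com")])
    return conn

def find_merchant_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Vulnerable: the user-supplied value is spliced into the SQL text, so a quote
    # character in the input ends the string literal and the rest is parsed as SQL.
    query = f"SELECT name, contact_email FROM merchants WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def find_merchant_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Hardened: the value is bound as a parameter; the driver never parses it as
    # SQL, whatever characters it contains.
    query = "SELECT name, contact_email FROM merchants WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

def vulnerable_query_breaks_on(conn: sqlite3.Connection, name: str) -> bool:
    # True when a legitimate value (here a name containing an apostrophe) makes
    # the spliced query fail: the same defect that hostile input abuses, and a
    # cheap signal in functional tests that a query is being built by splicing.
    try:
        find_merchant_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True
```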
Outdated security paradigm:
Target, one of the retail giants, announced in December 2013 that hackers had gained access, through a third-party HVAC vendor, to its point-of-sale (POS) payment card readers and had collected personally identifiable information (PII) (such as full names, addresses, email addresses and telephone numbers) and credit and debit card details of about 110 million of its customers.
Later, senior company officials reported an outdated security paradigm as one of the major reasons for the data breach.
Weak data encryption system:
TJX Companies, Inc.'s servers were hacked in December 2006, exposing the credit card details of 94 million of its customers. Across the whole incident, the government claimed that companies, banks and insurers lost close to $200 million.
The account of how it happened says that a group of hackers took advantage of a weak data encryption system and stole credit card data during a wireless transfer between two Marshalls stores in Miami, Fla.
In late 2016, Uber, a pioneering ridesharing company, suffered a data breach in which two hackers were able to obtain the names, email addresses and mobile phone numbers of 57 million users of the Uber app and the driving license numbers of 600,000 Uber drivers, although no credit card details or Social Security numbers were compromised. This breach cost Uber dearly in both reputation and money.
The cause of this one big hot mess was that weak passwords were allowed for the creation of Uber's GitHub accounts, through which the hackers gained easy access. On Uber's GitHub account they also found username and password credentials for Uber's AWS account, although those credentials should never have been stored there.
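An added example (not code from the original post) of the check that would have flagged credentials like those found in Uber's repository: a scan of staged text for AWS access key patterns, usable as a pre-commit hook. The regexes and the sample diff are constructed here; the key values are AWS's published documentation examples, not live credentials.

```python
import re
from typing import List, Tuple

# AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics and secret
# keys are 40 base64-style characters (both documented by AWS); the regexes
# themselves are written for this example and are deliberately narrow.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})")

def redact(value: str) -> str:
    # Keep enough to locate the finding in review without re-exposing the secret.
    return value[:4] + "..." + value[-4:]

def scan_for_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, redacted_value) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET_KEY.finditer(line):
            findings.append((lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings

def precommit_ok(staged_text: str) -> bool:
    # Hook contract (assumed): refuse the commit when any credential pattern is found.
    return not scan_for_credentials(staged_text)

# Constructed sample of a staged change; the values are the AWS documentation
# example key pair, which is not a working credential.
SAMPLE_DIFF = """\
+# database settings
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+region = us-east-1
"""
```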
Non-performance of sample testing of software before using them:
The hardware and building supply retailer announced in September 2014 that its POS systems had been infected with malware. The breach led to the theft of credit/debit card information from 56 million customers. The company paid about $19.5 million to compensate US consumers in March 2016.
The investigation concluded that the cause of this breach was the failure to sample-test software before using it. In this case, a unique, custom-built malware was used, which was passed off as anti-virus software.
TFT's security testing services can help you detect such loopholes at a very early stage through their respective processes, to avoid such instances in future.
An automated process that scans the software and reports all missing patches and vulnerabilities in the application through dedicated tools such as Nessus or OpenVAS.
It is a simulated test (performed either through automated processes or manually) which imitates the probable attacks of a hacker by finding loopholes and vulnerabilities that an attacker might misuse. It requires that the tester obtain prior permission from the owner of the application before proceeding. It is also known as a white hat attack.
It reviews and analyzes all potential threats to find the best risk mitigation strategy for the application. Security Risk Assessment, aka SRA, helps a tester prioritize work on the basis of the risk level of a particular threat. It is further subdivided into two parts:
It allows a qualified specialist to penetrate the system, mimicking the methods of actual hackers. Attempts are made to attack the application from within to expose security flaws and vulnerabilities and to identify potential threats that malicious hackers might misuse.
Scanning of the network and system (either manually or automated) to evaluate their weaknesses and provide a solution to counter the flaws. A malicious request is sent to the system with each scan, after which the testers check for behaviour that could indicate security vulnerabilities; these are later studied at length, analyzed and fixed. SQL injection and XPath injection scans are examples of such scans.
It inspects the application and operating system through an internal process and identifies various security flaws. Testers check each and every line of code separately.
It combines three processes to check the credibility of security testing. Posture Assessment combines security scanning, ethical hacking and risk assessment to highlight the overall changes and improvements in the system.
We study the application to understand its user profiles, business case, functionality, site flow and code base. Then we profile the application, understanding the core security mechanisms it employs and locating the different user entry points, interfaces and data flow paths.
Automated application vulnerability scanners (both commercial and open-source) are used to scan for application-specific vulnerabilities, covering all OWASP, WASC and SANS references.
Along with the automated scan, we perform a simultaneous manual assessment to eliminate false positives and false negatives. The manual assessment uses various vulnerability databases to identify vulnerabilities that were missed during automated scans, in addition to security verification of business logic flaws, broken access controls and more.
The primary focus in this phase is on using manual security testing techniques to exploit the identified vulnerabilities in the system. We then assess the application's hardening measures, cryptography issues, and authentication and authorization controls.
All exploitable security vulnerabilities in the target application are recorded and reported to the client.
Remediation consultation involves assisting the client’s platform team to remediate all reported application security vulnerabilities. Post-remediation, we conduct a reassessment to validate the effectiveness of the security control counter-measures taken to mitigate the reported vulnerabilities.
Source for the data in the case studies: https://www.csoonline.com/resources/