Blogs

Security Testing: A Boon in an Unsecured World

« back   September 10th, 2018 by

In the present era, where technological innovations are flooding the industrial world, it has become hygiene for corporates to upgrade themselves owing to these high-tech methods. This never-ending spree of technological advancements leads to increasing demand for updated and premium quality products and services, responding to which companies are majorly focusing on software development and automation processes (with upcoming technologies like IoT, AI, Deep learning, and Machine learning to innovate current products, improve efficiency and decrease costs. The upcoming technologies we are waving for the future will surely bring social welfare through technology advancement but it also has in store, a lot of vulnerabilities and flaws in security mechanisms, associated with it. Thus, Integrating Security Testing in beginning within the development cycle can help companies to save time, reduce overall cost and improve the quality of security.

“If you don’t like testing your product, most likely your customers won’t like to test it either.” (Anonymous)

What is Security Testing?

Security testing is a process which elucidates ways to ascertain the potential flaws(vulnerabilities to malicious attacks, information leakages etc.) in any software application to make it more secure, protect data and maintain functionality. It is not a predefined process but keeps changing with the functionality of the software. Testers start the process from the requirement gathering process to analyze security needs of that particular application, which helps them find out the application’s vulnerable spots and plan their strategy accordingly. AI and machine learning are bringing innovation in security testing field, testers are developing and offering runtime application self-protection (RASP).

Security testing shares some similarities with functional testing since some initial tests are similar but its framework needs to be designed separately. Where functional testing validates the truth behind testers knowledge, security testing focuses on revealing the infinite ways to break an application

There are further subdivisions to Security testing such as application security testing, network penetration security testing, payment gateway security testing, mobile application security testing, cloud application security testing & IoT security testing.

The absence of security testing has led to some of the worst data breaches of all times and here are the reasons accompanied by incidents which are calling for necessary embedding of security testing in the development process and making it an integral practice.

Security Testing Infographic

Security Testing-1 Solution to all your Problems

Passwords protected by the weak SHA-1 hashing algorithm:

  • CASE

    The incident dates back sometime in mid-October of 2016 when The FriendFinder Network, which included casual hookup and adult content websites was attacked by a group of hackers and collected data of 20 years from six databases that included names, passwords, and email addresses.

  • CAUSE

    Most of their passwords were protected by the weak SHA-1 hashing algorithm, i.e. 99 percent of them can be cracked easily at one go.

Weak codes which can be easily broken, giving easy access to the company’s network and credentials of the corporate employees:

  • CASE

    The online auction giant eBay reported a cyber attack in May 2014 which led to names, addresses, dates of birth and encrypted passwords of its 145 million users, exposed.

  • CAUSE

    Due to weak codes, hackers easily got into the company network getting access to the credentials of three corporate employees for about 229 days making their way to the user database.

Application Vulnerability:

  • CASE

    On 29th July 2017, a data breach was discovered in Equifax, one of the largest credit bureaus of U.S. exposing personal information (such as Social Security Numbers, birth dates, addresses, and in some cases drivers’ license numbers) of 143 million consumers; and credit card details of 209,000 consumers.

  • CAUSE

    An application vulnerability on one of their websites led to this data breach.

Vulnerability to SQL injection

  • CASE

    In March 2008, Heartland Payment Systems faced one of the worst data breaches of its time. At that time, Heartland was processing 100 million card payment transactions per month for 175,000 merchants, ranging from small- to mid-sized retailers. It was discovered somewhere in January 2009, when Visa and MasterCard notified Heartland of suspicious transactions from accounts it had processed. The company was not allowed to process the payments of major credit card providers and was deemed out of compliance with the Payment Card Industry Data Security Standard (PCI DSS). The company was also made to pay an estimated $145 million as compensation for fraudulent payments.

  • CAUSE

    The vulnerability to SQL injection led to the installation of spyware in the company’s system. This vulnerability of many Web-facing applications made SQL injection the most common form of attack against Web sites at the time.

Outdated security paradigm:

  • CASE

    Target Stores one of the retail giant announced in December 2013 that hackers had gained access through a third-party HVAC vendor to its point-of-sale (POS) payment card readers, and had collected personally identifiable information (PII) (such as full names, addresses, email addresses, and telephone numbers) and details of credit and debit card of about 110 million of its customers.

  • CAUSE

    Later, higher authorities of the company reported an outdated security paradigm as one of the major reasons for the data breach.

Weak data encryption system:

  • CASE

    TJX Companies, Inc. server was hacked in December 2006 leading to credit card details of 94 million of its customers exposed. In this whole incident, the government claimed that the companies, banks, and insurers lost close to $200 million.

  • CAUSE

    The account which deals with how it happened says that a group of hackers took advantage of a weak data encryption system and stole credit card data during a wireless transfer between two Marshall’s stores in Miami, Fla.

Weak Passwords:

  • CASE

    In late 2016, UBER – a pioneer ridesharing company suffered data breach when two hackers were able to get names, email addresses, and mobile phone numbers of 57 million users of the Uber app and the driving license numbers of 600,000 Uber drivers. Although no credit card details or Social Security numbers were compromised. This breach costed Uber dearly in both reputation and money.

  • CAUSE

    The cause which led to this one big hot mess was that weak passwords were allowed for the creation of Uber’s GitHub accounts through which they got easy access to it. They also found username and password credentials to Uber’s AWS account, on Uber’s GitHub account although those credentials should never have been on it.

Non-performance of sample testing of software before using them:

  • CASE

    The hardware and building supply retailer announced in September 2014 that its POS systems had been infected with malware. This breach led to the theft of credit/debit card information from 56 million customers. The company paid an amount of about $19.5 million to compensate US consumers in March 2016.

  • CAUSE

    The investigation concluded that the cause behind this breach was non-performance of sample testing of any software before using it. In this case, a unique, custom-built malware was used, which was supposed as anti-virus software.

TFT’S SOLUTION

Think Future Technologies security testing services can help you detect this loophole at a very initial stage through their respective processes to avoid such instances in future.

Types of security testing

Vulnerability Scanning

An automated process to scan the software and get all missing patches and vulnerabilities in the application through dedicated tools such as Nessus or OpenVas.

Penetration Testing

It is a simulated test, (practiced either through automated processes or manually) which imitates the probable attacks of a hacker by finding loopholes and vulnerabilities that an attacker might misuse. It requires, that a tester must have prior permission from the owner of the application before proceeding. It is also known as white hat attacks

Security Risk Assessment

It reviews and analyzes all the potential threats to find the best risk mitigation strategy for the application. Security Risk Assessment aka SRA helps a tester prioritize his work on the basis of the risk level of a particular threat. It is further subdivided into two parts:

Security Review & Gap Analysis

Security tests

Ethical Hacking

It allows a classified specialist to penetrate in the system mimicking the manner of actual hackers. The attempts are made to attack the application from within to expose security flaws and vulnerabilities and to identify potential threats that malicious hackers might misuse.

Security Scanning

Scanning of network and system (either manually or automated), to evaluate its weaknesses and provide a solution to counter the flaws. A malicious request is sent to the system with each scan, following which the testers check for the behavior that could indicate security vulnerabilities which are later studied at length, analyzed and fixed. SQL Injection, XPath Injection etc. are some of such scans.

Security Auditing

It inspects an application & operating system through an internal process and defines various security flaws. Testers check each and every code line separately.

Posture Assessment

It is a combination of 3 processes altogether to check the credibility of Security testing. Posture Assessment combines Security scanning, Ethical Hacking, and Risk Assessment to highlight the overall changes and improvement in the system.

Security Testing Approach

  • Static Application Security Testing:
  • Dynamic Application Security Testing:

TFT’s Security testing Processes and Methodologies:

Profiling and Discovery

We study the application to understand user profiles, business case, functionality, site flow, and the code base. Then we perform the profiling of the application wherein we understand the core security mechanisms employed by the application, locate different user entry points, interfaces and data flow path.

Automated and Manual Security Scan

Automated Scan

Automated application vulnerability scanners (i.e. commercial and open-source) are used to scan for application-specific vulnerabilities covering all OWASP, WASC and SANS references.

Manual Scan

Along with an automated scan, we perform a simultaneous manual assessment to eliminate false positives and negatives. The Manual assessment uses various vulnerability databases to identify vulnerabilities that were missed during automated scans, in addition to security verification of business logic flaws, broken access controls and a few more. 

Application Vulnerability Exploitation:

The primary focus in this phase is on using manual security testing techniques to exploit the system that includes several exploits. Then we assess the application hardening measures, cryptography issues, authentication, and authorization controls.

Reporting:

All exploitable security vulnerabilities in the target application are recorded and reported to the client.

Remediation Consultation and Reassessment:

Remediation consultation involves assisting the client’s platform team to remediate all reported application security vulnerabilities. Post-remediation, we conduct a reassessment to validate the effectiveness of the security control counter-measures taken to mitigate the reported vulnerabilities.



Leave a Reply

Your email address will not be published. Required fields are marked *

*

*

*