Security Testing Tips From a Bug Battle Winner

In the second installment of our guest blogger series, Bug Battle winner and expert tester Bernard Lelchuk examines the basics of security testing:

Although it’s a broad term, security testing can be organized around six basic security properties: Availability, Authentication, Authorization, Confidentiality, Integrity and Non-repudiation. I’ll define each one briefly; I encourage you to research each of them further for a better understanding.

  • Availability: Ensuring that information and communication services remain available to authorized users when needed, including under load, failure or deliberate denial of service.
  • Authentication: Verifying that a claimed identity is genuine, whether that of a user, a system, or the originator of a transmission or message, so the receiver can be confident that information comes from a known and validated source.
  • Authorization: Ensuring that an authenticated party can perform only the operations it has been granted on a system, service or resource (i.e. access control). Testing here looks for ways to reach data or functions without the required permission.
  • Confidentiality: Ensuring information is accessible only to those authorized to see it and is not disclosed to any party other than the intended recipients. Usually ensured by encrypting the information (cryptography); note that merely encoding it (Base64, for example) provides no confidentiality.
  • Integrity: Ensuring that information is not altered, in transit or in storage, without the alteration being detected, typically by means of hashes, message authentication codes or digital signatures.
  • Non-repudiation: Ensuring that an action or communication cannot later be denied by the party who performed it, usually achieved by combining strong authentication (e.g. digital signatures) with time stamping.

Security Testing Methods:

There are three categories of testing methods, each involving a set of attacks: information/system gathering, logical, and injection attacks. Each serves a specific testing goal; however, many of the attacks touch the same security concepts and are therefore quite similar to one another.

Information gathering (i.e. system-related) attacks

  • Client-side source code analysis
  • Application reconnaissance
  • Error messages analysis
  • Directory traversal

These methods gather information about a web application or server by analysing client-side source code and error messages, exposing the directory structure, or any other attack that results in information disclosure. On their own they rarely compromise anything, but what they reveal (software versions, file paths, internal host names, stack traces) is what the logical and injection attacks that follow are built on.
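Directory traversal is the item on this list that a tester can probe most mechanically. The Python block below is an added example, not code from the original post or from uTest: a constructed in-memory "file system" stands in for the web root, `serve_vulnerable` is a naive handler that joins the requested path straight onto the document root, and `serve_hardened` is the same handler with the containment check that should be there. `WEB_ROOT`, `FAKE_FS` and the payload list are all assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-ins so the example runs offline: a hypothetical document
# root and a dict that plays the role of the server's file system.
WEB_ROOT = "/var/www/html"
FAKE_FS = {
    "/var/www/html/index.html": "<h1>Home</h1>",
    "/var/www/html/docs/readme.txt": "public readme",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",  # outside the web root
}

# Payloads a tester would send, from the obvious to the encoded variants.
PAYLOADS = [
    "docs/readme.txt",                      # control case: legitimate request
    "../../../etc/passwd",                  # plain dot-dot-slash
    "/etc/passwd",                          # absolute path
    "..%2f..%2f..%2fetc%2fpasswd",          # URL-encoded slashes
    "%252e%252e%252f" * 3 + "etc/passwd",   # double-encoded dot-dot-slash
]


def serve_vulnerable(requested):
    """Naive handler: decodes once, joins the client path onto the root and
    serves whatever that resolves to. posixpath.join discards WEB_ROOT when
    the client path is absolute, and normpath walks out of the root via '..'."""
    path = posixpath.normpath(posixpath.join(WEB_ROOT, unquote(requested)))
    return FAKE_FS.get(path)


def serve_hardened(requested):
    """Same handler with a containment check: fully decode, resolve to a
    canonical path, then refuse anything that does not stay under WEB_ROOT."""
    decoded = unquote(unquote(requested))      # collapse double-encoding too
    path = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    root = posixpath.normpath(WEB_ROOT) + "/"
    if not path.startswith(root):
        return None                            # a real server would send 403
    return FAKE_FS.get(path)


def run_checks(handler):
    """Send every payload through one handler and collect what came back."""
    return {payload: handler(payload) for payload in PAYLOADS}


def leaked_payloads(handler):
    """Payloads (other than the control case) for which the handler returned
    content, i.e. served a file outside the root. Empty for a hardened handler."""
    results = run_checks(handler)
    return [p for p, content in results.items()
            if p != PAYLOADS[0] and content is not None]


if __name__ == "__main__":
    for name, handler in (("vulnerable", serve_vulnerable),
                          ("hardened", serve_hardened)):
        print(name, "leaks via:", leaked_payloads(handler))
```

The double-encoded payload does not get through the naive handler here because it decodes only once; it is in the list because some servers and frameworks decode twice, and a tester does not know in advance which one is in front of the application. The check that matters in the hardened version is the comparison against the canonical root after all decoding and normalisation, not a blacklist of `..` sequences.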

Logical Attacks

  • Cookie poisoning
  • Parameter tampering
  • Flow bypassing
  • Direct access to component files
  • Session hijacking
  • Penetration testing
  • Buffer overflow

These methods relate to various logical attacks which may be executed either manually or with specific tools/scripts. Logical attacks are more sophisticated, and thus more interesting and challenging for the tester, who needs a good understanding of information technology and specific knowledge of cookies, POST/GET requests and parameters, the workflow the application intends users to follow, etc.
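Cookie poisoning and parameter tampering are both tests of whether the server trusts a client-supplied value without checking its integrity (the Integrity concept from the list above). The Python block below is an added example, not code from the original post or from uTest: a naive cookie that carries the user's role in clear text, the tester's edit of that cookie, and the same cookie protected by an HMAC so that the edit is detected. `SECRET` and the cookie layout are assumptions made for the example; the same check applies to hidden form fields and URL parameters.

```python
import base64
import binascii
import hashlib
import hmac

# Hypothetical server-side key, constructed for the example. In a real
# application it comes from a secrets store, never from source code.
SECRET = b"constructed-server-secret-do-not-reuse"


def parse_fields(text):
    """'user=alice; role=user' -> {'user': 'alice', 'role': 'user'}"""
    return dict(part.strip().split("=", 1)
                for part in text.split(";") if "=" in part)


# --- What the tester finds: a cookie the server trusts as-is -----------------

def make_cookie_naive(user, role):
    """The role travels to the client in clear text with nothing protecting it."""
    return f"user={user}; role={role}"


def parse_cookie_naive(cookie):
    fields = parse_fields(cookie)
    return fields.get("user"), fields.get("role")


def tamper(cookie, old, new):
    """The cookie-poisoning step: the tester edits the value in an intercepting
    proxy (or the browser's cookie store) and replays the request."""
    return cookie.replace(old, new)


# --- The fix: sign the cookie so any edit is detected --------------------------

def make_cookie_signed(user, role, secret=SECRET):
    payload = f"user={user}; role={role}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def parse_cookie_signed(cookie, secret=SECRET):
    """Returns (user, role) only if the tag verifies; None otherwise."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None                               # malformed or signature stripped
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    fields = parse_fields(payload.decode())
    return fields.get("user"), fields.get("role")


def tamper_signed(cookie, old, new):
    """The same edit against the signed cookie: decode the payload, change it
    and re-attach the original tag, which no longer matches the payload."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    payload = base64.urlsafe_b64decode(payload_b64).decode().replace(old, new)
    return base64.urlsafe_b64encode(payload.encode()).decode() + "." + tag_b64


if __name__ == "__main__":
    naive = make_cookie_naive("alice", "user")
    print("naive   :", parse_cookie_naive(tamper(naive, "role=user", "role=admin")))
    signed = make_cookie_signed("alice", "user")
    print("signed  :", parse_cookie_signed(tamper_signed(signed, "role=user", "role=admin")))
    print("stripped:", parse_cookie_signed(signed.split(".")[0]))
```

Two caveats a tester should keep in mind. The signed cookie still exposes the role to anyone who can read it (Base64 is encoding, not encryption), so confidentiality is a separate check. And a valid signed cookie can still be replayed by whoever steals it, which is the session hijacking item on the list above; the signature only stops the value from being changed, so expiry and binding to a server-side session are still needed.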

Injection Attacks

  • SQL injection
  • Cross Site Scripting (XSS)
  • Script injection

These methods inject scripts or SQL commands through web application forms and other input points (URL parameters, headers, cookies). They are the most common attacks, and also among the most serious and dangerous. Detecting such vulnerabilities in the early stages of development prevents the flaws from reaching production.

In my next blog post, I will address some common (and some not-so-common) tools that can make security testing easier and more productive for testing engineers of all experience levels.

In the meantime, happy testing!

9 Responses to “Security Testing Tips From a Bug Battle Winner”

  1. Roy Solomon said:

    Great post! Quick question – when do you think we’ll reach the point of security testing for mobile apps (on mobile devices)? We see that mobile apps are becoming more and more complex and robust, so security testing on mobile devices will be a relevant space (take mobile apps for banking as an example). Is the market ready for it? Are there tools dedicated to mobile?

    Cheers,
    Roy

  2. Nir Shay said:

    That is a great post, can’t wait for the next one about the not so common tools, should be interesting.

  3. Security Testing Tips: Part II | Software Testing Blog said:

    [...] the second part of his blog post “Security Testing Tips From a Bug Battle Winner”, uTester Bernard Lelchuk takes a closer look at some of the more effective tools to use when [...]

  4. Doron said:

    wonderful!
    Waiting for the 2nd piece ;)
    Doron

  6. Bernard L. said:

    Thanks for your feedback Roy!

    I believe that security testing for mobile is getting more and more essential as the number of mobile applications and mobile web applications of all types increases rapidly.

    We can see many complex and sensitive applications such as banking, remote desktop and even integrated social networking apps. It is inevitable that security testing procedures and tools will be mandatory for mobile application certification (as in Nokia’s Symbian Signed, for example).

    Information security is playing a key role in today’s and the future’s mobile applications market. As we use more information exchange applications on our mobiles, we should care more about securing this information and ensuring it does not get into unauthorized hands.

    Currently there are several security testing tools for Windows Mobile apps which are mainly concerned with data and port scanning testing.
    You can read more about these tools on this article:
    http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1309645_mem1,00.html

    Cheers,
    Bernard.

  7. You’re a Professional Mobile Tester (you just don’t know it yet) | Software Testing Blog said:

    [...] our Guest Blogger series began a few months back, you might recall that it was Bernard Lelchuck who got things started. For those who are new to uTest, Bernard has been one of our top testers [...]

  8. Our Guest Blogger Series: 2009 Year in Review | Software Testing Blog said:

    [...] Security Testing Tips (from a Bug Battle Winner) – by Bernard Shai Lelchuck [...]

  9. Security Testing Tips From a Bug Battle Winner – Part1 « Bernard Lelchuk's Blog said:

    [...] Security Testing Tips From a Bug Battle Winner – Part1 By lelchuk This is a post I originally posted for uTest here [...]