Quick Start Guide for Security Tests

Software testers are sometimes unable to cope with the verification of security requirements because of their very technical nature. In this post, I will give you some guidance and orientation which you can use right away for your application security testing activities.

Step 1 – Static Application Security Tests

First of all, make sure that static application security testing or secure code review according to security standards such as OWASP top 10, SANS top 25 or PCI will be conducted. Bear in mind that vulnerabilities have to be eliminated from the root, which is the source code. You can do a manual code review or even better an automatic analysis using professional or freeware tools. Also, please verify the security risks related to open source libraries used by your application under test.

Step 2 – Dynamic Application Security Tests

Secondly, there are also security risks related to the surrounding application infrastructure. The application server, operating system, and additional runtime libraries can lead to serious hazards. Such so-called dynamic application security tests are always tool based, and baseline scans your runtime environment against known security issues. Typically, such application scans or penetration tests should be executed during system or user acceptance testing.

Step 3 – Business Security Tests

Lastly, your testing activities should also include so-called business security tests, which focus on sensitive areas such as authentication, authorization, and session management. Also, I recommend paying attention to login procedures and permission management of  applications under test. Conduct positive and negative tests for those critical areas mentioned above.

All things considered, a robust security testing approach incorporates early secure code reviews, dynamic and business security tests. Keep on doing the good work, and please share your own security testing experience and strategy with me.

 

Advertisements

Quick Start Guide for Secure Software Development

Software development does not always follow a well-structured process. Some companies tend to give developers more flexibility than others, which often results in critical vulnerabilities and high rework activities. Therefore, independent whether your projects follow agile or waterfall development principles, you shall apply some basic secure software development principles to avoid security loopholes.

The first one being, do not reinvent the wheel!

It might be that you have excellent ideas when it comes to encryption, authentication or authorization but the risk related to your self-made function in that area is obviously too high. Use only standardized encryption, authentication and authorization frameworks.

The second one being, that the input and output should be validated!

Nowadays, application-based attacks are one of the biggest security concerns. Due to their nature, those incidents are often difficult to detect because a firewall or intrusion detection system cannot distinguish between a real user and an application layer attack. Therefore, we should always validate all input independent from its origin. Also, we should also scan output prior sending it to the user.

The third one being, that prepared statements should be used!

Database access is a very attractive target of global cyber security attacks. Several big players have become a victory of database related so-called SQL injection attacks recently. If your developers exclusively use prepared statements for database access, your application will be robust against this critical attack.

The last one being that regular code scan should be scheduled!

Security issues must be eliminated from the root, the source code. Only secure code scans according to security standards such as OWASP top 10 or SANS top 25 will help you to identify and eliminate critical issues in your code during software development.

All things considered, the basic best practices mentioned above will push your software development projects towards security. Also, OWASP provides excellent background information for secure software development.

Why we need a Next Generation Technical Testing Platform

Our testing toolchain is quite impressive. Some are very specific, and others support a broad range of technologies and testing activities. However, when it comes to technical testing, more specifically, automated and performance testing there are still gaps. In this post, I will outline this cleft.

Typical technical testing activities

Independent whether you are following an iterative or agile development approach, you will implement automated regression tests, performance tests and security tests. You will start early in your development lifecycle and try to integrate also unit tests in your build process. Chances are very high that your test engineers will have four or more different testing tools in place.

The Problem

Our current technical-testing platforms are still limited concerning support for different testing activities. This gap leads to a high development and maintenance effort. We have many script redundancies, and in some cases, test implementation exceeds development effort.

The Solution

Based on my experience many successful organizations have automation, performance and security testing specialists in place. It would be a great productivity driver if those teams can use the same testing platform and testing scripts across their testing activities. This test asset sharing would lead to a rise in test coverage and test effort savings.

I hope that this post is a wake-up call for our testing solution providers. Start your engines and build a new technical testing platform which closes this gap.

Increase your Secure Software Development Maturity

Software development is often an unguided missile. Coding standards are seldom in place and developers decide what framework and libraries they will use for the implementation of their applications.

However, there are several excellent guidelines available which clearly describes the required measures to integrate security aspects in all software development steps. Personally speaking, I recommend the BSIMM guideline because it comes up with a maturity model and provides excellent benchmark metrics.

The table below contains a tailored, secure software development process according to BSIMM.

ssdevproc

In this example the company decided to reach a higher maturity in implementation and test phases while analysis and design phases a lower maturity is sufficient.

More than 75 companies around the world are using BSIMM and those regularly provide their benchmark metrics. In the finance sector, the maturity level is between 1.8 and 2.8. Businesses who decide to switch to BSIMM could therefore easily compare their current maturity with their competitors.

Also, regulatory authorities such as MAS have already policies in place which specifies that some secure software development tasks such as code review and security testing have do be conducted pre-production.

Therefore, keep doing the good work and integrate security aspects in your software development chain.

Things you don’t want to hear about Development of Secure Software

Two of three security breaches account to vulnerable applications. Cyber criminals use vulnerable business applications to get access to confidential data without beeing detected.

I assume that some of us are already aware of successful attacks and how to search for vulnerable applications. I don’t want to tell you too much at this time, but if you are interested, you should have a look at the Google hacking database (GHDB), which allows a convenient search for specific security loopholes.

However, some wise companies have already applied measures to protect their valuable secrets. Some businesses are focusing more on infrastructure while others fundamentally transformed their development process towards security. Based on my experience is the latter the better approach while the former often does not provide sufficient protection for application layers based attacks such as SQL injection or cross-side scripting.

All things considered, don’t wait until you become a victim of a cyber-security attack. Integrate security aspects in your development process and eliminate security vulnerabilities from the root, the source code.

In my next blog post, I will give you a detailed overview of a streamlined, secure software development process.