Security Testing: User Right Not Privilege
Why security testing? If everyone were ethical we might not need to bother so much about security testing, but on the World Wide Web (or World Wild Web) not everyone is ethical, and if you are not testing the security of your product, chances are very high that someone else, somewhere, will be doing it for you.
Security testing is no longer seen as an overhead cost, because security plays a very important role in an organization's bottom-line growth.
In this post we will try to see:
- Where security fits into the product development life cycle
- What the main security threats associated with an application are
- How we can mitigate these security threats
Before we deal with security testing in detail, let's understand how security testing differs from functional testing.
Functional testing checks that the application or product does what it is supposed to do. It is performed on behalf of a legitimate user of the product who is attempting to use it in the way it was intended to be used and for its intended purpose.
Security testing confirms that the application does not do what it is not supposed to do. The goal of security testing is to find vulnerabilities in our application. A vulnerability usually allows an attacker to trick the application into injecting data into its back end, to execute commands on the system hosting the application, or to exploit a flaw that allows unintended memory access in order to execute code with the privileges of the program.
Secure software should have the following characteristics:
- Confidentiality: ensuring there is no deliberate or accidental improper disclosure of sensitive information
- Integrity: protection against deliberate or accidental corruption of information
Security testing in the software development life cycle:
Rather than being a wrapper around existing features, security should be part of the software development life cycle from the beginning.
The following figure shows some activities that add structure to the software development process.
Security threat categorization:
Security threats can be categorized into six main categories:
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
*STRIDE is an acronym given by Loren Kohnfelder while categorizing
Spoofing user identity.
Spoofing is an attack that involves three hosts: an attacker, a victim and an innocent third party. Man-in-the-middle attacks are a good example of web spoofing, where the attacker spoofs "X" into believing he is "Y" and spoofs "Y" into believing he is "X", thus gaining access to all communication between "X" and "Y".
Testing Ideas:
- Attempt to force the application to use no authentication
- Can "cookies" be replayed to bypass the authentication stage?
- Try forcing an authentication protocol to use a less secure legacy version
Mitigation Techniques:
- Use strong authentication.
- Do not store secrets (for example, passwords) in plaintext.
- Do not pass credentials in plaintext over the wire.
- Protect authentication cookies with Secure Sockets Layer (SSL).
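The cookie-replay test and the "protect authentication cookies" mitigation above can be exercised against a small server-side session model. The following is an added example written for this post, not code from the original article: it issues an HMAC-signed cookie with an absolute expiry and a random session id, and the verifier rejects a cookie whose user field was edited, a cookie presented after expiry, and a cookie replayed after the server has logged the session out. The key, the `user|expiry|session_id|signature` layout, the field separator and the function names are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed server-side key for this example; a real service loads it from a
# secret store, never from source code.
SERVER_KEY = b"constructed-example-key-do-not-reuse"

# Session ids the server still considers live. Logout removes an id, so a cookie
# replayed after logout fails even though its signature is still valid.
_live_sessions: set = set()


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _split(cookie: str) -> Optional[Tuple[str, str, str, str]]:
    """Decode user|expiry|session_id|signature, or None if the cookie is malformed."""
    try:
        fields = base64.urlsafe_b64decode(cookie.encode()).decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    if len(fields) != 4:
        return None
    return fields[0], fields[1], fields[2], fields[3]


def issue_cookie(user: str, now: float, ttl_seconds: int = 900) -> str:
    """Issue a signed cookie carrying the user, an absolute expiry and a random session id."""
    if "|" in user:
        raise ValueError("user names may not contain the field separator")
    session_id = secrets.token_hex(8)
    payload = f"{user}|{int(now) + ttl_seconds}|{session_id}".encode()
    _live_sessions.add(session_id)
    return base64.urlsafe_b64encode(payload + b"|" + _sign(payload).encode()).decode()


def verify_cookie(cookie: str, now: float) -> Tuple[Optional[str], str]:
    """Return (user, "ok") for a valid cookie, otherwise (None, reason)."""
    parts = _split(cookie)
    if parts is None:
        return None, "malformed"
    user, expiry, session_id, sig = parts
    payload = f"{user}|{expiry}|{session_id}".encode()
    # Constant-time comparison; nothing in the cookie is trusted until this passes.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None, "bad signature"
    if now >= int(expiry):
        return None, "expired"
    if session_id not in _live_sessions:
        return None, "revoked"
    return user, "ok"


def logout(cookie: str) -> None:
    """Server-side logout: forget the session id so the cookie can no longer be replayed."""
    parts = _split(cookie)
    if parts is not None:
        _live_sessions.discard(parts[2])


def tampered_copy(cookie: str, new_user: str) -> str:
    """Test helper for the replay check: swap the user field without knowing the key."""
    _user, expiry, session_id, sig = _split(cookie)
    raw = f"{new_user}|{expiry}|{session_id}|{sig}".encode()
    return base64.urlsafe_b64encode(raw).decode()


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    cookie = issue_cookie("alice", t0)
    print(verify_cookie(cookie, t0 + 10))                       # ('alice', 'ok')
    print(verify_cookie(tampered_copy(cookie, "admin"), t0))    # (None, 'bad signature')
    print(verify_cookie(cookie, t0 + 1000))                     # (None, 'expired')
    logout(cookie)
    print(verify_cookie(cookie, t0 + 10))                       # (None, 'revoked')
```

The signature is checked before the expiry or session id is read, so an edited cookie never reaches the later branches; the live-session set is what turns a logout into real revocation, since a signature alone cannot expire a cookie early. In a deployment the cookie would also carry the `Secure` and `HttpOnly` flags so it is only sent over TLS, which is what the SSL mitigation above is about.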
Tampering with data.
An attacker attempts to break the integrity of data packets as they traverse to their destination, or an unauthorized user modifies a DLL.
Testing Ideas:
- Attempt to bypass authentication
- Create invalid hashes and digital signatures to verify that they are checked properly
- Try to tamper with the data and then rehash it
Mitigation Techniques:
- Use data hashing and signing. Use digital signatures.
- Use strong authorization.
- Use tamper-resistant protocols across communication links.
- Secure communication links with protocols that provide message integrity.
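The "tamper and then rehash" test is exactly what separates a checksum from a keyed integrity tag. The following is an added example for this post, not the article's own code: it protects the same message once with an unkeyed SHA-256 digest and once with HMAC-SHA256, then runs the two testing ideas above (an invalid tag, and a modified body with a freshly computed digest) against both. The key, the JSON canonicalization and the `body`/`tag` packet layout are assumptions made for the example.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed shared key known only to sender and receiver (in practice a
# per-session key from the transport, or a private signing key for signatures).
INTEGRITY_KEY = b"constructed-integrity-key"


def _canonical(message: Dict[str, object]) -> bytes:
    """Serialize deterministically so both ends hash exactly the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def protect_with_hash(message: Dict[str, object]) -> Dict[str, str]:
    """Weak protection: an unkeyed SHA-256 digest that anyone can recompute."""
    body = _canonical(message)
    return {"body": body.decode(), "tag": hashlib.sha256(body).hexdigest()}


def check_hash(packet: Dict[str, str]) -> bool:
    expected = hashlib.sha256(packet["body"].encode()).hexdigest()
    return hmac.compare_digest(packet["tag"], expected)


def protect_with_mac(message: Dict[str, object]) -> Dict[str, str]:
    """Keyed protection: HMAC-SHA256, which cannot be recomputed without the key."""
    body = _canonical(message)
    return {"body": body.decode(),
            "tag": hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()}


def check_mac(packet: Dict[str, str]) -> bool:
    expected = hmac.new(INTEGRITY_KEY, packet["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(packet["tag"], expected)


def tamper_and_rehash(packet: Dict[str, str], field: str, value: object) -> Dict[str, str]:
    """The 'tamper the data and then rehash' test: change one field and recompute an
    unkeyed SHA-256 over the new body, which is all a tester without the key can do."""
    message = json.loads(packet["body"])
    message[field] = value
    body = _canonical(message)
    return {"body": body.decode(), "tag": hashlib.sha256(body).hexdigest()}


def corrupt_tag(packet: Dict[str, str]) -> Dict[str, str]:
    """The 'invalid hash' test: keep the body, replace the tag with garbage."""
    return {"body": packet["body"], "tag": "0" * len(packet["tag"])}


if __name__ == "__main__":
    order = {"account": "acct-1234", "amount": 100, "to": "merchant-7"}  # constructed sample
    weak, strong = protect_with_hash(order), protect_with_mac(order)
    print(check_hash(tamper_and_rehash(weak, "amount", 100000)))   # True: tampering undetected
    print(check_mac(tamper_and_rehash(strong, "amount", 100000)))  # False: tampering detected
    print(check_mac(corrupt_tag(strong)))                          # False: invalid tag rejected
    print(check_mac(strong))                                       # True: untouched packet
```

A plain hash only detects accidental corruption; whoever can change the body can recompute it. The keyed tag (or a digital signature, which works the same way with a private key) is what makes the "rehash" step fail, so a security test should always try the rehash rather than stopping at a corrupted tag.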
Repudiation.
Repudiation refers to performing an illegal operation in a system, with malicious intent, without the knowledge of the system administrator or the security agent.
An example of a repudiation attack is someone accessing your email server and sending fake information to others.
Testing Ideas:
- Does logging of user actions exist?
- Do conditions exist that prevent logging or auditing?
- Can incorrect data be created in the event log?
Mitigation Techniques:
- Create secure audit trails.
- Use time stamps.
- Use digital signatures.
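The three mitigations above (secure audit trail, time stamps, signatures) fit together in one structure. The following is an added example for this post, not the article's own code: an append-only audit trail where each entry carries a timestamp, the seal of the previous entry, and an HMAC seal of its own, so that `verify()` reports the "incorrect data in the event log" case from the testing ideas, plus deletions, reordering and backwards timestamps. The key, the field names and the error strings are assumptions made for the example; a production log collector would hold the key rather than the application writing entries.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed key, held by the log collector rather than the application writing
# entries, so compromising the application does not allow re-sealing a rewritten history.
AUDIT_KEY = b"constructed-audit-key"
GENESIS = "0" * 64
SEALED_FIELDS = ("seq", "ts", "actor", "action", "prev")


class AuditTrail:
    """Append-only audit log: every entry is timestamped, chained to the previous seal,
    and sealed with an HMAC, so edits, deletions and reordering are all detectable."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    @staticmethod
    def _seal(entry: Dict[str, object]) -> str:
        body = json.dumps({k: entry[k] for k in SEALED_FIELDS}, sort_keys=True).encode()
        return hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()

    def record(self, actor: str, action: str, timestamp: int) -> Dict[str, object]:
        prev = str(self.entries[-1]["seal"]) if self.entries else GENESIS
        entry: Dict[str, object] = {"seq": len(self.entries), "ts": timestamp,
                                    "actor": actor, "action": action, "prev": prev}
        entry["seal"] = self._seal(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, str]:
        """Walk the chain and report the first entry that fails any check."""
        prev = GENESIS
        last_ts: Optional[int] = None
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i:
                return False, f"gap or reorder at entry {i}"
            if entry["prev"] != prev:
                return False, f"chain broken at entry {i}"
            if not hmac.compare_digest(str(entry["seal"]), self._seal(entry)):
                return False, f"seal mismatch at entry {i}"
            if last_ts is not None and int(entry["ts"]) < last_ts:
                return False, f"timestamp goes backwards at entry {i}"
            prev, last_ts = str(entry["seal"]), int(entry["ts"])
        return True, "ok"


if __name__ == "__main__":
    trail = AuditTrail()
    trail.record("alice", "login", 1_700_000_000)        # constructed sample events
    trail.record("alice", "delete report.pdf", 1_700_000_005)
    trail.record("bob", "login", 1_700_000_009)
    print(trail.verify())                                 # (True, 'ok')
    trail.entries[1]["action"] = "read report.pdf"        # someone rewrites history
    print(trail.verify())                                 # (False, 'seal mismatch at entry 1')
```

Because each seal covers the previous seal, an attacker who edits entry 1 would have to re-seal entries 1, 2, ... with the key to hide it, and removing an entry leaves a sequence-number gap; the timestamps give the ordering evidence that makes "I never did that" hard to sustain. In a real system the seals would be shipped to a separate, write-once store, since the chain only proves integrity relative to whatever copy the verifier trusts.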
Information Disclosure.
Information disclosure refers to data that has been exposed to unauthorized users. For example, a non-privileged user has the ability to view data containing confidential information such as a credit card number.
Testing Ideas:
- Attempt to access data that can only be accessed by more privileged users, using tools like network sniffers
- Make the application fail or crash in such a way that an attacker can get some useful information
Mitigation Techniques:
- Use strong authorization.
- Use strong encryption.
- Secure communication links with protocols that provide message confidentiality.
- Do not store secrets (for example, passwords) in plaintext.
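Both testing ideas above, the non-privileged user seeing a card number and the crash that leaks detail, can be checked against one small handler. The following is an added example for this post, not the article's own code: a weak record view that returns the full card to every caller and echoes exception text to the client, beside a hardened version where authorization decides how much is shown and failures return a generic message while the detail goes to the server log. The role name, the record store and the card value (a standard test number, not a real card) are constructed for the example.

```python
import logging
from typing import Dict

log = logging.getLogger("records")

# Constructed sample data; the card number is a well-known test value, not a real card.
RECORDS: Dict[str, Dict[str, str]] = {
    "cust-1": {"name": "Constructed Customer", "card": "4111111111111111"},
}


def mask_card(number: str) -> str:
    """Show only the last four digits to callers without the billing privilege."""
    return "*" * (len(number) - 4) + number[-4:]


def view_record_leaky(record_id: str, role: str) -> Dict[str, str]:
    """Weak version: full card for everyone, and exception text echoed to the client,
    which is the 'make it fail and read the error' test idea."""
    try:
        rec = RECORDS[record_id]
        return {"name": rec["name"], "card": rec["card"]}
    except Exception as exc:  # the broad catch is part of what is wrong here
        return {"error": f"{type(exc).__name__}: {exc!r}"}


def view_record(record_id: str, role: str) -> Dict[str, str]:
    """Hardened version: the role decides how much is shown, and failures return a
    generic message while the detail is written to the server log only."""
    try:
        rec = RECORDS[record_id]
    except KeyError:
        log.warning("record lookup failed for id=%r role=%r", record_id, role)
        return {"error": "request could not be completed"}
    card = rec["card"] if role == "billing-admin" else mask_card(rec["card"])
    return {"name": rec["name"], "card": card}


if __name__ == "__main__":
    print(view_record("cust-1", "support"))        # card masked to ************1111
    print(view_record("cust-1", "billing-admin"))  # full card for the privileged role
    print(view_record("no-such-id", "support"))    # generic error, detail only in the log
    print(view_record_leaky("no-such-id", "support"))  # leaks the exception type and text
```

A security test for this handler asserts on two things the functional test never looks at: that the response for the lower role contains no more than the masked value, and that no response body ever contains an exception class name, a stack frame or a file path.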
Denial of Service.
A denial-of-service attack is an attack on a computer system that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
Testing Ideas:
- Flood a process with so much data that it stops responding to valid requests, using a fuzzing tool
- Does the application handle malformed data gracefully?
- Can external influences (disk space, memory and system resources) force the application to fail?
Mitigation Techniques:
- Use resource and bandwidth throttling techniques.
- Validate and filter input.
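The two mitigations above, throttling and input validation, can be exercised with the flood and malformed-data tests from the list. The following is an added example for this post, not the article's own code: a per-client token bucket in front of a request handler that also enforces a size limit and rejects bodies that do not decode, so a burst of requests is cut off after the configured allowance instead of consuming the service. The rate, burst, size limit and status codes are assumptions chosen for the example.

```python
from collections import defaultdict
from typing import Dict, Optional, Tuple

MAX_BODY_BYTES = 4096  # assumed limit for this service; set it from the real request size


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, stores at most `burst`."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens: float = float(burst)
        self.last: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Service:
    """Request handler guarded by per-client throttling and input validation."""

    def __init__(self, rate: float = 5.0, burst: int = 10) -> None:
        self._buckets: Dict[str, TokenBucket] = defaultdict(lambda: TokenBucket(rate, burst))

    def handle(self, client: str, body: bytes, now: float) -> Tuple[int, str]:
        # Throttle first, so a flood of oversized or malformed bodies is rejected
        # before any parsing work is spent on it.
        if not self._buckets[client].allow(now):
            return 429, "throttled"
        if len(body) > MAX_BODY_BYTES:
            return 413, "payload too large"
        try:
            text = body.decode("utf-8")
        except UnicodeDecodeError:
            return 400, "malformed body"
        return 200, f"accepted {len(text)} chars"


def flood(service: Service, client: str, count: int, now: float) -> Dict[int, int]:
    """Test helper: send `count` identical small requests at one instant, count statuses."""
    results: Dict[int, int] = {}
    for _ in range(count):
        status, _msg = service.handle(client, b"ping", now)
        results[status] = results.get(status, 0) + 1
    return results


if __name__ == "__main__":
    svc = Service(rate=5.0, burst=10)
    print(flood(svc, "10.0.0.1", 25, 0.0))                  # {200: 10, 429: 15}
    print(flood(svc, "10.0.0.1", 7, 1.0))                   # {200: 5, 429: 2} after refill
    print(svc.handle("10.0.0.2", b"x" * 5000, 0.0))         # (413, 'payload too large')
    print(svc.handle("10.0.0.2", b"\xff\xfe", 0.0))         # (400, 'malformed body')
```

Keying the bucket by client means one flooding source cannot spend the allowance of others, and placing the size and decoding checks after the throttle keeps the cheap rejection path cheap. The third testing idea, resource exhaustion from disk or memory pressure, is tested from outside the process (filling the disk, constraining memory) rather than through the handler.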
Elevation of privilege.
Allowing a remote internet user to run commands, or going from a limited user to admin, are examples of elevation of privilege attacks. In this type of threat, an attacker gains access to higher privileges that the system administrator has not granted to him. In this way, the attacker has the opportunity to access every area of data to which he has no access privileges.
Testing Ideas:
- Check if we can execute data as code
- Can an elevated process be forced to load a command shell?
Mitigation Techniques:
- Follow the principle of least privilege and use least-privileged service accounts to run processes and access resources.
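The "limited user to admin" case above is usually a missing authorization check rather than a memory bug, and it can be tested in application code. The following is an added example for this post, not the article's own code: an admin-only operation guarded by a role check, beside a profile-update handler in two versions, one that copies every submitted field (so a client can hand itself the `admin` role) and one that only accepts an allowlist of fields. The roles, field names and the `requires` decorator are assumptions made for the example.

```python
import functools
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple


class AuthorizationError(PermissionError):
    """Raised when a principal lacks the role an operation requires."""


@dataclass
class Principal:
    name: str
    roles: FrozenSet[str]
    display_name: str = ""


def requires(role: str) -> Callable:
    """Enforce a role on every call; the check lives with the operation, not the caller."""
    def decorator(fn: Callable) -> Callable:
        @functools.wraps(fn)
        def wrapper(principal: Principal, *args, **kwargs):
            if role not in principal.roles:
                raise AuthorizationError(
                    f"{principal.name} lacks role {role!r} for {fn.__name__}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorator


@requires("admin")
def create_user(principal: Principal, new_user: str) -> str:
    return f"{new_user} created by {principal.name}"


# Only these fields may be set from a client-supplied form; roles are never among them.
PROFILE_FIELDS = ("display_name",)


def update_profile_unsafe(principal: Principal, form: Dict[str, object]) -> Principal:
    """Weak version: copies every submitted field onto the principal, roles included,
    so a limited user who submits {"roles": ["admin"]} elevates themselves."""
    for key, value in form.items():
        if key == "roles":
            value = frozenset(value)
        setattr(principal, key, value)
    return principal


def update_profile(principal: Principal, form: Dict[str, object]) -> Principal:
    """Hardened version: an allowlist of fields; anything else in the form is ignored."""
    for key in PROFILE_FIELDS:
        if key in form:
            setattr(principal, key, str(form[key]))
    return principal


def attempt(fn: Callable, principal: Principal, *args) -> Tuple[bool, str]:
    """Test helper: report whether the call was allowed instead of raising."""
    try:
        return True, fn(principal, *args)
    except AuthorizationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"user"}))
    print(attempt(create_user, alice, "mallory"))        # denied: alice lacks 'admin'
    update_profile(alice, {"display_name": "Alice", "roles": ["admin"]})
    print(alice.roles, attempt(create_user, alice, "m")) # still {'user'}, still denied
    bob = Principal("bob", frozenset({"user"}))
    update_profile_unsafe(bob, {"roles": ["admin"]})
    print(attempt(create_user, bob, "mallory"))          # allowed: bob elevated himself
```

The security test here is the second half of the script: submit a form that carries a privilege field and then assert that the admin-only call is still denied. The same least-privilege principle applies one level down, where the service account running this process should hold only the operating-system rights its own operations need.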