Security Testing

  • Thursday, September 17, 2009 6:52 AM, shanmugham
    hi

    I need a big help from you ...
    In our concern, for the first time, they are undergoing a banking project. They need a very high level of security testing, but I don't know how to perform security testing.
    Can anyone give me a solution on what all the aspects are that I have to undergo security testing for, and at which levels?


    Shanmugham

Answers

  • Monday, October 05, 2009 8:57 AM, Inder P Singh
     Answer

    Shanmugham,

    First, a few words about security testing. Security testing is related to the security of data and the functionality of the application. You should be aware of the following concepts while performing security testing:

    1. Confidentiality - The application should only provide the data to the relevant party, e.g. one customer's transactional data should not be visible to another customer; the irrelevant personal details of the customer should not be visible to the administrator, and so on.

    2. Integrity - The data stored and displayed by the application should be correct, e.g. after a withdrawal, the customer's account should be debited by the correct amount.

    3. Authentication - It should be possible to attribute the data transmitted in the application to either the application or the customer. In other words, no one other than the customer or the bank should be able to create or modify any data.

    4. Authorization - The application or a user should only be able to perform the tasks which they are respectively authorized to perform, e.g. a customer should not be able to withdraw more than the balance in their account without having an overdraft facility, and the application should not be able to levy charges on a customer account without prior customer approval.

    5. Availability - The data and functionality should be available to the users throughout the working period, e.g. if the bank's operating times are from 8 a.m. to 8 p.m. on all working days, it should be possible for a customer to access their account and make the necessary transactions on their account during that time.

    6. Non-repudiation - At a later date, it should not be possible for a party to deny that a particular transaction or data change took place, e.g. if a customer withdraws an amount from their account, this should trigger the relevant actions (posting to their transaction records, debiting their account, sending them a notification, etc.).

    In your question, you mentioned that you wish to avoid any data breach by hackers. You should understand that hackers are not the only people from whom the application functionality and data need to be protected. There are other people that you need to consider as well:

    1. Disgruntled customers

    2. Unhappy or malicious employees of the bank

    3. Unprofessional service providers, e.g. an unprofessional hosting company that may have access to the application and the data

    4. Unprofessional auditors

    Further, since financial data is so important, banking applications in certain countries have to be compliant with the relevant financial standards. Research the relevant standards that your application needs to follow.

    Creating a secure application involves a lot of work in designing a secure application and designing a secure data store. Even after deployment, the application should be closely monitored to ensure that the data is being accessed only by authorized people. If any security breach is reported, it should be analyzed carefully and the loopholes plugged.

    Now, let us discuss the actual security testing. You should design security tests based on at least the following:

    1. Stated security requirements

    2. Security-related standards that the application should follow

    Assuming that it is a web application,

    3. Common vulnerabilities found in web applications

    4. Different browser versions on different operating systems (here you should note that implementing security only on the client-side may not suffice)

    Refer to the following link on the various kinds of "attacks":

    http://www.owasp.org/index.php/Category:Attack

    In your initial tests, you may want to use automated testing tools, e.g. web vulnerability scanners, password crackers, web proxy tools, etc. Based on your learning, you may want to execute the more complex security tests by hand. Keep yourself updated about the latest hacks and test them on your application before every release.

    As you might now appreciate, security testing is a vast area of knowledge and practice. In order to do justice to security testing, it is better to have a dedicated team for security testing.

    Thank you,

    Inder P Singh

    Blog: Software Testing Space
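The concepts in the answer above, as an added example that is not part of the original thread: a toy in-memory banking service in Python with negative security tests for confidentiality (1), authorization (4) and non-repudiation (6). The Bank class, the account names, balances and overdraft limits are all constructed for the illustration and do not model any real banking system; note that the test for a refused request also checks that the refusal was logged, because the audit trail is what the post-deployment monitoring the answer recommends would run on.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple


class AccessDenied(Exception):
    """Raised when a request fails an authorization or confidentiality check."""


@dataclass
class Account:
    owner: str
    balance: int               # minor units (cents) so no float rounding creeps into integrity checks
    overdraft_limit: int = 0   # 0 means no overdraft facility
    history: List[dict] = field(default_factory=list)


class Bank:
    """Constructed in-memory service; every decision, allowed or denied, goes to an audit log."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[dict] = []

    def _log(self, actor: str, action: str, **detail) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action, **detail})

    def open_account(self, owner: str, balance: int, overdraft_limit: int = 0) -> str:
        acct_id = f"ACC{len(self.accounts) + 1:04d}"
        self.accounts[acct_id] = Account(owner, balance, overdraft_limit)
        self._log(owner, "open", account=acct_id)
        return acct_id

    def withdraw(self, actor: str, acct_id: str, amount: int) -> int:
        """Authorization: only the owner may debit, and only within balance plus overdraft."""
        acct = self.accounts[acct_id]
        if acct.owner != actor:
            self._log(actor, "withdraw_denied", account=acct_id, reason="not owner")
            raise AccessDenied("not the account owner")
        if amount <= 0 or acct.balance - amount < -acct.overdraft_limit:
            self._log(actor, "withdraw_denied", account=acct_id, reason="limit exceeded")
            raise AccessDenied("amount exceeds balance and overdraft limit")
        acct.balance -= amount
        acct.history.append({"type": "withdrawal", "amount": amount})
        self._log(actor, "withdraw", account=acct_id, amount=amount)
        return acct.balance

    def statement(self, actor: str, acct_id: str, role: str = "customer") -> dict:
        """Confidentiality: a customer sees only their own account; an administrator
        sees balance and history but not the owner's identity."""
        acct = self.accounts[acct_id]
        if role == "admin":
            self._log(actor, "statement_admin", account=acct_id)
            return {"balance": acct.balance, "history": list(acct.history)}
        if acct.owner != actor:
            self._log(actor, "statement_denied", account=acct_id)
            raise AccessDenied("not the account owner")
        return {"owner": acct.owner, "balance": acct.balance, "history": list(acct.history)}


def make_bank() -> Tuple[Bank, str, str]:
    """Constructed fixture: alice has 100.00 and no overdraft, bob has 50.00 with a 20.00 overdraft."""
    bank = Bank()
    return bank, bank.open_account("alice", 10000), bank.open_account("bob", 5000, overdraft_limit=2000)


def denied(fn, *args) -> bool:
    """True when the call is refused with AccessDenied, the expected outcome of a negative test."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True


def check_cross_customer_confidentiality() -> bool:
    bank, alice_acct, _ = make_bank()
    refused = denied(bank.statement, "bob", alice_acct)
    entry = bank.audit[-1]
    return refused and entry["action"] == "statement_denied" and entry["actor"] == "bob"


def check_admin_minimal_view() -> bool:
    bank, alice_acct, _ = make_bank()
    view = bank.statement("auditor", alice_acct, role="admin")
    return "owner" not in view and view["balance"] == 10000


def check_overdraft_authorization() -> bool:
    bank, alice_acct, bob_acct = make_bank()
    no_facility = denied(bank.withdraw, "alice", alice_acct, 15000)       # 150.00 > 100.00, no overdraft
    within_limit = bank.withdraw("bob", bob_acct, 6000) == -1000          # leaves -10.00, inside 20.00 limit
    beyond_limit = denied(bank.withdraw, "bob", bob_acct, 1500)           # would reach -25.00, refused
    return no_facility and within_limit and beyond_limit


def check_non_repudiation() -> bool:
    bank, alice_acct, _ = make_bank()
    bank.withdraw("alice", alice_acct, 2500)
    entry = bank.audit[-1]
    posted = bank.accounts[alice_acct].history[-1] == {"type": "withdrawal", "amount": 2500}
    return posted and entry["actor"] == "alice" and entry["action"] == "withdraw" and entry["amount"] == 2500


def run_all() -> Dict[str, bool]:
    checks = (check_cross_customer_confidentiality, check_admin_minimal_view,
              check_overdraft_authorization, check_non_repudiation)
    return {c.__name__: c() for c in checks}


if __name__ == "__main__":
    for name, passed in run_all().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

Each check is written so that it passes only when the control both refuses the request and leaves evidence of the refusal; a real test suite would run the same cases against the deployed application through its HTTP interface rather than against an in-process class.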

All Replies

  • Friday, September 18, 2009 10:57 PM, Alan Page (MSFT, Owner)
    This is a pretty broad question. Can you tell us where you've searched and what questions you still may have?
  • Monday, September 21, 2009 1:00 PM, shanmugham
    hi alan

    I need to know all the ways in which our application is secured, i.e. by cookies, any link, bin, images, SQL server name and the like.
    With the help of these the hackers can do some mischief and get some data. In order to avoid this, what are the aspects on which I have to perform testing, and what are all the possibilities?



    Shanmugham
  • Friday, September 25, 2009 3:37 AM, Alan Page (MSFT, Owner)
    Bing "Threat Model" and/or read "Writing Secure Code" - that should give you some ideas.
  • Thursday, October 01, 2009 10:24 PM, Alan Myrvold
    Another good book for getting started with security testing is "Hunting Security Bugs".  For web applications, XSS and CSRF are important topics, as is potential SQL injection.
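The three issue classes Alan names (XSS, CSRF and SQL injection), as an added example that is not part of the original thread: a Python harness that runs the same probe against a 'before' and an 'after' version of each control, so a tester can see what a passing and a failing result look like. sqlite3 stands in for the real database, the customers table, the probe strings and the handler names are all constructed for the test, and nothing here is the code of any real banking application.

```python
import hmac
import html
import secrets
import sqlite3
from typing import Callable, Dict, List, Tuple

# --- SQL injection: string-built query beside a parameterised one ---

def make_db() -> sqlite3.Connection:
    """Constructed fixture table; sqlite3 stands in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO customers (username, balance) VALUES (?, ?)",
                     [("alice", 10000), ("bob", 5000), ("carol", 250)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    # 'before': the input becomes part of the SQL text
    sql = f"SELECT username, balance FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    # 'after': bound parameter; the driver never parses the input as SQL
    return conn.execute("SELECT username, balance FROM customers WHERE username = ?",
                        (username,)).fetchall()


SQLI_PROBE = "x' OR '1'='1"   # constructed test input: no such user, with a tautology appended


def leaks_other_customers(lookup: Callable[..., list]) -> bool:
    """A lookup for a nonexistent name must return no rows; more than one row means the
    WHERE clause was rewritten by the input, i.e. a confidentiality failure."""
    return len(lookup(make_db(), SQLI_PROBE)) > 1


# --- XSS: unencoded output beside HTML-escaped output ---

XSS_PROBE = "<script>alert(1)</script>"   # constructed test input


def greeting_unsafe(display_name: str) -> str:
    return f"<p>Welcome, {display_name}</p>"


def greeting_safe(display_name: str) -> str:
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def reflects_markup(render: Callable[[str], str]) -> bool:
    """True when the probe survives as live markup in the response body."""
    return "<script>" in render(XSS_PROBE)


# --- CSRF: state-changing request without and with a per-session token check ---

def new_session() -> dict:
    return {"user": "alice", "csrf_token": secrets.token_hex(16)}


def transfer_unsafe(session: dict, form: dict) -> int:
    return 200                                  # trusts any POST that carries the session cookie


def transfer_safe(session: dict, form: dict) -> int:
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403                              # token missing or wrong: refuse the state change
    return 200


def accepts_forged_post(handler: Callable[[dict, dict], int]) -> bool:
    """A form posted from another site rides on the cookie but cannot read the token."""
    session = new_session()
    forged = {"to": "ACC9999", "amount": "100"}   # constructed cross-site form, no token
    return handler(session, forged) == 200


def findings() -> Dict[str, bool]:
    """True marks a failed control, which is what a tester would report."""
    return {
        "sqli_before": leaks_other_customers(lookup_unsafe),
        "sqli_after": leaks_other_customers(lookup_safe),
        "xss_before": reflects_markup(greeting_unsafe),
        "xss_after": reflects_markup(greeting_safe),
        "csrf_before": accepts_forged_post(transfer_unsafe),
        "csrf_after": accepts_forged_post(transfer_safe),
    }


if __name__ == "__main__":
    for name, failed in findings().items():
        print(f"{name}: {'VULNERABLE' if failed else 'ok'}")
```

The point of pairing each probe with both versions is that a negative test only proves something when it is known to fail against the weak implementation; the same pairs make a useful regression suite to run before every release, as the accepted answer suggests.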

  • Monday, October 26, 2009 3:45 AM, Alan Page (MSFT, Owner)
    I would also start with some searches on web security testing, or read James Whittaker's "How to Break Web Software" - that should give you a big head start.