Friday, July 27, 2012

Security Testing & Security Testing Checklist

Security Testing

Security testing is the process of attempting to devise test cases that subvert the program’s security checks. For example, you could try to formulate test cases that get around an operating system’s memory protection mechanism. [Source: The Art of Software Testing Second Edition Glenford J. Myers]

Security testing is, inevitably, limited by the time and resources available to the test team. This means that you should normally adopt a risk-based approach to security testing and focus on what you think are the most significant risks faced by the system. If you have an analysis of the security risks to the system, these can be used to drive the testing process. As well as testing the system against the security requirements derived from these risks, the test team should also try to break the system by adopting alternative approaches that threaten the system assets.

It is very difficult for end-users of a system to verify its security. Consequently, government bodies in North America and in Europe have established sets of security evaluation criteria that can be checked by specialized evaluators (Pfleeger and Pfleeger, 2007). Software product suppliers can submit their products for evaluation and certification against these criteria. Therefore, if you have a requirement for a particular level of security, you can choose a product that has been validated to that level. In practice, however, these criteria have primarily been used in military systems and as of yet have not achieved much commercial acceptance. [Source: Software Engineering by Sommerville]

Objectives of Security Testing

The objective of security testing is to demonstrate the following:

1. The software behaves securely and consistently under all conditions—both expected and unexpected.
2. If the software fails, the failure does not leave the software, its data, or its resources open to attack.
3. Obscure areas of code and dormant functions cannot be compromised or exploited.
4. Interfaces and interactions among components at the application, framework/middleware, and operating system levels are consistently secure.
5. Exception and error handling mechanisms resolve all faults and errors in ways that do not leave the software, its resources, its data, or its environment vulnerable to unauthorized modification or denial-of-service attack. [Software Testing and Quality Assurance: Theory and Practice By Sagar Naik, Piyu Tripathy]

Examples of cases in the Security Testing Checklist:

1. Do all files that are created in the application have appropriate access permissions? The wrong access permissions may lead to these files being accessed by unauthorized users. Verify that illegal reading of files, to which the perpetrator is not authorized, is not allowed.
2. Does the system automatically terminate user sessions after a period of inactivity? Sessions that are left active may allow unauthorized access through an unattended computer.
3. Verify that only authorized accesses to the system are permitted. This may include authentication of user ID and password and verification of expiry of a password.
4. Verify the correctness of both encryption and decryption algorithms for systems where data/messages are encoded.
5. If passwords are set, does the system check that passwords are 'strong'? Strong passwords consist of mixed letters, numbers and punctuation, and are not normal dictionary entries. They are more difficult to break than simple passwords.
6. If the system is written in a programming language without array bound checking, are there situations where buffer overflow may be exploited? Buffer overflow may allow attackers to send code strings to the system and then execute them. Buffer overflows are the most commonly found vulnerability in code that can be exploited to compromise the system.
7. Are inputs from the system’s environment always checked against an input specification? Incorrect processing of badly formed inputs is a common cause of security vulnerabilities.
8. Ensure that virus checkers prevent or curtail entry of viruses into the system.
9. Ensure that the system is available to authorized users when a zero-day attack occurs.
10. Verify the different protocols used by authentication servers, such as Remote Authentication Dial-in User Services (RADIUS), Lightweight Directory Access Protocol (LDAP), and NT LAN Manager (NTLM).
11. Verify the secure protocols for client–server communications, such as the Secure Sockets Layer (SSL). The SSL provides a secure channel between clients and servers that choose to use the protocol for web sessions. The protocol serves two functions: (i) authenticate the web servers and/or clients and (ii) encrypt the communication channel.
12. Verify the IPSec protocol. Unlike the SSL, which provides services at layer 4 and secures the communications between two applications, IPSec works at layer 3 and secures communications happening on the network.
13. Verify different wireless security protocols, such as the Extensible Authentication Protocol (EAP), the Transport Layer Security (TLS) Protocol, the Tunneled Transport Layer Security (TTLS) Protocol, and the Protected Extensible Authentication Protocol (PEAP).

[Source: Software Engineering by Sommerville and SOFTWARE TESTING AND QUALITY ASSURANCE Theory and Practice by KSHIRASAGAR NAIK]
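As an added example (not taken from the cited textbooks), the following Python turns checklist items 1, 2 and 5 into executable test predicates of the kind a tester would write against an application; the 15-minute idle limit, the 12-character minimum and the small word list are assumed values, and the inputs in run_checklist are constructed samples.

```python
import re
import stat
from datetime import datetime, timedelta

# Item 1: files the application creates must grant nothing to group/other,
# so only the owning account can read or write them.
DISALLOWED_BITS = stat.S_IRWXG | stat.S_IRWXO

def file_permissions_ok(mode: int) -> bool:
    """True if the permission bits of a stat mode give no group/other access."""
    return (stat.S_IMODE(mode) & DISALLOWED_BITS) == 0

# Item 2: a session idle for at least the limit must be terminated.
SESSION_IDLE_LIMIT = timedelta(minutes=15)  # assumed policy value

def session_should_terminate(last_activity: datetime, now: datetime,
                             idle_limit: timedelta = SESSION_IDLE_LIMIT) -> bool:
    """True if the session has been inactive for idle_limit or longer."""
    return now - last_activity >= idle_limit

# Item 5: strong passwords mix letters, digits and punctuation and are not
# dictionary entries. The word list is a constructed sample, not a real one.
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "letmein", "qwerty"}

def is_strong_password(pw: str, dictionary=SAMPLE_DICTIONARY,
                       min_len: int = 12) -> bool:
    """Apply the checklist's definition of a 'strong' password."""
    if len(pw) < min_len:
        return False
    has_letter = re.search(r"[A-Za-z]", pw) is not None
    has_digit = re.search(r"\d", pw) is not None
    has_punct = re.search(r"[^\w\s]", pw) is not None
    # Strip digits/punctuation so a padded dictionary word ("Welcome2012!!")
    # is still recognised as a dictionary entry and rejected.
    core = re.sub(r"[^A-Za-z]", "", pw).lower()
    if core in dictionary:
        return False
    return has_letter and has_digit and has_punct

def run_checklist() -> dict:
    """Evaluate constructed sample inputs; each value is the check's verdict."""
    return {
        "item1_private_file": file_permissions_ok(0o100600),     # owner-only
        "item1_world_readable": file_permissions_ok(0o100644),   # fails item 1
        "item2_idle_session": session_should_terminate(
            datetime(2012, 7, 27, 9, 0), datetime(2012, 7, 27, 9, 20)),
        "item5_dictionary_word": is_strong_password("Welcome2012!!"),
        "item5_strong": is_strong_password("7r@ck-C0ver_Blu3!"),
    }
```

Each predicate is deliberately independent of any application, so it can be wrapped in the team's test framework and pointed at the real file modes, session records and password policy under test.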

Other links from where you can explore more on Security Testing & Security Testing Checklists:

1. Top Ten Tips for Secure Testing
This paper provides information about testing applications for the Microsoft Windows family of operating systems in a secure fashion. The topics are divided into ten tips (1. Don't Run Tests as an Administrator, 2. Test on a Secure File System--NTFS, 3. Don't Change Anything in HKLM or %PROGRAMFILES%, 4. Don't Store or Send Secrets in Clear Text, 5. Get Adequate Feature Documentation, 6. Press the Limits of Bad Data, 7. Test on Two or More Processors, 8. Know the 20 Laws of Security, 9. Use the tools available, 10. Analyze the source code) that any developer or tester can readily apply when testing an application or hardware device driver.

2. Web Application Security Testing Checklist
Main points from this checklist: Set everyone's expectations, Gather good tools, Look at your application from every perspective, Test for underlying weaknesses, Go back and verify your scanner findings, Manually check for weaknesses, Test your source code.

3. OWASP based Web Application Security Testing Checklist
OWASP based Web Application Security Testing Checklist is an Excel based checklist which helps you to track the status of completed and pending test cases.

4. Security testing authorization - Checklist
It is important that organizations provide proper authority to people undertaking any form of website or web application security testing. This check list provides a guide to some items which should be considered and specified.

5. Performance & Security Testing Checklist
Creating checklists for performance & security is extremely important. This checklist helps in better definition of performance and security requirements. In the absence of properly defined performance & security testing requirements, teams can spend a great deal of time on things which probably do not matter much.

6. Security Evaluation Checklist
Their checklist consists of (1) evaluating topology, (2) penetration testing from outside and inside network, (3) evaluating network devices, such as routers, switches, firewalls, IDS, (4) evaluating servers, (5) evaluating applications, and (6) evaluating policy and procedures. In this paper they elaborate the idea behind the checklist, give a walk through of the steps, and provide a list of tools related to the activity.

7. Security Testing Handbook for Banking Applications (Softcover) By Arvind Doraiswamy: This book gives an in-depth approach to security testing.

8. Threat modeling allows you to apply a structured approach to security and to address the top threats that have the greatest potential impact to your application first. This chapter helps you to decompose your Web application to identify and rate the threats that are most likely to impact your system. The chapter presents a six-step threat modeling process.

9. A Security Checklist for Web Application Design

10. Guideline on Network Security Testing (Recommendations of the National Institute of Standards and Technology).

11. How do you start testing any Web Application
This link contains many testing checklists including Security Testing Checklist.