Security is vitally important in software applications. More and more people use the Internet and computers for everyday tasks. Software is everywhere: in cell phones, cars, airplanes, televisions and, of course, home computers, and more and more of these devices are connected to the Internet. Everyday services such as banking, stock trading and tax filing are moving online. Today's software is produced faster than ever, yet most of the people who use it are unaware of security. With shrinking budgets, tight schedules and little knowledge of security testing, software vulnerabilities are everywhere, and the applications that carry them are used by people all over the world. Application security testing, and web application security testing in particular, is therefore a must for a software product to succeed in today's world.
Security testing addresses the aspects of a system that do not concern application functionality but the confidentiality, integrity and availability of the application; for that reason it is commonly classed as "nonfunctional requirements (NFR) testing." NFR testing, which is used to assess the quality, security and resiliency of software, rests on the idea that nonfunctional requirements describe not what the software is meant to do, but how it must do it, including how it behaves when something goes wrong.
Security testing, when done properly, goes deeper than functional testing or black-box probing of the presentation layer. By identifying the risks in the system and deriving tests from those risks, a software security tester can focus on the areas of code in which an attack is likely to succeed. Software security is about making software behave correctly in the presence of a malicious attack, even though in the real world most software failures happen spontaneously, that is, without intentional mischief.
The OWASP (Open Web Application Security Project) Top Ten is a periodically revised list of the ten most critical web application security risks. The edition current at the time of writing (the 2010 list) is, in OWASP's own order:
- Injection
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
Security testing takes a different mindset from functional QA testing. A security tester must think about how to break and abuse the application the way a black-hat hacker or malicious user would. Deliberately trying to do things that will upset the underlying code, and thinking outside the box, will help a tester considerably in becoming security oriented.
One of the most prevalent security-related issues to deal with is input validation. A functional quality assurance engineer can devise a variety of methods to verify the functionality of a feature or component, but a security tester has to go deeper: think like a malicious user, consider the cases that shouldn't be allowed, supply input that typical users would never attempt (overlong strings, quotes and other metacharacters, encoded payloads, values of the wrong type), and try to twist and break the application in any way possible. There are also many open source and commercial automated tools (Acunetix, OWASP Zed Attack Proxy, Websecurify, etc.) that perform dynamic analysis and penetration testing of web applications. Typical scanner features include client-certificate authentication and proxy chaining, and the vulnerability classes they look for include:
- Local and Remote File Inclusion
- Cross-Site Scripting
- SQL injection
- Information Disclosure Problems
- Session Security Problems, etc.
Such scanners find common injection and configuration flaws well but miss authorization and business-logic errors, so they complement manual testing rather than replace it.
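As an added illustration, not code from the original article, the following Python snippet shows the kind of abuse cases a security tester supplies to a login routine instead of an ordinary password, run against a deliberately vulnerable string-built SQL query and against its parameterized fix. The user table, the abuse inputs and the in-memory SQLite database are constructed for the demonstration.

```python
import sqlite3

# Constructed sample users for the demonstration; not real credentials.
# Passwords are kept in plaintext only so the injection stays readable;
# a real system would compare a password hash.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Inputs a functional tester would never send but a security tester tries
# first: a tautology that makes the WHERE clause always true, and a comment
# sequence that cuts the password check out of the statement entirely.
ABUSE_CASES = {
    "valid_credentials": ("alice", "s3cret"),
    "plain_wrong_password": ("alice", "wrong"),
    "tautology_in_password": ("alice", "' OR '1'='1"),
    "comment_out_password_check": ("alice'--", "wrong"),
}


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Deliberately vulnerable: attacker-controlled text is spliced into SQL."""
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterized query: input is bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def run_abuse_cases(login) -> dict:
    """Map each abuse case to whether the given login routine accepted it."""
    conn = make_db()
    try:
        return {case: login(conn, name, pw)
                for case, (name, pw) in ABUSE_CASES.items()}
    finally:
        conn.close()


if __name__ == "__main__":
    for routine in (login_vulnerable, login_hardened):
        print(routine.__name__)
        for case, accepted in run_abuse_cases(routine).items():
            print(f"  {case:<28} authenticated={accepted}")
```

Only the first case should authenticate. The vulnerable routine also accepts the tautology and the comment sequence, with a wrong or empty password; the parameterized routine treats both payloads as an ordinary, non-matching string.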
If a program is vulnerable to overflows, lacks input checks or uses encryption improperly, it will quickly become known for its instability, and sales will drop as customers move to alternative products that do the same job and have been carefully tested. So, as more and more vital data is stored in web applications and the number of transactions on the web grows, proper and robust security testing of web applications is becoming essential. Web application security testing is the process of determining whether confidential data stays confidential, i.e. is not exposed to individuals or entities for whom it is not intended (this is checked through specialized techniques such as web application penetration testing), and whether users can perform only the tasks they are authorized to perform: a user should be able neither to deny the web site's functionality to other users nor to change the web application's functionality in an unintended way. Hence web application security and stability cannot be confined to the testing phase, but must be a consistent and persistent effort starting from the design phase itself.
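The authorization half of that definition, as an added example that is not part of the original article: a record lookup that trusts the id in the request (an insecure direct object reference, fourth on the OWASP list above) beside a version that checks ownership, together with the id-walking probe a tester would run against both. The order store, the user names and the id range are constructed for the demonstration.

```python
# Constructed sample order records; sequential ids are trivially guessable.
ORDERS = {
    1001: {"owner": "alice", "item": "laptop"},
    1002: {"owner": "bob", "item": "phone"},
    1003: {"owner": "bob", "item": "headphones"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_order_vulnerable(current_user: str, order_id: int) -> dict:
    """Insecure direct object reference: the id from the request is looked
    up as-is and the caller's identity is never compared with the owner."""
    return ORDERS[order_id]


def get_order_hardened(current_user: str, order_id: int) -> dict:
    """Ownership check. A missing id and someone else's id produce the same
    error so that a tester cannot tell which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        raise Forbidden(f"order {order_id} is not accessible to {current_user}")
    return order


def probe_idor(handler, user: str, ids) -> dict:
    """Walk a range of ids as `user` (what a tester does with an intercepting
    proxy) and return {id: owner} for every record the handler served."""
    served = {}
    for oid in ids:
        try:
            served[oid] = handler(user, oid)["owner"]
        except (Forbidden, KeyError):
            continue
    return served


def leaks_other_users_data(handler, user: str, ids) -> bool:
    """True if the handler returned any record not owned by `user`."""
    return any(owner != user
               for owner in probe_idor(handler, user, ids).values())


if __name__ == "__main__":
    ids = range(1000, 1006)
    for handler in (get_order_vulnerable, get_order_hardened):
        print(handler.__name__,
              "served:", probe_idor(handler, "alice", ids),
              "leaks:", leaks_other_users_data(handler, "alice", ids))
```

Walking the id range as alice, the vulnerable handler hands back bob's two orders as well as her own; the hardened handler returns only order 1001 and gives the same error for ids that do not exist and ids that belong to someone else.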