A primer in software
security testing
Software security is a hot topic. Users are                           ...


 SELECT FirstName, LastName, Balance            By limiting the resources for a program the             We ca...

Further reading and references

 1. - Why security bugs are dif...
Upcoming SlideShare
Loading in …5

9-10-11-12 A primer in sftwre Security (A)


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

9-10-11-12 A primer in sftwre Security (A)

  1. 1. COVERSTORY A primer in software security testing Software security is a hot topic. Users are differs from functional testing as it concen- trates on finding things that shouldn't occur, losing their trust in software, especially when but do! [1] Some aspects of security testing need their machines are foreign beasts requiring advanced bit-twiddling skills, however there's plenty of scope for finding and pre- continuous updates from multiple sources. venting most security bugs without technical skills. For instance threat-model- ling finds about 50% of security bugs according to Microsoft's Michael Howard [2] and it can be performed without technical skills. Threat-modelling can, and should, be performed early in the software development life cycle (SDLC), which helps us to prevent, or mitigate against, security bugs being created in the code. Security testing as a full SDLC activity Penetration testing [3], while popular and necessary, is only practical once the Julian Harty software has been written and installed. Intended Working Actual of Commercetest Functionality Code Functionality Security testing should start from the beginning of the SDLC, and needs to consider the security requirements for the software and data from inception until after About the author the system has been decommissioned. For Julian is passionate about helping people to instance hard drives have been sold on deliver reliable, fast systems that work. Over the eBay that contained confidential and Functional Security sensitive data. Threat modelling should last 18 years he has managed and maintained Bugs Defects the performance of large-scale international have identified this as a risk and the online systems, and held roles including Reproduced from Security Innovation, with permission company should have had procedures in management of test and development teams. Fig.1 What's different about security testing? place that ensured such data was securely A special area of interest is to help improve As an industry we realise software needs erased before the system was testers' skills. Julian runs Commercetest, to become more secure, but currently few decommissioned. a company he founded in 1999 of us are able to do meaningful security testing. This needs to change, and this Security testing techniques article will help you to get started by pro- So what sort of things can we do to test viding practical advice on security testing. security? There are plenty of useful security testing techniques that help to trap security Why is security testing different / bugs. I will introduce various ones here, and difficult? Figure 2 shows where they fit in the SDLC. Security testing sounds difficult, the preserve of translucent geeks who hack Threat modelling remote computer systems for the perverse Here we create models of the threats that fun of it, and little to do with average folk violate the security constraints of a system who have day jobs. Why do we think it's and use these models to prevent or mitigate hard? Figure 1 shows that security testing against those threats from affecting the PT-magazine 9
  2. 2. COVERSTORY Data mutation Threat modelling may extend into later stages of the SDLC Michael Howard and David LeBlanc provide a great description of data mutation and Threat Modelling '19 attacks' explain how it can be used to attack Code Reviews software. They have identified 25 classes of Penetration Testing Data Mutation mutation, which are grouped into 5 Functional Test Techniques categories, as shown in Figure 3. Shipping/Maintenance Phase Using special characters for SQL Test Phase Injection Development Phase We can test for SQL Injection vulnerabilities Design Phase by using a combination of the special characters identified in the data mutation Concept Design Test Plans Code Complete Complete Complete techniques. SQL is generally used to interrogate database servers: quotes are Security testing techniques through the Software Development Life Cycle (SDLC) used around text values (Cpq), a semi- Based on ideas from Microsoft's Security Development Process colon indicates the end of a command Fig. 2 Security-testing techniques through the SDLC (Cpm), and the -- escape sequence is the start of a comment in the code (Cpm). system. There are several useful modelling manually to see if the flaw is a real Hackers quickly learnt they could modify techniques: vulnerability. Those that are need to be add- and subvert the intended SQL by using a 1. Anti-goals: championed by Axel van ressed, the rest are called false positives combination of these special characters, for Lamsweerde, a professor at Université and effectively reduce the effectiveness of instance to change: Catholique de Louvain in Belgium. The the tool because they distract the reader model is rigorous; the material requires from real problems and take time to SELECT FirstName, LastName, Balance thought; however the ideas and concepts investigate. FROM Account are worth learning and adapting to suit There are both free and commercial code WHERE Login = 'UserLogin' AND your needs [4]. review tools available. For instance, Password = 'UserPassword' 2. Misuse cases: created by Guttorm Sindre offers both RATS and Andreas Opdahl, in 2000, and (free) and CodeAssure (commercial). into: enhanced by Ian Alexander, 2001, these adapt the popular 'use cases' from UML Valid + invalid (Cv) to model attackers. Note that a similar Random (Cr) Null (Cn) model called abuse cases has been Wrong type (Ct) Zero (Cz) around since 1999 [5]. Meta (Cpm) Wrong sign (Cs) Out of bounds (C0) Script (Cps) 3. STRIDE: Microsoft's mnemonic that Escaped (Cpe) helps drive test techniques. A number of HTML (Cph) Replay (Nr) Special references are available including “Writing Contents Quotes (Cpq) characters Secure Code 2nd edition” [6]. Slashes (Cpl) Out-of-sync (No) Code reviews Link (Ol) High Volume Many security bugs can be found by (Nh) Security checking the source code, the process of Data data mutation Contents Name (On) Applies to doing so is called a code review. Code on-the-wire techniques data reviews can be performed by people, Does not software tools, or a combination of both. No access (Oa) exist (Od) The people need solid programming skills Restricted access (Or) Exists (Oe) to be able to understand what the code Size does and to be able to find flaws in that code. Often the reviewers will be Long (Ll) Zero length (Lz) competent (ex-) programmers. Software Short (Ls) tools scan the code quickly and try to identify patterns that indicate possible reproduced from Writing Secure Code 2nd edition, with permission from author flaws. Each flaw can then be checked Fig. 3 Techniques to perturb applications to reveal security vulnerabilities and reliability bugs 10 PT-magazine
  3. 3. COVERSTORY SELECT FirstName, LastName, Balance By limiting the resources for a program the We can also use virtual machine FROM Account program may leak sensitive information, for emulators to expand the number of WHERE Login = '' OR 1=1; -- ' AND example, to a temporary swap file, or systems we can test against, while at the Password = 'UserPassword' otherwise untested, buggy, error handlers same time limiting our attacks to the may be invoked. physical machine we're using. Figure 4 where ' OR 1=1; -- has been entered in the contains four virtual machines on the right: UserLogin input field. The single quote Penetration testing ranging from an unpatched version of closes the immediately preceding open Penetration testing is an established Windows 2000 Server, patched, and later quote, the OR 1=1 is always true which process where software is tested for known versions of Windows Servers, and a Linux means the WHERE clause is true, and the vulnerabilities to find out whether these, or server running the open source Tomcat -- characters comment out the remaining similar vulnerabilities can be exploited. web server. code. This hack subverts the test for a valid Virtual machines are easy to create and username and password and causes the Getting started configure. Once they are ready you can run database to return all the rows from the The best place to start security testing is one or more simultaneously and try to do database table. somewhere we feel safe and secure, where your worst to attack them. At the end of our mistakes will go unobserved and where your attack you can choose whether to Functional testing techniques any damage is limited. Luckily there are a save the attacked, and possibly damaged, Fifteen years ago Boris Beizer wrote in the number of useful free and commercial virtual server, or simply don't save the second edition of 'Software Testing applications that can help us. changes and start again. Techniques' [7] “They [malicious users] are For instance the OWASP web site [11] Popular virtual machines are available out to get you. Some of them are program- offers WebGoat, a pedagogic web site from Microsoft, for example Microsoft mers. They're persistent and systematic. where you can learn how to attack web Virtual PC [12] and from VMware [13]. …. And there are so many of them; so sites in various ways. The site includes There are a number of other commercial many of them and so few of us.” He then graded help that starts by giving you a clue, virtual machine programs available. explains how syntax-testing techniques and ends by giving detailed instructions on For personal security testing I use the help testers to find flaws in the validation how to find vulnerabilities. Experienced workstation versions of the respective logic for input fields, such as those we security testers might not need any help, products, as these are inexpensive and introduced in the SQL attack mentioned while folk new to security testing can sufficient for my testing needs. above. benefit from step-by-step instructions. I hope this brief article has encouraged you Security testers can and should use existing functional testing techniques as part of their security testing. For instance, Boundary Value Analysis (BVA) exercises the boundary between valid and invalid partitions, for example, can I order -5 items from your web site? What happens: do I receive a credit? Common functional techniques are available free from the W2K Server testing standards web site [8]. Manual Attacker 19 attacks W2K Server James Whittaker and Hugh Thompson SP4 produced an excellent and small book Attacks 'How to break software security' [9] that Automated W2K3 Server describes 19 attacks testers can use to Attacker(s) test the security of software. The advice is very practical and you can apply the Linux 9.0 attacks immediately. All 19 attacks are Tomcat Virtual Machines described briefly on their web site [10]. Here is Attack 5 as an example: - Force the application to operate in low memory, disk-space and network availability conditions. Fig. 4 Using virtual machines for security testing PT-magazine 11
  4. 4. COVERSTORY Further reading and references 1. - Why security bugs are different. 2. - Michael Howard's presentation where he mentions 50% of security bugs are found using threat analysis. 3. - explains penetration testing. 4. - Scientific paper on Anti-goals. 5. Material on misuse cases, etc. 6. Writing Secure Code, second edition; Michael Howard and David LeBlanc; 2003 Chapter 19 on security testing is particularly useful, so is the rest of the book! 7. Software Testing Techniques, Second Edition; Boris Beizer; 1990 Still available second-hand and one of the standard references on software testing. 8. - link to a document containing the common functional testing techniques. 9. How to Break Software Security; James Whittaker Herbert H. Thompson, 2004 a great, slim book with practical techniques for attacking software security. 10. - Introduction to the 19 attacks. 11. - great web site with free applications for web-based security testing, experimentation, and useful documents. 12. - Home page for Microsoft's Virtual PC product, includes a 45-day free trial. 13. - Home page for VMware's Workstation product. They offer a 30-day free trial. 14. - very useful whitepapers on SQL Injection and other security issues and domains. 15. - more stimulating whitepapers. to learn more about security testing, here are references that provide more information on the material introduced here Subscribe to Professional Tester Magazine