  • Factors influencing security: 1. End user satisfaction; 2. Financial impact in the event of a breach; 3. Business reputation; 4. Compliance and regulatory requirements; 5. Insider threats
  • 6 to 8 seconds for dynamic sites.
  • Application security drivers: 1. Adoption of the Internet for business and e-commerce activities; 2. Advent of new technologies such as AJAX and SOA; 3. Skill set of development and operations teams; 4. Outsourcing, software is no longer built in-house; 5. Diversity in application types; 6. Usage of ready-made application frameworks
  • Confidential
  • STEVE ORRIN: All of this should lead you to demand better application security. But, if you still need more facts, let's review some more data points: Web application attacks are now more frequent. In Q1 2002, Sanctum found serious security defects in applications in 100% of the commercial sites we audited; The attacks are more expensive to recover from. Costs to patch are high, and the cost of a lost reputation is impossible to quantify. The attacks are more pervasive. A F50 Sanctum customer found serious security defects in over 700 of its deployed applications. Finally, the attacks are growing more dangerous, and they usually go undetected. When we look closer at what was actually able to be manipulated on the sites we audited, it is quite scary. In 31% of the sites, full control and access was achieved. In 25% of the sites, privacy was breached, and in 3% of the sites, the entire site was able to be deleted. These are serious problems. Next slide
  • Security should be a process implemented throughout the software development life cycle: 1. A risk profile to determine the risk an application poses to the organization; 2. Specific security requirements defined for use throughout the project; 3. A security design review; 4. A security code review; 5. A proper security test plan; 6. A penetration test
  • Performance

    1. Performance & Security Testing – Critical today in the Indian Testing Industry
    2. Agenda
       • Performance - Issues & Costs
       • Leveraging Performance Management
       • What AppLabs Offers
    3. Performance - Issues & Costs
    4. Corporate Performance
       • Corporate performance is about effort spent vs. value generated
       • Performance services are about optimizing effort and maximizing value
       • Performance concerns are about technology, business and users
       • Performance is propelled by stability, scalability and speed
       • Bottom line: performance management is central to corporate performance
    5. Factors influencing Security
    6. Should Performance be an Issue?
       • Performance failures reduce revenues: dipping sales, diminishing subscriptions, dipping advertisement revenues
       • Performance failures increase expenses: direct costs of fixing errors, compensatory claims, outsourcing costs
       • Squeezing ROI: anything that adversely impacts ROI is an issue – performance is an issue
    7. Performance Failure Risks (each performance issue is rated on resolution time, cost implications and influence on the end user as high, very high or extremely high)
       • Infrastructure/bandwidth bottlenecks
       • Crashes & breaches
       • High response time
       • Under/over utilization of resources
       • Downtimes
       • Post-production problem resolution
    8. Security Failure Risks (each security issue is rated on resolution time, cost implications and influence on the end user as high, very high or extremely high)
       • Information loss or theft
       • Breaches
       • Unauthorized access
       • Compliance
       • Downtimes
       • Post-production problem resolution
    9. Performance failures – How real are the risks?
    10. Case of a Public Sector Agency
       • The Identity and Passport Service (IPS), a UK government agency, went live with its electronic passport application system (EPA2)
       • Problem: performance issues jammed the system, building up application backlogs
       • Reason: low weightage placed on system performance while going live
       • Costs:
         - IPS had written off £5.5m of software development costs
         - Outsourcing service costs shot up from £48.9m in 2005-06 to £86.6m in 2006-07
       • Post-debacle measures: IPS is doubling the time for User Acceptance Testing
       Source: Computerworld
    11. Case of an ISV
       • The Independent Software Vendor (ISV) deployed an application to support end-user technology for a telecommunications service provider
       • Problem: server crashes, service request refusals, connection drops and slow response of the application during peak hours
       • Reasons: low weightage placed on system performance while going live, improper server configuration, underutilized server resources
       • Costs:
         - Business implications – loss of sales, subscriptions and revenues
         - Outsourcing service costs for performance testing
       • Post-debacle measures: performance testing was outsourced
         - Root-cause analysis to address connection drop issues
         - Resolution of the server-level performance of the application
         - Monitoring of CPU, memory, network and database performance
    12. User’s View on Response Times
       Response time                     User’s view
       < 1 second                        User feels that the system is reacting instantaneously
       < 2 seconds                       User experiences a slight delay but is still focused on the website
       < 5 to 6 seconds (static sites)   Maximum time a user focuses on a web site; reaches the distract zone
       < 6 to 8 seconds (dynamic sites)  Maximum time a user focuses on a web site; reaches the distract zone
       > 10 seconds                      User is most likely to be distracted from the website and loses interest
    13. Security Risks – Common security risks in web applications
       • Privilege escalation
         - Successfully exploiting this vulnerability could result in an agent obtaining access to another agent’s customers’ details
       • Authentication
         - Attackers can access the application by guessing or brute force if there is no proper authentication management built in
         - SSO (Single Sign-On) applications pose high risks
       • Injection flaws
         - Each form used by the application may or may not be validated for expected input
         - Improper input validation can result in attacks: Cross Site Scripting, SQL injection, HTTP response splitting and Cross Site Request Forgery
       • Obsolete/unnecessary services
         - Can be exploited easily
       • Configuration management
         - Needs to be reviewed to ensure that there is no risk
    14. What Impedes Performance Management
       • Perception that a powerful processor can resolve client-server performance issues
       • Absence of a scientific approach - no real-time metrics to measure performance
       • Performance testing is still an outsider in the SDLC and is always a last-minute activity
       • Managing performance testing with inferior tools and a lack of resource allocation
       • Apathy towards training manpower to manage performance testing
       • Lack of exposure to best-of-breed services
       Lack of a holistic view of Performance Management
    15. What Impedes Security Management
       • Perception that the network is safe with sufficient controls like firewall, antivirus, antispam, IDS/IPS
       • Absence of a scientific approach - no real-time metrics to measure security
       • Security testing is still an outsider in the SDLC and is always a last-minute activity
       • Managing security testing with inferior tools and a lack of resource allocation
       • Apathy towards training manpower to manage security testing
       • Lack of exposure to best-of-breed services
       Lack of a holistic view of Security Management
    16. Why Security testing?
       • Web application vulnerabilities should be identified, assessed and addressed as part of the overall Enterprise Risk Assessment Program
       • Expenditure on recovery and fixes – in addition to making an enterprise non-compliant, security issues cost a bomb, which includes data recovery, fixes and legal issues.
       • Regulatory and legal issues - enterprises face enormous challenges trying to comply with a wide variety of regulatory issues. Security breaches will potentially put an enterprise in a never-ending legal battle.
       • Significantly reduce risks of information leakage and loss.
       • Enhanced ROI in the long run.
       • Avoid network downtime costs.
       • Supports and complements security policy
       • Aids in taking proactive protection measures
       • Avoid erosion of corporate goodwill and customer loyalty.
       • Gain an edge over competition.
       • Make upper management “security aware”.
    17. Drivers for Performance Management
       • Business Drivers
         - Rising usage of the internet
         - Business growth increasing in relatively shorter periods of time
         - Explosion of E-Business applications across industries: stock trading, insurance services, ticket reservations, retail purchases
         - Unexpected spikes in load
         - Better performance for better ROI
       • Technology Drivers
         - Complexity of Internet applications
         - Scalability of applications
         - Cross-platform compatibility issues
         - Globalization of applications
         - SOA-based implementations
       Industry is now proactive about Performance Management in IT – driving forces for Performance Management
    18. Application Security Drivers
       • Internet emergence
       • Evolution of new technologies
       • Use of frameworks
       • Diversity in application types
       • Outsourcing
       • Skill set
    19. Drivers for the Indian Market
       • Active internet users in India have reached 32 million and are growing at 35-40%
       • PC-based internet access and mobile-based internet access are driving the growth of the E-Commerce industry
       • Online payment systems are getting safer, leading online shopping from smaller cities to rise
       • Web-based software systems are getting popular and pervasive across verticals
       • Online sales peak during the festive seasons and occasions like Valentine’s Day, New Year, Friendship Day etc. Younger generations prefer buying and sending gifts online
       Exponential growth in E-Commerce makes performance management a key winning factor
       Source: Internet and Mobile Association of India (IAMAI)
    20. Indian E-Commerce Market
       • Digital Downloads
         - Rise in mobile subscribers & digital downloads
         - New download facilities - ring tones, games, music etc.
       • Travel industry
         - Increase in the number of travelers & travels per traveler
         - Annual growth in the number of travelers is expected to increase five-fold, from 300,000 to 1.5 million
       • eTailing
         - Expected to rise by 30%
         - Physical cost elimination is giving buyers & sellers the best deals
         - Competition is forcing down the value of online products while the number of online transactions is continuously rising
       • Online Classifieds
         - Users have access to large databases
         - Rise in sales of exclusive videos, research data, reports
       Indian B2C E-Commerce industry 2007-2008 (estimate) - INR 9210 cr.; Indian B2C E-Commerce industry is expected to grow at 30%
       Source: Internet and Mobile Association of India (IAMAI)
    21. Industry Trends & Facts
       Key survey findings (Source: CSI Survey 2007; The 12th Annual Computer Crime and Security Survey):
       • The average annual loss reported in 2007 shot up to $350,424 from $168,000 the previous year (2006).
       • 18% of the respondents suffered a “targeted attack”, defined as a malware attack aimed exclusively at their organization
       • Financial fraud overtook virus attacks as the source of the greatest financial losses.
       • Virus attacks moved to second place: the first time in the last seven years
    22. Security Attacks – Industry Data
       Financial fraud has overtaken viruses – this has happened for the first time
    23. Security Breaches – Industry Data
       Financial services, though certainly keepers of great monetary assets, are also typically well protected in comparison to other industries; they account for 14 percent of breaches. The type of asset compromised most frequently is without doubt online data. Compromises of online data repositories were seen in more cases than all other asset classes combined, by a ratio of nearly five to one.
    24. Why Application Security Defects Matter
       • Frequent
         - 3 out of 4 business websites are vulnerable to attack (Gartner)
       • Pervasive
         - 75% of hacks occur at the application level (Gartner)
       • Undetected
         - QA testing tools are not designed to detect security defects in applications
         - Manual patching - reactive, never ending, time consuming and expensive
       • Dangerous
         - When exploited, security defects destroy company value and customer trust
    25. Impact of Security Defects
       • Bad Business
         - On average, there are 5 to 15 defects in every 1,000 lines of code (US Dept. of Defense and the Software Engineering Institute)
       • Slow Business
         - It takes 75 minutes on average to track down one defect. Fixing one of these defects takes 2 to 9 hours each (5 Year Pentagon Study)
         - Researching each of the 4,200 vulnerabilities published by CERT last year for 10 minutes would have required 1 staffer to research for 17.5 full workweeks or 700 hours (Intel White paper, CERT, ICSA Labs)
       • Loss of Business
         - A company with 1,000 servers can spend $300,000 to test & deploy a patch; most companies deploy several patches a week (Gartner Group)
    26. Industry Views
       • Gartner predictions
         - SOA implementation to increase application failure due to unplanned downtimes to 60% by 2010
         - SOA applications require performance management for end-to-end performance and capacity planning for demand fluctuations
       • Forrester views
         - It costs less to correct capacity and performance issues before deployment
         - A production-like environment for performance testing is critical to address the threat to the production environment
       • Aberdeen best-in-class performance criteria include
         - Reduced time-to-information and time-to-decision/action
         - Customer satisfaction relating to speed, accuracy, data access and availability for end users
         - Customer retention
       • Testing Market
         - Global software testing market is $13 billion (IDC)
         - Outsourced testing services market is approximately $6.1 billion (Dataquest)
         - Global market opportunity for Indian software testing companies to reach $8 billion by 2010 (Gartner)
         - The requirement for software testing professionals in India is estimated to reach 2 lakh by 2010 (CIOL)
    27. Leveraging Performance Management
    28. Performance is Integral for Quality
       • Correctness: product meets specifications and fulfills the user’s objectives
       • Reliability: product performs its intended function with the required precision
       • Efficiency: product performs with optimum use of resources
       • Integrity: product has access to the required software or data
       • Maintainability: errors in an operational program can be located and fixed
       • Testability: product performs its intended function for the intended number of users
       • Interoperability: product couples well with other system(s)
       Performance management ensures a quality product
    29. When to start Security Testing
       Security should be a process implemented throughout the software development life cycle
    30. Application Readiness for Security Testing
       • Targeted features implemented
       • Functionality testing is complete
       • Environment replicates production
       • Hardening is complete
    31. When to Start Performance Testing
       • Timely performance testing reduces the cost and effort
       Stages (plotted against cost/effort and benefits): Pre-production Stage, Test-Driven Approach, Post-Production Monitoring
       • Scalability issues of the core system
       • Optimization of code & configurations
       • Hardware sizing & benchmark for target loads
       • Infrastructure/network/hardware level changes
       • Improvement in response times
       • Peace of mind
       • Further optimization of code & configurations
       • Application level bottlenecks
       • Configuration changes
       Benefits increase as performance testing spreads across the stages
    32. Moving Ahead with Performance
       • Product functionality will soon be a worn-out strategy for differentiation
       • Performance cannot be ensured in isolation
       • Performance will be the buzzword for gaining a competitive edge
       • Resolving enterprise-level performance issues demands clear communication within IT groups – managers, developers, testers, operations team, database administrators and network administrators
       • Communication should be on test agendas; performance data, performance results and application upgrades become critical
       • Performance management optimizes resources
       • Automation aids in faster problem identification and resolution
       • Tight IT budgets may not warrant new hardware purchases
       • Performance cannot be taken as a final step in the SDLC
       • Performance criteria will be part of design principles even prior to development
       • Scalability testing should cover each component and every application layer before final integration
    33. Moving Ahead with Performance
       • Thinking ahead helps
       • End-user experience is not all
       • Faster response time is essential but there’s more to it
       • Know your historic traffic numbers and stress the application at 3-4 times that load / the future expected load
       • Stress test for peak loads – new product launch, promotional offers, seasonal offers etc.
       • Checking further into the system for critical performance bottlenecks may avoid server crashes only a few days after production
       • Data integrity is a must. Delivering irrelevant/erroneous data is more damaging than slow response times
       • In an agile test approach where testing moves into the SDLC, changes become timely and affordable
       • Economize testing, especially scalability, by sharing test resources
       • It is about time and cost
    34. Third-Party Solution Providers
       • Better equipped with the hardware and software resources required for peak load testing
       • Interpreting performance data is not easy, nor is the prescription of solutions for the same
       • Testing can be done remotely at low cost
       • Have the expertise to test from an internationalization perspective, as companies need to provide global access to their web applications
       • Load generation from across the globe
       • Risk reduction by simulating concurrent internet users as realistically as possible
       • External solution providers complement the internal performance management effectively
       The question is not whether performance is tested, but how well it is being done.
    35. AppLabs Performance Services
    36. AppLabs Offerings
       • Technology Expertise
         - Databases: Oracle, SQL Server, Sybase, PostgreSQL
         - OS: Solaris, OS/400, AIX, Linux, NT, Windows, HP VMS, HP Unix, MVS
         - Operations Support: BEA WebLogic, IBM WebSphere, IIS, Apache Tomcat, iPlanet
         - J2EE, .NET technologies
         - Web, client-server
         - Streaming media
         - Hardware devices
         - Wireless apps
       • Performance Testing Tools Expertise
         - AppMeter (AppLabs)
         - WebLoad (RadView)
         - LoadRunner (HP/Mercury)
         - Silk Performer (Borland)
         - QALoad (Compuware)
       • Testing Expertise – AppLabs CoE
         - Core testing
         - Performance
         - Security
         - Tools & Automation
         - Consulting
    37. Case Study – Retail
       • Business Challenge
         - To ascertain the impact of a security breach on their application, Pantaloon engaged AppLabs to carry out Web Application Penetration Testing on the servers exposed to the Internet.
       • Solution
         - Comprehensive application security checks were conducted to establish the application’s susceptibility to hack attacks.
         - This phase complied with Open Web Application Security Project standards and covered vulnerabilities identified through research by AppLabs’ Security Center of Excellence.
         - These tests were run using a combination of automated and manual test tools.
         - The engagement concluded with the delivery of a comprehensive assessment report with severity ratings for the vulnerabilities, alongside detailed descriptions and recommendations on how to address them.
    38. Case Study – Retail
       • Key Benefits
         - The intense level of security testing performed aided the client in maintaining the integrity and confidentiality of sensitive information;
         - The test results supported the client in understanding business and technical risks to help fortify the security policy;
         - In working with an independent testing organization, the client’s customers would be more confident that the web site is secure and online transactions are safe – providing it with a differentiator in the market;
         - Implementation of the prioritized action plan, which detailed the timelines to fix vulnerabilities of each severity level, has enhanced the overall security posture of the application.
    39. Case study – Financial Services
       • Client: leading service provider for financial services, which has launched a trading application
       • Business challenge:
         - Testing the trading application for stability with a load of 10,000 concurrent users
         - Ensure the site responds to all users with minimal response time and optimal server utilization
       • Solution:
         - Tested for receiving ticker responses from ticker plant servers
         - Constructed scripts using an ideal mix of loads
         - Highlighted under-configuration
         - Identified uneven resource utilization across web servers
         - Identified load balancer issues - load was not split across the servers, leading to high response times at 5,000 user load
         - Ensured scalability of the application for 10,000 concurrent users
       • Benefits:
         - Load balancer issues resolved by ideal server sizing for 10,000 users
         - Resolved server (IIS & SQL) related scalability and sustainability issues
         - Benchmark results for “orders per second” achievable for 10,000 concurrent users were provided
    40. Case study – Consumer Product
       • Client: India's largest consumer products company, migrating its consumer products warehousing management (MFG PRO) to SAP
       • Business challenge:
         - Check whether the hardware capacity can sustain the load of 60 depot configurations, up from the existing 2 depots
         - Identify the scalability of the server capacity for the SAP database and application servers for 60 depots
       • Solution:
         - Monitored the SAP implementation - server setup for performance; capacity utilization for the current loads (existing 2 warehouses)
         - Developed a formula based on the number of users from each depot, connection speed from VSAT to dial-up, and load generated from the existing depots in terms of throughput and overhead
         - Provided the formula for projected utilization in case of adding 58 more depots
       • Benefits:
         - Hardware resizing for the SAP implementation roll-out in 60 warehouses
         - Capacity formula & capacity report based on the analysis of the current implementation
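Slide 13 lists privilege escalation (one agent reading another agent's customers), injection flaws from unvalidated form input, and Cross Site Scripting as the common web application risks. The following Python example is added here to show those risks side by side with their mitigations; it is not code from the AppLabs deck or from any client engagement described in it. The agent/customer table, its rows and every function name are constructed for illustration, and the lookup simulates the kind of "show me customer N" request a form would send.

```python
import html
import sqlite3

# Constructed sample data for this example (not from the deck): two agents,
# each owning customer records; one record carries hostile stored content.
SCHEMA = """
CREATE TABLE customers (
    id       INTEGER PRIMARY KEY,
    agent_id INTEGER NOT NULL,
    name     TEXT    NOT NULL,
    notes    TEXT    NOT NULL
);
"""
ROWS = [
    (1, 100, "Asha", "prefers email"),
    (2, 100, "Ravi", "VIP account"),
    (3, 200, "Meera", "<script>alert(1)</script>"),  # stored by agent 200
]


def open_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", ROWS)
    return conn


def get_customer_vulnerable(conn, customer_id):
    """Injection flaw plus privilege escalation: the id from the form is pasted
    into the SQL text unvalidated, and nothing ties the lookup to the agent."""
    query = "SELECT id, agent_id, name, notes FROM customers WHERE id = " + str(customer_id)
    return conn.execute(query).fetchall()


def get_customer_hardened(conn, agent_id, customer_id):
    """Validate the input, bind it as a parameter, and enforce ownership inside
    the query so an agent can only ever read its own customers."""
    try:
        cid = int(customer_id)
    except (TypeError, ValueError):
        raise ValueError("customer_id must be an integer")
    if cid <= 0:
        raise ValueError("customer_id must be positive")
    row = conn.execute(
        "SELECT id, agent_id, name, notes FROM customers WHERE id = ? AND agent_id = ?",
        (cid, agent_id),
    ).fetchone()
    if row is None:
        # Same response for "does not exist" and "belongs to another agent",
        # so the lookup does not reveal which customer ids are in use.
        raise PermissionError("no such customer for this agent")
    return row


def render_notes(notes):
    """Escape stored text before placing it in an HTML page, so content such as
    the notes on row 3 cannot run as script in another agent's browser."""
    return html.escape(notes)


def lookup_vulnerable(customer_id):
    """Run the vulnerable lookup against a fresh database and return all rows."""
    return get_customer_vulnerable(open_db(), customer_id)


def lookup_hardened(agent_id, customer_id):
    """Run the hardened lookup; return the row, or the exception class name."""
    try:
        return get_customer_hardened(open_db(), agent_id, customer_id)
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # A malformed id makes the vulnerable lookup return every agent's customers...
    print(lookup_vulnerable("1 OR 1=1"))
    # ...while the hardened lookup rejects it and scopes honest requests to the agent.
    print(lookup_hardened(100, "1 OR 1=1"))
    print(lookup_hardened(100, 1))
    print(lookup_hardened(100, 3))
    print(render_notes(ROWS[2][3]))
```

The hardened version applies the slide's advice in three layers: the form value is validated against the expected type before it reaches the database, the query uses bound parameters rather than string building, and the ownership predicate makes the authorisation decision part of the query itself rather than an afterthought in application code. Escaping at render time covers the stored Cross Site Scripting case for data that another agent controls.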