Security testing

prepared by Tatiana
Semenchenko
Minsk 2013
Why invest in testing now instead of just responding to an attack after it happens?
Negative impacts of an attack:
Loss of customer confidence
Harm to your brand
Disruption of your online means of revenue collection
Web-site downtime, time lost and expenditure on repairing the damage (reinstalling services, restoring from backups)
Cost of securing web applications against future attacks
Related legal fees and the implications of having had such lax security measures in place
Security testing
Security testing is a process to
determine that an information system
protects data and maintains functionality
as intended.
Purposes of security testing
Finding loopholes that could cause loss of important information or allow an intruder into the system.
Improving the current system and ensuring that it keeps working over a longer time.
Ensuring that people in your organization understand and follow security policies.
Security Concepts
Confidentiality – data is not disclosed to anyone who is not authorized to see it
Authentication – proving who you are (e.g. passwords)
Authorization – permissions: what an authenticated party is allowed to do
Integrity – no unauthorized or unintended changes to data
Availability – the system is usable whenever it is needed
Non-repudiation – a party cannot later deny having sent or received a message
Main definitions:
Threat: "a potential violation of security" (ISO 7498-2)
Impact: the consequences for an organization or environment when an attack is realized or a weakness is present.
Attack: a well-defined set of actions that, if successful, would result in damage to an asset or in undesirable operation.
Vulnerability: a weakness which allows an attacker to reduce a system's information assurance.
Weakness: a type of mistake in software that, in the proper conditions, could contribute to the introduction of vulnerabilities within that software (CWE glossary definition).
National Vulnerability Database (NVD)
CVE (Common Vulnerabilities and Exposures) identifiers
http://nvd.nist.gov/
Vulnerabilities Classification by SDLC Phase
SDLC (Software Development Life Cycle)

Phase of SDLC     | Category of vulnerability       | Example
Design            | Design vulnerabilities          | TCP/IP protocol vulnerabilities
Implementation    | Implementation vulnerabilities  | Buffer overflow
Operation         | Configuration vulnerabilities   | Password shorter than 6 characters
SQL Injection
SQL injection is a code injection technique, mostly known as an attack vector for websites, but it can be used against any application that builds SQL queries from untrusted input.
SQL Injection (continued)
The attacker can log in without knowing the password, by making the query's password check always true or by commenting it out.
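The login bypass the slide refers to, as an added example (this is not code from the original deck): a login routine that concatenates user input into its SQL, beside the parameterized version that closes the hole. The users table, the account names and the passwords are constructed for the demonstration; it uses Python's built-in sqlite3 module so it runs offline.

```python
import sqlite3

# Constructed sample data for the demonstration: two accounts in an
# in-memory SQLite database. Names and passwords are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation, so the user's input is
    parsed as part of the query. Returns the matched username or None."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with a parameterized query: the driver binds the input
    as data, so quotes and comment markers never change the SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs the two classic login-bypass payloads against both versions."""
    conn = make_db()
    return {
        # admin'--     : the comment marker removes the password check entirely
        "vuln_comment": login_vulnerable(conn, "admin'--", ""),
        # ' OR '1'='1  : the tautology makes the WHERE clause true for every row
        "vuln_tautology": login_vulnerable(conn, "nobody", "' OR '1'='1"),
        "safe_comment": login_safe(conn, "admin'--", ""),
        "safe_tautology": login_safe(conn, "nobody", "' OR '1'='1"),
        "safe_legit": login_safe(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The vulnerable function returns a logged-in user for both payloads even though no valid password was supplied; the parameterized function returns None for them and still accepts the genuine credentials. A tester can reuse the two payloads directly against a login form: a successful login with either is the finding.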
Cross Site Scripting
Cross-site scripting (XSS) enables attackers to inject client-side script into Web pages viewed by other users.
Non-Persistent (reflected) XSS Attack
The attack requires the user to visit a specially crafted link supplied by the attacker. When the user visits the link, the crafted code is executed by the user's browser.
Persistent (stored) XSS Attack
The code injected by the attacker is stored on the server (mostly in a database) and served to every user who views the page. The damage caused by a persistent attack is greater than that of a non-persistent one, because no victim has to click a link.
Example 1 of XSS (the slide says "CSS", an older abbreviation for cross-site scripting)
Page as intended:
<html>
<body>
<h1>New Job Posting</h1>
<h2>Job Description</h2>
<hr/>
Secure Web Developer Needed
</body>
</html>
--------------------------------------------
The same page after an attacker's posting text was inserted without escaping:
<html>
<body>
<h1>New Job Posting</h1>
<h2>Job Description</h2>
<hr/>
Secure Web Developer Needed
<script>/*something evil*/</script>
</body>
</html>
Example 2 of XSS
A proof-of-concept payload used by testers: <script>alert()</script>
A real payload could overlay the login screen with the attacker's own form, allowing the attacker to harvest usernames and passwords.
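Both XSS variants from the slides, as an added example (not code from the original deck): the job-posting page is rebuilt as a template whose description comes from user input, rendered once without escaping and once with html.escape. The reflected case echoes a link parameter straight back; the stored case keeps postings in a list standing in for the database. The template, the PostingStore class and the payload are constructed for the example.

```python
import html

# The job-posting page from the slide, as a template whose description
# comes from user input (constructed for this example).
PAGE_TEMPLATE = (
    "<html><body>\n"
    "<h1>New Job Posting</h1>\n<h2>Job Description</h2>\n<hr/>\n"
    "{description}\n"
    "</body></html>"
)

# Attacker-supplied description (constructed payload).
PAYLOAD = "Secure Web Developer Needed<script>/*something evil*/</script>"


def render_vulnerable(description):
    """Inserts the text verbatim: markup in the input becomes markup in the page."""
    return PAGE_TEMPLATE.format(description=description)


def render_safe(description):
    """HTML-escapes the text so the browser shows '<script>' as characters
    instead of executing it. This is right for element content only:
    attribute values, URLs and script blocks each need their own encoding."""
    return PAGE_TEMPLATE.format(description=html.escape(description, quote=True))


def reflected_xss(link_parameter, safe):
    """Non-persistent XSS: the payload arrives in the link the victim clicks
    and is echoed back into that single response."""
    renderer = render_safe if safe else render_vulnerable
    return renderer(link_parameter)


class PostingStore:
    """Persistent XSS: the payload is saved once and served to every viewer."""

    def __init__(self, safe):
        self.safe = safe
        self.postings = []          # stands in for the database table

    def submit(self, description):
        self.postings.append(description)

    def render_all(self):
        renderer = render_safe if self.safe else render_vulnerable
        return [renderer(p) for p in self.postings]


def executes_script(page):
    """Crude tester's check: an unescaped <script> tag reached the page."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print(executes_script(reflected_xss(PAYLOAD, safe=False)))   # True
    print(executes_script(reflected_xss(PAYLOAD, safe=True)))    # False
```

In the vulnerable store a single malicious submission poisons every later page view, which is why the slide rates the persistent variant as more damaging; the escaped render shows the payload as literal text (`&lt;script&gt;`) to all viewers.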
Social Engineering
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information.

Phishing is a social engineering technique for fraudulently obtaining private information.

What to look for in a phishing email
Generic greeting ("Dear Customer")
Forged link (the visible link text does not match the real destination, or the link is plain http instead of https)
Requests for personal information
Sense of urgency
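The four indicators above, turned into a small checker as an added example (not code from the original deck): it strips the HTML, looks for the greeting, the request for credentials and the urgency wording, and compares the host shown in each link's text with the host in its href. Both sample messages are constructed for the example and use the reserved .test top-level domain; the keyword lists are assumptions and would be tuned for a real mail stream.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real emails); domains use the reserved .test TLD.
PHISHING_SAMPLE = """<p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify your
password and card number now.</p>
<p><a href="http://login.example-bank.test.evil.test/verify">https://www.example-bank.test/login</a></p>"""

BENIGN_SAMPLE = """<p>Hi Alice,</p>
<p>Your monthly statement is ready.</p>
<p><a href="https://www.example-bank.test/statements">https://www.example-bank.test/statements</a></p>"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Host the reader thinks the link goes to, if the visible text looks like a URL."""
    if re.match(r"https?://", text):
        return urlparse(text).hostname
    if re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        return text.split("/")[0].lower()
    return None


def phishing_indicators(message_html):
    """Returns the set of slide indicators found in an HTML email body."""
    found = set()
    text = re.sub(r"<[^>]+>", " ", message_html)     # tags out, text stays
    lower = text.lower()
    if re.search(r"\bdear (valued )?(customer|user|member|sir|madam)\b", lower):
        found.add("generic greeting")
    if re.search(r"\b(password|card number|pin|social security)\b", lower):
        found.add("requests personal information")
    if re.search(r"\b(immediately|urgent|within \d+ hours|suspended|expire)", lower):
        found.add("sense of urgency")
    parser = LinkExtractor()
    parser.feed(message_html)
    for href, visible in parser.links:
        real = urlparse(href)
        if real.scheme == "http":
            found.add("plain http link")
        shown = displayed_host(visible)
        if shown and real.hostname and shown != real.hostname.lower():
            found.add("forged link")
    return found


if __name__ == "__main__":
    print(sorted(phishing_indicators(PHISHING_SAMPLE)))
    print(sorted(phishing_indicators(BENIGN_SAMPLE)))
```

The link comparison is the one check that does not depend on wording: a message whose visible URL names one host while the href points at another is forged regardless of how polite the text is.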
Vulnerabilities 2011-2012
Specific vulnerabilities for websites on different programming languages, 2011-2012
(percentages as given on the slide; "-" means no figure was given for that platform)

Vulnerability class            PHP     ASP.NET   Java
Cross-Site Request Forgery     73 %    35 %      35 %
SQL Injection                  61 %    22 %      -
Cross-Site Scripting           43 %    39 %      -
Insufficient Anti-Automation   42 %    35 %      -
Path Traversal                 42 %    -
Application Misconfiguration   -       17 %      29 %
Insufficient Authorization     -       -         41 %
Insufficient Authentication    -       -         29 %
OS Commanding                  -       -         29 %
Security testing cycle
Risk assessment - creating a threat model
Security auditing - using the threat model to probe the system design
Vulnerability scanning - using software to probe the system implementation
Penetration testing - trying to hack into the system, either externally or internally
Operational testing - some or all of the above after the system is in production
Vulnerability scanning
Network scanning software identifies weak networking device settings (e.g. vulnerable ports left open, default passwords).
Web application scanning software identifies weak web application settings, missing patches for known web application vulnerabilities, etc.
Database scanning software identifies similar weaknesses in database management systems and database applications.
One list of scanning software and vendors can be found at:
http://www.timberlinetechnologies.com/products/vulnerability.html
Penetration testing
Network: outside (Internet) / inside (intranet)
Information given to the tester: black-box / white-box
Information given to staff: announced / unannounced test (the slide labels these "Black Hat / White Hat"; those terms normally describe the attacker's intent rather than whether staff is warned)
Special software: programs that exploit discovered vulnerabilities, so-called "exploits".
Metasploit Framework is a widely used open-source exploitation product.
http://www.metasploit.com/
Fuzzing
Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program.

It can also be used to generate candidate inputs for code-injection tests.
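A minimal fuzzer in the sense of the definition above, as an added example (not code from the original deck). The target is a hypothetical query-string handler constructed for the example, with a planted bug: it converts page and limit with int() before validating them, so input such as page=1' escapes as an unhandled ValueError rather than the handler's own clean rejection. The fuzzer first inserts every injection-style token at every position of the seed (deterministic), then applies random mutations, and reports any exception that is not the handler's deliberate BadRequest. The hardened handler beside it validates the shape of each value before converting, and the same fuzzer finds nothing.

```python
import random
import re


class BadRequest(Exception):
    """The target's own, deliberate rejection of bad input (an HTTP 400)."""


def parse_listing_request(raw):
    """Hypothetical handler with a planted bug: int() runs before validation,
    so non-numeric input surfaces as an unhandled ValueError."""
    params = {}
    for pair in raw.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    page = int(params.get("page", "1"))
    limit = int(params.get("limit", "20"))
    if not 1 <= limit <= 100:
        raise BadRequest("limit out of range")
    return page, limit


def parse_listing_request_hardened(raw):
    """Same handler after the fix: validate the shape first, then convert."""
    params = {}
    for pair in raw.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value

    def positive_int(name, default, upper):
        value = params.get(name, default)
        if not re.fullmatch(r"[0-9]{1,9}", value):      # ASCII digits only
            raise BadRequest(f"{name} must be a positive integer")
        number = int(value)
        if not 1 <= number <= upper:
            raise BadRequest(f"{name} out of range")
        return number

    return positive_int("page", "1", 10**6), positive_int("limit", "20", 100)


# Dictionary of injection-style tokens (the "data for code injections" the slide mentions).
INJECTION_TOKENS = ["'", '"', "' OR '1'='1", "--", ";", "<script>", "../", "%00", "\x00", "A" * 256]


def mutate(seed, rng):
    """One random mutation of the seed: token insert, bit flip, delete or duplicate."""
    chars = list(seed)
    op = rng.choice(["insert_token", "flip_bit", "delete", "duplicate"])
    if op == "insert_token":
        pos = rng.randint(0, len(chars))
        chars[pos:pos] = rng.choice(INJECTION_TOKENS)
    elif op == "flip_bit" and chars:
        pos = rng.randrange(len(chars))
        chars[pos] = chr(ord(chars[pos]) ^ (1 << rng.randrange(8)))
    elif op == "delete" and chars:
        del chars[rng.randrange(len(chars))]
    elif op == "duplicate":
        chars = chars * 2
    return "".join(chars)


def fuzz(target, seed, rounds=300, rng_seed=1):
    """Feeds dictionary and random mutations of seed to target; returns
    {exception type name: first triggering input} for every crash that is
    not the target's own BadRequest rejection."""
    rng = random.Random(rng_seed)
    # Phase 1 is deterministic: every token at every position of the seed.
    cases = [seed[:i] + token + seed[i:]
             for token in INJECTION_TOKENS for i in range(len(seed) + 1)]
    # Phase 2 adds random mutations.
    cases += [mutate(seed, rng) for _ in range(rounds)]
    findings = {}
    for case in cases:
        try:
            target(case)
        except BadRequest:
            continue                      # clean rejection: not a bug
        except Exception as exc:          # anything else is a finding
            findings.setdefault(type(exc).__name__, case)
    return findings


def rejects_cleanly(target, raw):
    """True if target turns raw into its own BadRequest and nothing else."""
    try:
        target(raw)
    except BadRequest:
        return True
    except Exception:
        return False
    return False


if __name__ == "__main__":
    seed = "page=1&limit=20"
    print("buggy handler:   ", fuzz(parse_listing_request, seed))
    print("hardened handler:", fuzz(parse_listing_request_hardened, seed))
```

The distinction between the handler's own rejection and everything else is what makes the fuzzer useful: an input that is refused with a clean error is expected, while an input that escapes as a stack trace is exactly the kind of error message item 18 of the checklist below warns about, and often the first sign of an injection point.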
‘Security Test Plan’
A security evaluation should be performed for the software.
Security requirements should be established for the software development and/or operations and maintenance (O&M) processes.
Each software review or audit should include an evaluation of the security requirements.
A configuration management and corrective action process should be in place to provide security for the existing software.
Proposed changes should not inadvertently create security violations or vulnerabilities.
Physical security for the software should be adequate.
Check List for Security testing
1. Try to access a bookmarked web page directly without logging in to the system.
2. Verify that the system refuses to serve file downloads to a user who has not signed in.
3. Verify that pages accessed before logout are no longer accessible afterwards: sign out, then press the Back button and try to use a page accessed earlier.
4. Check valid and invalid passwords against the password rules, e.g. not shorter than 6 characters, user id and password not identical.
5. Verify that sensitive information (passwords, ID numbers, credit card numbers, etc.) is not displayed in the input box while being typed: it should be masked with asterisks, and it should never be transmitted or stored in clear text.
6. Check whether bookmarking is disabled on secure pages. Since a site cannot control the browser's bookmark button, the check that matters is that a bookmarked secure URL does not work without a valid session.
7. Check whether right-click / View Source is disabled. Note that this only inconveniences the user: everything sent to the browser is visible to it, so page source must not contain secrets.
8. Is there an alternative way to access secure pages for browsers under version 3.0, which do not support SSL? (Historical item: a browser without SSL/TLS support should not be offered an unencrypted path to secure pages.)
9. Check whether your server locks out an account that has tried to access your site repeatedly with invalid login/password information.
10. Verify the timeout condition: after the timeout the user should not be able to navigate through the site.
11. Check that you are prevented from reaching data or running searches directly by editing parameters in the URL.
12. Verify that relevant information is written to the log files and that the information is traceable.
13. For SSL, verify that encryption is configured correctly and check the integrity of the transmitted information.
14. Verify that restricted pages are not accessible after the session times out.
15. ID/password authentication: the same account cannot be logged on from different machines at the same time, i.e. at any time only one session per user id is allowed.
16. ID/password authentication: enter the wrong password several times and check whether the account gets locked.
17. Add or modify important information (passwords, ID numbers, credit card numbers, etc.) and check whether the change is reflected immediately or whether old values are still served from a cache.
18. Verify that error messages do not contain information (stack traces, database errors, internal paths) that an attacker could use against the web site.
http://tfortesting.wordpress.com/category/scecurity-testing/
Security testing
Security testing
is a process to determine that an information system
protects data and maintains functionality as intended.

Main security concepts:
Confidentiality
Integrity
Availability

Main security testing methods:
Vulnerability scanning
Penetration testing
Links:
1. http://www.securitylab.ru/blog/personal/evteev/30927.php
2. http://www.fiddlerontheroot.com/why-its-important
3. http://en.wikipedia.org/wiki/Software_security_assurance
4. http://www.phishtank.com/what_is_phishing.php
5. http://www.youtube.com/watch?v=1eQd7GCOpp4
6. http://www.altoros.com/security_and_load_testing.html
7. http://cwe.mitre.org/documents/glossary/index.html#Weakness