Zen and the art of Security Testing
•
2 likes•1,608 views
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive. Key Takeaways: -Great places in the user journey to inject security tests - Ways to augment existing test approaches to cover security concerns - Typical security tools that are free, cheap, and easy for software testers
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (17)
Similar to Zen and the art of Security Testing
Similar to Zen and the art of Security Testing (20)
More from TEST Huddle
More from TEST Huddle (20)
Recently uploaded
Recently uploaded (20)
Zen and the art of Security Testing
- 1. Zen and the Art of Security Testing Testing for security issues as a variation on what you already do
- 2. About Cigital UK and US consulting firm specializing in software security. Global leader in helping organizations build security in. Over 20 years of research and successful software security consulting engagements throughout the world. Offers consulting, training, mobile application security. Published in books, white papers, and articles.
- 3. About Me • Consultant 13 years • Software security: code, design, risk • Financial, gaming, retail • Source code, architecture, security testing • (ISC)² European Advisory Council • CISSP and CSSLP exam item author • Author: 2 books + 1 chapter • OWASP Mobile Top Ten contributor • BS and MS in Computer Science • Passionate about software testers as an untapped resource in software security
- 5. The Inspiration Before one studies Zen, mountains are mountains and waters are waters; after a first glimpse into the truth of Zen, mountains are no longer mountains and waters are no longer waters; Photo: © 2009 Abi Skipp, via Flickr
- 6. The Metaphor Before one learns security testing, software is software and test cases are test cases; after a first glimpse into security testing, software is no longer software and test cases are no longer test cases;
- 7. Functional Testing vs. Security Testing Testing against the design/requirements is not enough: Design specification & requirements Actual implementation Missing features (found in functional testing) Potential security vulnerabilities (not found in functional tests) Boundary condition analysis (edge and corner cases) Security testers must think “outside the box”
- 8. Goals • Finding places in the user journey to do security testing • Working that into user stories • Working it into tests • Modifying existing test cases to cover security • Use tools for intercepting and modifying web requests www.eurostarsoftwaretesting.com
- 9. INJECTING SECURITY TESTS INTO USER STORIES the fundamentals www.eurostarsoftwaretesting.com
- 10. Agile User Story As a customer, I want to change my shipping address so that packages will come to my new address
- 12. Security User Stories User Story As a customer, I want to track the shipment of my order so that I know when it will arrive. Security Story As a fraudster, I want to see the details of an order that is not my own so that I can learn another person’s private information. 12
- 13. “Bad Guys” in Security User Stories Bad Guys • Competitor • Misbehaving customer • Hacker • Journalist • Criminal • Vandal • Disgruntled employee Goals • Learn private information • Commit a fraudulent transaction • Damage the company’s brand • Prevent people from doing their job • Sell valuable information
- 14. “Bad Guy” User Stories Acceptance Criterion Given that the user is logged in And the session is valid And the request is for an order that does not belong to the logged-in user, When the user requests details Then display an error message And ensure the user is no longer logged in And log an error to the application log. As a criminal, I want to see the details of an order that is not mine So that I can learn private information of another person
- 15. “Good Guys” in Security User Stories Users • Fraud Analyst • Customer Service Rep • System Operator • Well-behaved user • Manager • Auditor Goals • Verify a transaction • Determine some important information • Report on error conditions • Display the status of something 15
- 16. “Good Guy” User Stories As a security analyst, I want to see a list of sessions with unusal characteristics So that I can identify and terminate bot and fraud sessions As a registered user, I want to receive a notification when a new device is added to my account So that I know how many devices are attached to my account
- 17. Goals of Security User Stories • Identify an important actor (developers, security people, IT people are usually not important) • Identify an action or activity with tangible outputs • An easy tangible output is an error message • Force the business to be engaged by getting them to describe these output • Create test cases that exercise the software that way • Can you make the error message appear? www.eurostarsoftwaretesting.com
- 19. Web Security Testing vs. Network Penetration Testing Penetration Testing • Finds services and open ports • Checks for vulnerable or misconfigured components • Often targets standard software, COTS Web Security Testing • Focuses on what is running over HTTP(S) • System usually contains custom-built code • Requires deeper knowledge of business processes and rules
- 20. The Idea Functional Testers Know the Most! • Test data to exercise this whole flow • Insert security test data at each point o SQL injection o XML o Cross-site scripting (XSS) o JSON o CSV www.eurostarsoftwaretesting.com
- 21. Old Skool: Boundary Value Testing Example Scenario • App allows you to share mobile minutes • 1000 minutes across 3 lines • Inputs are non-negative, integer minute values • Must sum to exactly 1000 • 0 and 1000 are valid Examples Line 1 250 Line 2 250 Line 3 500 Total 1000 Line 1 0 Line 2 1000 Line 3 0 Total 1000 Line 1 1 Line 2 1 Line 3 998 Total 1000 www.eurostarsoftwaretesting.com
- 22. Old Skool: Boundary Value Testing Boundary Values • One more, one less, and boundary value • -1, 0, 1, 999, 1000, 1001 • This is testing 101 A few other interesting ones • MAXINT • MININT Examples Line 1 -1 Line 2 0 Line 3 1 Total err Line 1 999 Line 2 1000 Line 3 1001 Total err Line 1 -1 Line 2 0 Line 3 1001 Total err www.eurostarsoftwaretesting.com
- 23. Equivalence Class Partitioning Sampling from Equivalence Classes • Negative numbers • Aphabetic characters • Character set, encoding variations • Unicode UTF-8 • Unicode UTF-16 • Unicode ISO-8859-1 • Null / missing / empty Examples Line 1 ABCD Line 2 500 Line 3 500 Total err Line 1 完全な失敗 Line 2 başarısızlık Line 3 ﻞﺸﻓ Total err Line 1 Line 2 1 Line 3 998 Total err www.eurostarsoftwaretesting.com
- 24. Security and Equivalence Class Partitioning New Equivalence Classes • SQL Injection 'or 1=1; -‐-‐ ' and 'A'='A'; • Cross-site scripting <script> <img src="http://.../"…> • Other encoding issues • URI encoding • HTTP encoding • Base64 misalignments • Etc. Examples Line 1 ‘ or 1=1’; Line 2 ’ and a=a; -- Line 3 ‘ group by -- Total err Line 1 <script> Line 2 <body onload=> Line 3 <a onmousover> Total err www.eurostarsoftwaretesting.com
- 25. Where do I get these test data? • Cross-site Scripting (XSS) • OWASP Cross Site Scripting Cheat Sheet • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sh eet • http://htmlpurifier.org/live/smoketests/xssAttacks.php • SQL Injection • SQLNinja • SQLMap • Kali Linux (many security tools built in) • HTML, XML, JSON www.eurostarsoftwaretesting.com
- 26. SECURITY TOOLS FOR WEB TESTING www.eurostarsoftwaretesting.com
- 27. Two Important Tools 1.Firebug 2.Burp (don’t forget Selenium) www.eurostarsoftwaretesting.com
- 28. Firebug • Add-on for Firefox (http://getfirebug.com/) • Views the DOM as it really is • Interactively manipulates the DOM • Great things to do: • Undo disabled="true" • Identify XPATH for Selenium www.eurostarsoftwaretesting.com
- 29. Intercepting Traffic • Local proxy acts as man-in- the-middle • HTTPS traffic is decrypted and viewable in plain text in local proxy • Insert data that you can’t put into a field via the browser • See hidden fields, cookies, etc. Even HTTPS traffic can be intercepted: Tester’s Machine Server Tester’s Browser Tester’s Proxy HTTPS Tunnel 1 HTTPS Tunnel 2
- 30. Burp Proxy • Start local proxy and configure interface and port to listen to • If necessary, configure upstream proxy server(s) You can run a local HTTP proxy on your own machine:
- 31. Security Testing Monitor, intercept, and rewrite traffic in your local proxy:
- 33. Bypassing All Client Side Checks • After inputs are checked • Before they’re received by the server Works on Mobile Too Tester’s Machine Server Tester’s Browser Tester’s Proxy Rewrite responses?
- 34. Wrapping Up
- 35. Everyone who has something to do with SOFTWARE has something to do with SOFTWARE SECURITY
- 36. Wrapping Up • User stories let us describe security behaviour • Good Guys • Bad Guys • Error messages • Put security test data into standard functional tests • Get test data ideas from OWASP • Get free tools and try them • Use a proxy to intercept and modify HTTP communication www.eurostarsoftwaretesting.com
- 37. 37 The best time to plant an oak tree was twenty years ago. The next best time is now. —Ancient Proverb Paco Hope, CISSP,CSSLP paco@cigital.com Twitter: @pacohope