Tools for Security Testing

Transcription

1 Tools for Security Testing

2 2 Due to cloud and mobile computing, new security breaches occur daily as holes are discovered and exploited. Security Testing Tools-When, What kind and Where Due to cloud and mobile computing, devices, data and their new usage contexts are causing a great concern for security testing as new security breaches occur daily as holes are discovered and exploited. To conduct security testing requires an in-depth understanding in different fields, such as system architecture, communication protocols, encryption and decryption knowledge, etc. Since it is impossible to be an expert in all of these fields, security tools are used to supplement knowledge and save the time. Tools can be used to support testing processes, to identify vulnerabilities, and to gather related information of target sites or applications. There are hundreds of security tools available, commercial or free, for the enterprise level as well as for individual usage. With so many choices, how do you pick out the best tool(s) for your specific objective(s). To do this, we use a structured decision process and consider three aspects when choosing tools for security tests; testing category, testing field and testing process (See Figure 1).

3 3 Figure 1. Process in Choosing Security Tools Testing Category: As shown in Figure 1, let s e a i e se urit testi g t pes first: 1) Dynamic versus Static testing Security Testing can be categorized into dynamic testing and static testing. Static testing is implemented by checking source code for bug patterns that are abstracted from the code with defects. For a brief introduction to bug patterns please refer to In most cases, we verify security when the application is running in order to more accurately simulate what would happen in the real world. This is called dynamic testing. Many methodologies have been developed for dynamic security testing like penetration, security scanning, etc. There are no clear boundaries or strict definitions amongst these methodologies. For instance, penetration will implement scanning to collect information.

4 4 2) White, Gray and Black box testing Another popular way to classify testing is by whether the testers know the internal structure of the code and how much they know. In security testing, white-box testing is quite similar to static testing. You have to check the code in white-box testing and the tools used here are very similar to static testing. There is no pure black-box way to conduct security tests. Gray-box tests are employed most of the time in order to attain sufficient system penetration. Actually, the most popular security testing is to use a combination of Black-box testing (to collect information) and Gray-box testing techniques (to deeply penetrate) to verify security in a dynamic (or running) environment. This article focuses on the tools in this niche of security testing. Although these security testing tools support testers to identify potential security vulnerabilities, we still cannot completely rely on just the tools by themselves or in isolation. Different tools should be used to doublecheck vulnerabilities and sometimes manual testing is necessary to reproduce the vulnerability and understand it s severity. In addition, you must keep your tools up to date as new security vulnerabilities are discovered constantly. Investigating the right tool or tools to use and verifying that their functionality covers hat ou eed is i porta t other ise ou a e u a le to u o er our soft are s se urit holes. Testing Field: When examining and analyzing tools, it is convenient to categorize them by different criteria. Some categorizations include: 1) Tools designed for different infrastructure components Fields Descriptions Tools Network Security Database security Subsystem or middleware Web application security These tools focus on identifying security vulnerabilities on externally accessible network-connected devices such as firewalls, servers, and routers. Some network scanning tools also perform vulnerability scanning functions. Database security test tools focus on identifying vulnerabilities in a system s database. These can be the result of incorrect configuration of the database security parameters or improper implementation of the business logic used to access the database (e.g., SQL insertion attacks). Database scanning tools are generally included in network security or web application security scanning tools. These tools are used during the implementation cycle to test whether security-critical subsystems have been designed and implemented properly. As an example, these tools test for correct operation of random number generators, cryptographic processors, and other securitycritical components. Web application security tools highlight security issues within applications accessed via the Internet. Unlike network security tools, web application security tools focus on identifying vulnerabilities and abnormal behavior within applications. For example over ports 80 (HTTP) and 443 (HTTPS). Various scanners include NMap, SuperScan. Foundstone Examples include Toad for Oracle, OWASP SQLiX and SQLInjector, Sqlninja, etc. NIST Statistical Test Suite for random number generation For example, Medusa for brute Force, AppScan for Web Scanning, etc.

5 Testing Process: 5 Another way to categorize security tools is according to the testing process, as shown in Figure 2. Figure 2. Tools in categories divided by testing process flow Gather information: In this step, the information about the number of machines, type of machines, operating systems, and etc, should be gathered to scope out the possible targets, looking for possible weaknesses. System scanning: After you have the internal topology of a web site, investigating the status of each device (Routers, Servers, Switchers and Computers, etc) usually requires system scanners. Multiple Vulnerability Detection: In this step, multi-vulnerability scanners can roughly find out what kinds of vulnerabilities may exist. Usually, the tools for this purpose have embedded databases with pre-defined vulnerabilities. Specific Vulnerability Detection: Two kinds of defects should be verified in this step. Firstly, those well-known vulnerabilities, like SQL injection and XSS injection. The other type is a defect is for a specific application, like defects in Office or Adobe products. Some tools like MS Scan are developed for Microsoft products, which can be found on the official web sites. Tool Selection Criteria There are many articles and publications on selecting security tools, some of which provide great detail such as Testing Tool Evaluation Matrix.pdf. But based on our experience, we summarize three key criteria for tool selection, while other factors should be used only in special cases and most often are not used.

6 6 Objective Description Suggestions Test Coverage Coverage refers to the ability of the tools or tools combination to cover all the categories of vulnerabilities that testing activities should exploit. Before evaluating tools, you need a list of vulnerabilities that may exist and need to verify. Accuracy of false positive and leakage Budget This concerns the reputation and trustworthiness of tools. If there are a huge number of false positives, or the tools are not up to date causing a lot of leakage, it will require manual evaluation and verification of the results. That is a difficult and time consuming task. Commercial tools are usually powerful and provided with after sales services. Vulnerability databases and patterns are maintained by providers for new vulnerabilities. Of course, they can be quite expensive. Free tools usually focus on a specific item, like investigating one kind of vulnerability or scanning ports. It is etter to use a ti e tools, hi h are continuously updated. Also, you need to choose backup tools and compare, verify and validate results. Of course, it depends on your budget. But cost refers not only to money, but also time. Free tools may save you money but are time consuming. However, sometimes they are necessary even when you have commercial tools in order to dig deeper into specific vulnerability areas and to verify results from other tools. Conclusion Security testing, more than ever, needs to be an integral part of software testing and should be planned for as a specific part of the test plan. Especially with software exposed to so many devices over the Internet and through the cloud, you need tools to carry out your mission and efficiently conduct software security testing in order to discover vulnerabilities as fast as possible. Of course manual testing can be used as a supplement, but there is no way you can uncover all the vulnerabilities. Different tools can sometimes significantly affect the testing results and choosing the right tool can be time consuming, especially when you may need more than one tool for deeper analysis and for cross-checking results. Rather than getting lost in the tool forest, its best to follow a step by step process to pick out the tools in an organized manner according to your objectives. This will save you a lot of time while also helping you understand the purpose of your security tests and your results. And with good security test results, you ll e a le to ake the orre tio s to re o e ul era ilities so ou do t e d up o the front page of the New York Times. XBOSoft Inc. 640 Rocca Ave. South San Francisco, CA