Security Testing. Who, What, When and How of Security Testing. Heidi Harmes-Campbell.

Size: px

Start display at page:

Download "Security Testing. Who, What, When and How of Security Testing. Heidi Harmes-Campbell."

Kathryn Sullivan
6 years ago
Views:

1 Security Testing Who, What, When and How of Security Testing Heidi Harmes-Campbell

2 Quick Info Bathroom breaks Phones calls Silence or Vibrate Take the call if needed please step out Snacks Sugar boost in center of your table Go get a drink if you need one Ask questions to me & each other!! It depends Ask me.why or why not? I will tell you if I don t know!!!!

3 Professional Stuff Me A Poll Interactive = means we ALL participate Get on with it Heidi

4 Who, What, When and How of Security Testing Definition of Security Types of threats & attacks CIA Hacker vs. Cracker vs. Tester vs. Script Kittie Access Control Authentication SQL Injection XXS Cookies

5 Windows 98 Blue Screen of Death

6 Toyota Blames Prius Brake Software Toyota said that a software glitch is to blame for brake problems. Toyota found some parts weren t being tested as rigorously as thought.

7 D-Link Router Design Error D-Link DIR-300 WiFi Key Security Bypass Vulnerability The D-Link DIR-300 wireless router is prone to a security-bypass vulnerability. Remote attackers can exploit this issue to modify the WiFi key and possibly other configuration settings. Successful exploits will lead to other attacks.

8 Signing Off Remember Signing Off on software? and then IT BLOWS UP!!!

9 What s going on in the world? Nasdaq Twitter Michael Jackson Gmail (cloud computing) EC-Council Webinar Costco Really???

10 True/False? Software can be correct without being secure. (1) It s cheaper to let System Admins deal with security. MORE

11 Rebuilding Trust

12 Types of Functional Testing White Box Black Box Grey Box Unit Integration System Regression Acceptance Verification Validation Static Dynamic Smoke User Acceptance

13 True or False? Definition of SECURITY + Definition of TESTING = Security Testing??

14 What is Security? You first! This is the interactive part that I referenced earlier

15 Different Definitions Referring to: Business Career Home Bank Banking Website Family Children Property Car Software Hardware Safety Credit Cards Country Many more

16 Definition of SECURITY 1. Freedom from risk or danger; safety 2. Freedom from doubt, anxiety, or fear; confidence 3. Something that gives or assures safety a. A group or department of private guards b. Measures adopted by a government to prevent espionage, sabotage, or attack c. Measures adopted to prevent escape 4. Computer Science. a. The level to which a program or device is safe from unauthorized use. b. Prevention of unauthorized use of a program or device.

17 Just out of Curiousity What does security testing mean to you or your company? Is QA and development included? Does QA management know? Who performs security testing? Who is responsible in your organization for testing application security? Manual or automated? Do you know what s being tested? How many of your requirements include security functionality? How many of you have test cases that specifically addresses security? Again, this is the interaction piece discussed earlier.

18 Fundamental Principles of Security 3 main principles: C Confidentiality I Integrity A Availability CIA (AIC, CAI, IAC, ICA) triad

19 CIA Confidentiality has anyone else been able to read your document Integrity has anyone else been able to change your document Availability has anyone else been able to access your document

20 Threat vs. Vulnerability Threat an indication, circumstance, or event with the intent and capability to cause loss of damage to an asset Vulnerability a weakness that can be exploited

21 Where is Risk? Assets Vulnerability Threats

22 Security Terminology, Threats, Attacks and People Hacker Cracker Script Kiddie Vulnerability Threat Social Engineering Phishing Vishing Viruses Worms Trojans Cross Site Scripting (XXS) Keyloggers Rootkits Spyware Adware Logic Bombs Denial of Service Spamming Hoaxes Port Scanners Password Crackers Boot Sector Virus Attack Corrupted Registry Buffer Overflows Dictionary Attacks Cookie Manipulation SQL Injections Etc, etc, etc

23 Titles/Roles - WHO Hacker hired by companies to help identify vulnerabilities Script Kittie (a.k.a Skittie, Script bunny) annoying people playing around Cracker methodically attack for a purpose people exploiting the threats Let s talk about these people. Tester -????

24 Worm Vs. Virus - WHAT Used interchangeably. Same? or Different? Virus small application or string of code that infects application REQUIRES host application to do this! Worm different than viruses they Do Not Need a host application they can reproduce on their own.

25 Trojan & Buffer Overflow WHAT Trojan a program disguised as another program. normally deletes or replaces system files. commonly leaves backdoor to allow re-entry. Buffer Overflow Too much data are accepted as input to an application. Buffer is allocated only so much memory

26 SQL Injection - WHAT SQL Injection - when user input is either incorrectly filtered for string literal characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed

27 Social Engineering - WHAT What is it? Let s talk, shall we?

28 Examples of Social Engineering Brief Chit-Chat Conversation Play dumb Shoulder surfing ing with questions Contacting help desk Flash!! Manipulation, trickery, deception

29 Rules for each table: Game Time Each table will have a list of definitions. The table must tell us: 1. Who 2. What 3. How

30 Access Control - HOW Definition Controlling Access? Yes!!! The ability of a subject to interact with an object. e.g. subject: person, process, computer)

31 Models of Access Control Discretionary Access Control - DAC Mandatory Access Control - MAC Role-based Access Control - RBAC Rule-based Access Control RBAC Why is this important?

32 Methods of Access Control DAC and MAC was used by the military to describe two different ways to control access to system and objects. Discretionary owner of the object decides who gets permission to access it Mandatory owner does NOT decide who has access. Operating system decides access based on sensitivity of object. Ex. Clearance in Military. This does not mean that everyone who has Top Secret Clearance has access to everything marked Top Secret. Also implemented is the need to know principle. Role Based system admins set this up based on the role(s) you are playing in a project. Rule Based system admins set this up based on the rules of the project e.g. no employees may access payroll files on weekends and after 6 p.m. on weekdays.

33 Authentication - HOW Definition - Verifying the identity of the subject That s all Authentication should confirm!!

34 Access Control vs. Authentication? 1. Change the pages the user sees 2. Log in with username/password

35 Authentication Testing - HOW Minimum testing: 1. Correct username and password 2. Incorrect username and correct password 3. Correct username and Incorrect password 4. Correct password and empty username 5. Correct username and empty password Are all of you at least doing this?

36 Authentication Testing - HOW 6. Secure login make sure when you are logging into an application you see HTTPS in address bar.

37 Authentication Testing - HOW 7. Message testing malicious users can find out a whole bunch of information from messages Incorrect combination of username and password

38 Authentication Testing - HOW 8. Logout then press Browser <Back> button. Capture URL via Print Screen

39 Authentication Testing - HOW Session Timeout Login with active username and password Go to lunch or have some soda Time how long the session is live What is correct? When does the session finally die?

40 Authentication Testing HOW 9. Bookmark page login to application navigate to another page in application bookmark the page logout application Go to bookmarked page

41 Authentication Testing - HOW 10. Change the ID to an ID of another account WHAT?? When browsing in the application 1. look for ID in header or in URL specifically related to your application ID 2. try to change it to something else Story I read about this in Security Act s magazine. Security Acts Issue 4

42 Authentication Testing - HOW 11. Different browsers accessing at same time 1. Copy user information into new browser 2. Copy url to new browser AFTER application has been opened in another browser. Don t just use another tab in the brower, try Firefox or Chrome. If possible send url to a different computer.

43 Authentication Testing - HOW 12. Manipulate URL after login 1. delete id s one by one 2. continue browsing the application 3. breaking down the url in to pieces and parts

44 Authentication Testing - HOW 13. How many times can I type the incorrect password before being locked out? Susceptible to brute force attack Crucial: 14. What are the consequences of being locked out? Lockouts have caused some companies to become unavailable. This would be bad.

45 Authentication Testing - HOW 15. There was a study a couple of years ago (2009) that brought to light the number of companies that keep default passwords for: Applications Firewalls O/S Security Software Etc.

46 Authentication Testing HOW Test Default Values Test/Test Guest/Guest Test1234/Test1234 Admin/Admin Training/Training Training1/Training1 /password

47 Authentication Testing HOW 16. SQL Injection simplest: 1,or 1 = 1 1. Type this into your password field and username = admin. 2. if it works then this is bad! User often ends up with administrator

48 Authenication Testing Game Rules: Object of the game

49 Common Fields in Database passwd login_id full_name Don t ask for a list of fields in the database! Guess! Use your experience to guide you. Sql injections by example

50 Cookies - HOW Simpliest Definiton: A small ASCII text file used in HTTP exchanges between a browser and web server, commonly stored on the hard drive. Session Cookies Tracking Cookies Does your application use them? Do you test them?

51 Issues with Cookies - HOW Easy for spyware to read them Many applications require you to accept thirdparty cookies Sessions may not expire as expected May include sensitive information possibly allowing access to secure site If using HTTP can be hijacked by malicious user

52 Testing Cookies - HOW Test using Mozilla stores all cookies for you to view.

53 Cookie - HOW

54 Convincing Management of the Importance - WHEN Show manager the list of threats & attacks Explain this is only a partial list Recommend adding line item under QA for security testing Let Project Manager cut it base on time constraints

55 More time for QA?? - WHEN We are going to give you an extra week.because we think you are SWELL and you to include security testing!!! How often does that really happen? NEVER!!!!

56 Justifying testing Joanna Rothman

57 Cost to fix defect during different times in a project

58 How YOU can implement Add this to your annual goals Build security test cases in your projects as if you have always done this testing Add security testing to your test plan Build it as a separate section or appendix in your test plan

59 Let s Be VERY Clear!! Testing Security is not the same as Testing Functionality.

60 QUESTIONS???

61 References

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management CompTIA Security+ Lecture Six Threats and Vulnerabilities Vulnerability Management Copyright 2011 - VTC Malware Malicious code refers to software threats to network and systems, including viruses, Trojan