
© 2002 LogiGear Corporation. All rights reserved.

The Roles of Software Testing & QA in Security Testing

Hung Q. Nguyen
LogiGear, President and CEO

Bob Johnson
Independent, Security Consultant

ASQ-SSQA Presentation, May 14, 2002


Objective

To jump-start your security testing program for Web sites and Web applications by offering
  – An overview on testing for Web site and Web application security
  – A perspective on the roles and responsibilities of software testing and QA in the security testing effort
  – A forum for other professionals to share their thoughts on this topic


Security Overview

• Whom are we protecting?
  – Ourselves
  – The people with whom we are doing business… or
  – The owners of computer systems
  – The users of those systems


Security Overview

• What are we protecting?
  – Data
    • Transaction data, user data, information resources, confidential business intelligence, etc.
  – Intellectual property
    • Products, source code, software, hardware, etc.
  – Resources
    • Network resources, computing resources, etc.


Security Overview

• Who are the attackers?
  – Black-hat hackers
  – White-hat hackers
  – Gray-hat hackers


Security Overview

• Why do attackers hack computer systems?
  – To steal
  – To disrupt activities by putting the system out of commission
  – To embarrass by altering the behavior of the system
  – To play a game


Security Overview

• The goals
  – Security effort is an ongoing process of change, test, and improvement. Because it's impossible to have a perfectly secure system, the goal is to figure out the level of protection that is secure enough for an organization's needs.
    • "Good enough," as narrowly defined, means that the security solutions will cost significantly less than the damage caused by a security breach.
    • At the same time, the ideal solutions are ones that deter persistent intruders by making penetrating the system so difficult and time-consuming that the reward is not worth the effort even when the effort succeeds.


Security Overview

• What are the possible damages?
  – Most of the damages, though not all, are financial losses, including:
    • Sales losses
    • Property losses
    • Productivity losses
    • Litigation costs
    • Publicity costs


Security Overview

• The big questions
  – What risks are we willing to take in enduring the possible damages?
  – How much funding are we willing to commit to minimize our risks?
  – What is the objective and budget allocated for testing Web site and Web application security?


Security Overview

• What are the targets that need security protection?
  – Data
  – Host
  – Network/Intranet
  – Perimeter
• …and additional focus on
  – Internet
  – Application


Common Vulnerabilities

• Interesting to software testing
  – Information leaks
    • Examples include sensitive information in HTML pages, error messages, and public databases and forums
  – Back doors
    • For example, enabling a logging routine that bypasses authentication, or untested debugging routines left in production releases.
  – Buffer overflows
    • Errors might exist in production code, test and debugging code, or third-party code
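The information-leak bullet above says what to look for but not how a tester would check for it systematically. The following is an added example, written for this page rather than taken from the presentation or from LogiGear: a small Python scanner that runs over saved HTML response bodies and flags developer comments that mention credentials or to-do notes, hidden form fields that carry decisions the server should be making (price, role), and error output that exposes internals such as file names and line numbers. The regular expressions, the keyword lists and the two sample pages are constructed assumptions, not a published checklist.

```python
import re

# Patterns a tester might look for in response bodies. These lists are hypothetical
# starting points, kept short; a real checklist is tuned to the application under test.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
HIDDEN_RE = re.compile(r'<input[^>]*type=["\']hidden["\'][^>]*>', re.I)
NAME_RE = re.compile(r'name=["\']([^"\']+)["\']', re.I)
VALUE_RE = re.compile(r'value=["\']([^"\']*)["\']', re.I)
SENSITIVE_WORDS = ("password", "passwd", "secret", "todo", "fixme", "internal", "admin")
SENSITIVE_FIELDS = ("price", "role", "admin", "userid", "discount")
ERROR_SIGNS = ("Traceback (most recent call last)", "ODBC", "SQL syntax", "at java.", "Stack trace:")


def find_information_leaks(body: str) -> list:
    """Return (category, evidence) pairs for suspicious content in an HTML response body."""
    findings = []
    # 1. Developer comments shipped to the browser.
    for comment in COMMENT_RE.findall(body):
        text = comment.strip()
        if any(word in text.lower() for word in SENSITIVE_WORDS):
            findings.append(("html-comment", text))
    # 2. Hidden form fields that carry values the server should decide, not the client.
    for tag in HIDDEN_RE.findall(body):
        name = NAME_RE.search(tag)
        if name and any(field in name.group(1).lower() for field in SENSITIVE_FIELDS):
            value = VALUE_RE.search(tag)
            findings.append(("hidden-field", f"{name.group(1)}={value.group(1) if value else ''}"))
    # 3. Error pages that reveal internals (file names, line numbers, database engine).
    for sign in ERROR_SIGNS:
        if sign in body:
            findings.append(("error-detail", sign))
    return findings


# Constructed sample responses; not captured from any real site.
LEAKY_PAGE = """<html><head><!-- TODO: remove the test admin password 'changeme' before release --></head>
<body><form action="/checkout" method="post">
<input type="hidden" name="price" value="19.99">
<input type="hidden" name="csrf_token" value="abc123">
</form>
<pre>Traceback (most recent call last):
  File "app.py", line 42, in checkout
</pre></body></html>"""

CLEAN_PAGE = """<html><body><!-- page header -->
<form><input type="hidden" name="csrf_token" value="xyz"></form></body></html>"""

if __name__ == "__main__":
    for category, evidence in find_information_leaks(LEAKY_PAGE):
        print(f"[{category}] {evidence}")
    print("clean page:", find_information_leaks(CLEAN_PAGE))
```

Run it over the responses saved from a crawl of the site under test; every hit is a finding to raise with development, because the page alone cannot tell whether a leaked value (a hidden price, a commented-out password) is actually trusted server-side.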


Common Vulnerabilities

• Interesting to software testing
  – Cookies
    • Examples include a cookie containing ID and password, account number, credit card number, and other sensitive information.
    • By changing the values, or "poisoning" the cookie, attackers can get access to accounts that are not theirs or to unauthorized information.
    • Stealing the cookie altogether might allow attackers to gain access without having to enter ID and password or pass any other method of authentication.
  – Bad data
    • Incoming data can't be trusted
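To make the cookie bullets concrete, here is an added example (not code from the presentation or from LogiGear) contrasting the weak design the slide warns about, an account number stored in the cookie in the clear, with a cookie whose contents are bound by an HMAC and an expiry. SERVER_SECRET, the cookie names and the time values are constructed for the demonstration. The last function scripts the checks a tester would run against both designs: edit the value, replay after expiry, send garbage.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side key. In a real application it comes from configuration and
# is never sent to the browser; this constant exists only so the example runs offline.
SERVER_SECRET = b"constructed-demo-key-do-not-reuse"


def naive_account_from_cookie(cookie: str) -> int:
    """The weak pattern from the slide: the cookie is 'acct=<number>' in the clear,
    so whoever edits the cookie chooses which account the server shows."""
    return int(cookie.split("=", 1)[1])


def _sign(payload: str, secret: bytes) -> str:
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def make_session_cookie(account_id: int, secret: bytes, now: int, ttl: int = 900) -> str:
    """Hardened pattern: the account id travels with an expiry and an HMAC over both.
    (Keeping only a random session id in the cookie and looking the account up
    server-side is an equally good design; this one shows the integrity check explicitly.)"""
    payload = base64.urlsafe_b64encode(
        json.dumps({"acct": account_id, "exp": now + ttl}).encode()
    ).decode()
    return f"session={payload}.{_sign(payload, secret)}"


def verify_session_cookie(cookie: str, secret: bytes, now: int):
    """Return the account id if the signature matches and the token is unexpired, else None."""
    try:
        value = cookie.split("=", 1)[1]
        payload, sig = value.rsplit(".", 1)
    except ValueError:
        return None  # malformed cookie
    if not hmac.compare_digest(sig, _sign(payload, secret)):
        return None  # payload edited or signature forged
    data = json.loads(base64.urlsafe_b64decode(payload))
    if data["exp"] <= now:
        return None  # a stolen cookie stops working once the TTL passes
    return data["acct"]


def poisoned_copy(cookie: str, new_account: int) -> str:
    """What the tester's check does in a proxy: rewrite the account id but keep the old signature."""
    value = cookie.split("=", 1)[1]
    payload, sig = value.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload))
    data["acct"] = new_account
    new_payload = base64.urlsafe_b64encode(json.dumps(data).encode()).decode()
    return f"session={new_payload}.{sig}"


def cookie_poisoning_checks(secret: bytes = SERVER_SECRET, now: int = 1_000_000) -> dict:
    """Run the test cases a QA engineer would script against both cookie designs."""
    weak = "acct=1234"
    good = make_session_cookie(1234, secret, now)
    return {
        # the naive cookie happily serves the edited account number
        "naive_accepts_edited_id": naive_account_from_cookie(weak.replace("1234", "1235")) == 1235,
        "signed_valid_cookie_ok": verify_session_cookie(good, secret, now + 60) == 1234,
        "signed_rejects_edited_id": verify_session_cookie(poisoned_copy(good, 1235), secret, now + 60) is None,
        "signed_rejects_expired": verify_session_cookie(good, secret, now + 901) is None,
        "signed_rejects_garbage": verify_session_cookie("session=garbage", secret, now) is None,
    }


if __name__ == "__main__":
    for name, passed in cookie_poisoning_checks().items():
        print(f"{name}: {'as expected' if passed else 'UNEXPECTED'}")
```

The signed design defeats value editing but not theft: a copied cookie is still valid until the TTL runs out, which is why the slide lists stealing separately from poisoning. Sending the cookie only over TLS and marking it HttpOnly are the controls on the theft side, and a tester should check for both.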


Common Vulnerabilities

• Interesting to software testing
  – JavaScript
    • For example, client-side checking can be bypassed
    • Cross-site scripting issues
  – CGI
    • For example, manipulating parameters to instruct a CGI to email an ID and password file to any user
  – Java
    • How safe?
  – ActiveX
    • Can make function calls to other DLLs?
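The JavaScript and CGI bullets share one root cause: the server trusts checks or parameters it does not control. As an added example (written for this page, not taken from the presentation or from LogiGear), the following Python shows the server-side counterpart a tester should expect to find: input re-validated against allow-lists regardless of what the browser's JavaScript did, reflected values HTML-escaped so a cross-site scripting payload renders as text, and a file-name parameter confined to one directory so it cannot be steered at arbitrary files. The catalogue, the template directory, the field names and the regular expressions are constructed assumptions.

```python
import html
import pathlib
import re

# Constructed catalogue and directory; both are stand-ins for real application configuration.
ALLOWED_ITEMS = {"widget": 19.99, "gadget": 4.50}
QTY_MAX = 100
TEMPLATE_DIR = pathlib.Path("/srv/app/templates")  # hypothetical location
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_order(params: dict) -> dict:
    """Server-side validation that must hold even if the client-side JavaScript was bypassed."""
    errors = []
    item = params.get("item", "")
    if item not in ALLOWED_ITEMS:  # allow-list; a client-supplied 'price' field is simply ignored
        errors.append("unknown item")
    qty = params.get("qty", "")
    if not re.fullmatch(r"[0-9]{1,3}", qty) or not 1 <= int(qty) <= QTY_MAX:
        errors.append(f"qty must be 1..{QTY_MAX}")
    if not EMAIL_RE.fullmatch(params.get("email", "")):
        errors.append("bad email")
    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "total": round(ALLOWED_ITEMS[item] * int(qty), 2)}


def render_confirmation(params: dict, result: dict) -> str:
    """Every reflected value is HTML-escaped: the output-side defence against cross-site scripting."""
    if not result["ok"]:
        return "<p>Order rejected: " + html.escape("; ".join(result["errors"])) + "</p>"
    name = html.escape(params.get("name", ""), quote=True)
    return f"<p>Thanks {name}, your total is {result['total']:.2f}</p>"


def resolve_template(name: str):
    """A CGI-style 'which file to send' parameter is checked against a strict pattern and
    confined to one directory, so it cannot name an arbitrary file on the host."""
    if not re.fullmatch(r"[a-z0-9_]{1,32}\.txt", name):
        return None
    path = (TEMPLATE_DIR / name).resolve()
    if TEMPLATE_DIR.resolve() not in path.parents:
        return None
    return str(path)


if __name__ == "__main__":
    order = {"item": "widget", "qty": "3", "email": "ann@example.com", "name": "<b>Ann</b>"}
    print(render_confirmation(order, validate_order(order)))
    tampered = dict(order, qty="-5", price="0.01")
    print(render_confirmation(tampered, validate_order(tampered)))
    print(resolve_template("welcome.txt"), resolve_template("../../config.ini"))
```

The test for the first bullet is simply to submit the form with JavaScript disabled or through a proxy and confirm the server answers with the same rejection the browser-side check would have given; if the server only ever sees what the script lets through, the check lives on the wrong side.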


Common Vulnerabilities

• Mildly interesting to software testing
  – Physical attacks
  – Denial-of-service attacks
  – Spoofing attacks
  – Virus and worm attacks
  – Trojan horse attacks
• For more information
  – www.QACity.com
  – Sample tool list: www.insecure.org


Testing and QA Focus

• Testing for Web site and Web application security at the application level
• Testing for vulnerabilities and information leaks due primarily to programming practice and, to a certain extent, to misconfiguration of Web servers and other application-specific servers
• Testing for security side effects
• Testing for functionality side effects


Testing and QA Focus

• What can we learn from the attacking process?
  – Information gathering?
  – Checking out the system?
  – Cracking the system?
• What are our objectives?
  – Prevention: Help seek out vulnerabilities and the various means to exploit them so they can be fixed.
  – Detection: Help determine the information that should be logged and the mechanisms to track, alert on, and trap suspicious activities.
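The detection objective above asks what should be logged and how suspicious activity is tracked and alerted on. As an added example (not from the presentation or from LogiGear), this Python reads Common Log Format lines and raises two kinds of alert: a burst of authentication failures from one address inside a time window, and request paths containing directory-traversal sequences. The log lines, the threshold and the window length are constructed assumptions; the point is that the access log must record client address, timestamp, path and status before either rule is even possible, which is the "what should be logged" half of the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format, the shape most Web servers of the period wrote by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, fail_threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Return (alert, detail) pairs. Two rules are shown: a burst of 401/403 responses
    from one address inside the window, and request paths carrying '../' sequences."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent auth failures
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("unparsable-log-line", line))  # a gap in logging is itself worth a look
            continue
        if "../" in rec["path"] or "%2e%2e" in rec["path"].lower():
            alerts.append(("path-traversal-pattern", f'{rec["ip"]} {rec["path"]}'))
        if rec["status"] in (401, 403):
            recent = [t for t in failures[rec["ip"]] if rec["ts"] - t <= window] + [rec["ts"]]
            failures[rec["ip"]] = recent
            if len(recent) == fail_threshold:  # fire once, when the threshold is crossed
                alerts.append(("repeated-auth-failures", rec["ip"]))
    return alerts


# Constructed sample lines (the 2002 timestamps are a nod to the presentation date).
SAMPLE_LOG = [
    '10.0.0.7 - - [14/May/2002:10:00:01 +0000] "POST /login HTTP/1.1" 401 512',
    '10.0.0.8 - - [14/May/2002:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '10.0.0.7 - - [14/May/2002:10:00:03 +0000] "POST /login HTTP/1.1" 401 512',
    '10.0.0.7 - - [14/May/2002:10:00:05 +0000] "POST /login HTTP/1.1" 401 512',
    '10.0.0.9 - - [14/May/2002:10:00:06 +0000] "GET /download?file=../../config.ini HTTP/1.0" 404 310',
    '10.0.0.7 - - [14/May/2002:10:00:07 +0000] "POST /login HTTP/1.1" 401 512',
    '10.0.0.7 - - [14/May/2002:10:00:09 +0000] "POST /login HTTP/1.1" 401 512',
    '10.0.0.7 - - [14/May/2002:10:00:11 +0000] "POST /login HTTP/1.1" 401 512',
    'this line is not in Common Log Format',
]

if __name__ == "__main__":
    for alert, detail in detect(SAMPLE_LOG):
        print(f"ALERT {alert}: {detail}")
```

A tester's contribution here is less the rule itself than the fixture: a scripted run that produces exactly five failures in the window, then a sixth, lets QA confirm that the alert fires once, at the right count, and that a 404 for a traversal path is logged at all rather than silently dropped.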


Testing and QA Focus

• What can we learn from the physical world and the digital world?
  – In the physical universe, redundancy such as having additional locks, a security guard sitting by the door, or a badge reader can increase security.
  – In the digital universe, redundancy increases complexity and might create additional vulnerabilities. Often, small utility programs surrounded by many layers of protection provide the security holes that compromise the entire system.


Testing Web Site/Application Security

• Testing the requirements and designs
• Testing the code and programming practices
• Testing interoperability with third-party components, with specific focus on known vulnerabilities
• Testing for misconfiguration
• Testing the deployment
• Penetration testing


The Challenges We Face

• Outlining a clear division of responsibilities with the IT and software development staff in testing for security
• Getting adequate resources and support to carry out the testing tasks
• Keeping up with new technologies and the vulnerabilities that they bring
• Developing and maintaining, on an ongoing basis, a knowledge base of common test techniques for sharing
• Keeping up with the available tools and their applicability and usefulness in supporting software security testing


More Information for Testers


Software Testing and QA Roles

• Open discussion
  – Are we focusing on the right tasks?
  – Should we do more?
  – Should we do less?
  – Any testing techniques you would like to share?
  – Any other thoughts you would like to share?


About LogiGear® Corporation

LogiGear Corporation is the first Silicon Valley-based software testing company to offer a full range of solutions to advance individual and organizational excellence in software testing. LogiGear offerings include in-depth technical and management expertise in software quality engineering, comprehensive advanced test engineering such as Action Based Testing™, a structured approach to testing and testing automation, and outsource testing solutions, skill-based training curriculum for software testing professionals through LogiGear University, and world-class testing support products including TRACKGEAR, a Web-based defect management solution.

www.LogiGear.com