ZD

Software Security - Week 11

Security Testing

  • Security testing identifies vulnerabilities and potential threats in software systems, networks, or applications.
  • It focuses on finding loopholes and weaknesses that might result in data loss or reputational damage.

Security Testing - Goals

  • Identify assets: Determine what needs protection (applications, data, servers, APIs, user credentials, etc.).
  • Identify threats and vulnerabilities:
    • Threats: potential attacks.
    • Vulnerabilities: system flaws that can be exploited.
  • Identify risk: Determine the likelihood and impact of a threat exploiting a vulnerability. Risk is calculated as: Risk = Threat × Vulnerability × Impact
  • Perform remediation: Fix identified issues through patching, configuration changes, or mitigation strategies.

Principles of Security Testing

  • Confidentiality
  • Integrity
  • Authentication
  • Authorization
  • Availability
  • Non-repudiation

Types of Security Testing

  • Vulnerability Scanning: Automated software scans systems for known vulnerability signatures.
  • Security Scanning: Identifies network and system weaknesses, providing solutions to reduce risks. Can be manual or automated.
  • Penetration Testing: Simulates an attack by a malicious hacker to check for potential vulnerabilities.
  • Risk Assessment: Analyzes security risks within the organization, classifying them as Low, Medium, or High, and recommends controls to reduce risk.
  • Security Auditing: Internal inspection of applications and operating systems for security flaws, possibly via line-by-line code inspection.
  • Ethical Hacking: Hacking an organization's systems with the intent to expose security flaws, not for personal gain.
  • Posture Assessment: Combines security scanning, ethical hacking and risk assessment to show the overall security posture of an organization.

Example Test Scenarios for Security Testing

  • Passwords should be encrypted.
  • Applications/systems should not allow invalid users.
  • Cookies and session times should be checked.
  • The browser back button should not work on financial sites.
  • Proper access controls should be enforced.
  • Error messages should not reveal sensitive information.
  • Systems should lock out users after multiple failed login attempts.

Security Testing Techniques

  • Black Box Testing: Tests functionality without knowledge of internal code.
  • White Box Testing: Tests internal code structure and logic.
  • Gray Box Testing: Combines elements of both black and white box testing.

SDLC vs Security Processes

The figure shows how security processes are integrated throughout the Software Development Life Cycle (SDLC): security analysis, security test plan creation, black box testing, security white box testing, penetration testing, vulnerability scanning, black box testing combined with vulnerability scanning, and impact analysis, spread across the Requirements, Design, Coding & Unit Testing, Integration Testing, System Testing, Implementation, and Support stages.

Black Box Testing

  • Black box testing tests software functionalities without knowledge of internal code structure or implementation details.
  • It focuses on the input and output of software applications, based on software requirements and specifications. Also known as Behavioral Testing.

Types of Black Box Testing

  • Functional testing: Tests the functional requirements of a system.
  • Non-functional testing: Tests non-functional requirements like performance, scalability, and usability.
  • Regression testing: Checks that new code does not affect existing code after fixes, upgrades, or maintenance.

Functional Testing

  • Functional testing evaluates security features and controls to ensure effective mitigation of security risks.
  • Authentication and Authorization Testing:
    • Verifies that authentication mechanisms (login forms, password resets) function correctly.
    • Ensures only authorized users access protected resources and that access controls are enforced.
  • Input Validation Testing:
    • Validates how the system handles various input types (valid, invalid, malicious).
    • Aims to prevent common security vulnerabilities like SQL injection, XSS, and command injection.
  • Session Management Testing:
    • Verifies that session management features (session creation, expiration, termination) function correctly.
    • Ensures session identifiers are securely generated, stored, and invalidated to prevent session-related attacks.
  • Data Confidentiality and Integrity Testing:
    • Validates that data encryption and integrity mechanisms (SSL/TLS encryption, cryptographic hashing) are implemented correctly.
    • Ensures sensitive data is encrypted during transmission and storage, and that cryptographic algorithms are properly configured and utilized.

Functional Testing Approaches

  • Manual Functional Testing: Testers manually create and execute test cases to evaluate functionality.
  • Automated Functional Testing: Automates the entire functional testing process using test automation tools, saving time and resources.

Functional Testing Types

  • Unit Testing:
    • Tests individual components to ensure they meet specific security requirements.
    • Drills down to the smallest testable parts of the code to assess their security properties.
    • Example: User Login
      • Authentication Function: Returns true if the credentials match and false otherwise.
      • Input Validation: Rejects invalid inputs and prevents security vulnerabilities.
      • Password Hashing: Ensures that the hashed passwords are different from the original passwords and that the hashing process is deterministic and secure.
      • Access Control: Ensures that all unit tests pass, indicating that the security features (input validation, password hashing, and access control) are functioning correctly.
  • Integration Testing:
    • Verifies interactions and compatibility between different components to ensure security features function as expected.
    • Example: Secure Data Access Integration Test: Validate the integration of authentication, authorization, and secure data transmission mechanisms.
  • Interface Testing:
    • Focuses on testing the interfaces between the application and external systems.
    • Example: web-based e-commerce application: Ensure that the interfaces between the e-commerce application and external services are secure, reliable, and conform to specifications.
  • System Testing:
    • Evaluates the security of the entire software system or application to ensure that it meets security requirements, standards, and objectives.
    • Example: web-based banking application: Ensure that the application meets security requirements and standards to protect sensitive financial information and prevent unauthorized access or fraud.
    • The system includes components such as user authentication, account management, funds transfer, and transaction processing.
  • Regression Testing:
    • Verifies that previously identified security vulnerabilities have been remediated and that new changes do not reintroduce known issues.
  • Smoke Testing: Performed on early builds that are not yet stable; if any major functionality does not work as expected during testing, that build is rejected.
  • Acceptance Testing:
    • Ensures the system meets security requirements and standards set by stakeholders before deployment.
    • User Acceptance Testing (Beta Testing): Performed by real users to ensure the application meets their needs.
    • Business Acceptance Testing: Ensures the application meets business requirements and goals.
    • Regulation Acceptance Testing: Ensures the application does not violate any legal regulations.
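Worked example for the User Login unit-test case listed above (added here; not code from the original notes): a small in-memory login routine with input validation, salted PBKDF2 password hashing and lockout after repeated failures, written so that each of the listed security properties can be asserted by a unit test. The lockout threshold and the username allow-list are assumed policies.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

MAX_FAILED_ATTEMPTS = 3                             # assumed lockout policy
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")   # assumed username allow-list


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Same salt + same password -> same digest (deterministic);
    a fresh salt gives a different digest, so equal passwords cannot be spotted in storage."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Minimal in-memory user store constructed for this example."""

    def __init__(self) -> None:
        self.users = {}     # username -> (salt, digest); plaintext is never stored
        self.failures = {}  # username -> consecutive failed logins

    def register(self, username: str, password: str) -> None:
        # Input validation: reject anything outside the allow-list before it reaches storage
        if not USERNAME_RE.fullmatch(username) or len(password) < 8:
            raise ValueError("invalid username or password")
        self.users[username] = hash_password(password)

    def is_locked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def authenticate(self, username: str, password: str) -> bool:
        """Returns True only for a well-formed, unlocked user with matching credentials."""
        if not USERNAME_RE.fullmatch(username) or self.is_locked(username):
            return False
        record = self.users.get(username)
        # Hash even for unknown users so response time does not reveal which names exist
        salt, expected = record if record is not None else (b"\0" * 16, b"\0" * 32)
        _, actual = hash_password(password, salt)
        if record is not None and hmac.compare_digest(expected, actual):
            self.failures[username] = 0          # successful login resets the counter
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        return False
```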

Functional Testing Process

  1. Understand the requirements
  2. Prepare a test plan
  3. Write test cases
  4. Create input data according to requirements
  5. Execute test cases
  6. Compare actual and expected outcome through result validation
  7. Log defects

Non-functional Testing Types

  • Non-functional testing assesses how well the system meets security-related criteria and requirements.
  • Types: Portability, Interoperability, Reusability, Security, Reliability, Survivability, Availability, Scalability, Efficiency, Flexibility, Integrity, Usability

Tools used for Black Box Testing

  • Functional/Regression Tests: QTP, Selenium
  • Non-Functional Tests: LoadRunner, JMeter

White-box Testing

  • White Box Testing is a testing technique in which software’s internal structure, design, and coding are tested to verify input-output flow and improve design, usability, and security.
  • Also called Clear box testing, Open box testing, Transparent box testing, Code-based testing, and Glass box testing.

Process of White Box Testing

  • Input: Requirements, Functional specifications, design documents, source code.
  • Processing: Performing risk analysis.
  • Proper test planning: Design test cases to cover the entire code, execute them, and repeat until the software is error-free; the results are then communicated.
  • Output: Preparing final report of the entire testing process.

Key practices in white-box testing

  • Code Review: Review the application's source code, including algorithms, data structures, and logic, to identify potential vulnerabilities. Example: char buffer[10]; strcpy(buffer, userInput); (an unbounded copy into a fixed-size buffer).
  • Static Analysis: Use static analysis tools to scan code for known patterns of security issues, such as unsafe function calls, insecure configuration settings, and hard-coded credentials.
  • Code Analysis: Review code line by line to identify potential security risks, such as insecure data handling, lack of input validation, or improper error handling.
  • Penetration Testing: Simulate real-world attacks to exploit vulnerabilities discovered during analysis and assess the system's resilience.
  • Security Standards Compliance: Assess code against secure coding guidelines, compliance with security standards (e.g., OWASP Top 10), and regulatory requirements (e.g., GDPR, HIPAA).
  • Secure Coding Practices: Implement techniques such as input validation, output encoding, parameterized queries, least privilege principle, and proper error handling to mitigate common security risks.

White-box testing techniques

  • Statement Coverage: aims to ensure that all executable statements in the code have been exercised at least once during testing.
  • Condition coverage (predicate coverage or Boolean coverage): ensures each individual condition in a decision point (such as an if statement or loop condition) is evaluated to both true and false during testing.
  • Multiple condition coverage (decision coverage or all-paths coverage): ensures all possible combinations of conditions within a decision point (such as an if statement or loop) are tested at least once during testing.
  • Path Testing: create a control flow graph from the code or flowchart, then calculate the cyclomatic complexity, which gives the number of independent paths, so that a minimal set of test cases can be designed with one test case per independent path.
  • Loop Testing: identify and mitigate security risks associated with loops, such as those related to input validation, access control, authentication, and session management.
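The coverage criteria and cyclomatic complexity described above, as an added worked example (not from the original notes): a three-condition access-control decision, helpers that check whether a test set reaches condition coverage or multiple condition coverage, and a McCabe count read from the function's AST. The counting convention (one branch per if/loop plus one per extra boolean operand) is assumed, and the coverage checks look at the input truth values rather than short-circuit evaluation.

```python
import ast
import inspect
from itertools import product

ALL_COMBOS = sorted(product([True, False], repeat=3))   # the full truth table


def can_edit(authenticated: bool, owner: bool, admin: bool) -> bool:
    """Decision under test: an access-control rule with three conditions."""
    if authenticated and (owner or admin):
        return True
    return False


def cyclomatic_complexity(func) -> int:
    """McCabe number from the source: 1 + decision points (if/loops/ternaries)
    + one per extra operand of each and/or, since each adds a branch (assumed convention)."""
    tree = ast.parse(inspect.getsource(func))
    count = 1
    for node in ast.walk(tree):
        if isinstance(node, (ast.If, ast.For, ast.While, ast.IfExp)):
            count += 1
        elif isinstance(node, ast.BoolOp):
            count += len(node.values) - 1
    return count


def condition_coverage(tests) -> bool:
    """Condition coverage: every individual condition is True in at least one test
    and False in at least one test (columns of the test table)."""
    return all({True, False} <= set(column) for column in zip(*tests))


def multiple_condition_coverage(tests) -> bool:
    """Multiple condition coverage: every combination of the conditions is exercised."""
    return set(tests) == set(ALL_COMBOS)


def uncovered_combinations(tests):
    """Combinations a test set still has to add to reach multiple condition coverage."""
    return sorted(set(ALL_COMBOS) - set(tests))
```

Two tests, all-true and all-false, already satisfy condition coverage, while multiple condition coverage needs all eight rows; the McCabe count of 4 matches the four independent paths through the decision.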