Zen and the art of Security Testing
2 likes1,617 views
The document discusses the integration of security testing into software development, emphasizing the need to go beyond functional testing to identify vulnerabilities. It highlights the use of user stories to derive security test cases, considering both potential threats ('bad guys') and protective measures ('good guys'). The content also covers various testing techniques and tools to help ensure software security throughout the development lifecycle.
Zen and the art of Security Testing
- 1. Zen and the Art of Security Testing Testing for security issues as a variation on what you already do
- 2. About Cigital UK and US consulting firm specializing in software security. Global leader in helping organizations build security in. Over 20 years of research and successful software security consulting engagements throughout the world. Offers consulting, training, mobile application security. Published in books, white papers, and articles.
- 3. About Me • Consultant 13 years • Software security: code, design, risk • Financial, gaming, retail • Source code, architecture, security testing • (ISC)² European Advisory Council • CISSP and CSSLP exam item author • Author: 2 books + 1 chapter • OWASP Mobile Top Ten contributor • BS and MS in Computer Science • Passionate about software testers as an untapped resource in software security
- 5. The Inspiration Before one studies Zen, mountains are mountains and waters are waters; after a first glimpse into the truth of Zen, mountains are no longer mountains and waters are no longer waters; Photo: © 2009 Abi Skipp, via Flickr
- 6. The Metaphor Before one learns security testing, software is software and test cases are test cases; after a first glimpse into security testing, software is no longer software and test cases are no longer test cases;
- 7. Functional Testing vs. Security Testing Testing against the design/requirements is not enough: Design specification & requirements Actual implementation Missing features (found in functional testing) Potential security vulnerabilities (not found in functional tests) Boundary condition analysis (edge and corner cases) Security testers must think “outside the box”
- 8. Goals • Finding places in the user journey to do security testing • Working that into user stories • Working it into tests • Modifying existing test cases to cover security • Use tools for intercepting and modifying web requests www.eurostarsoftwaretesting.com
- 9. INJECTING SECURITY TESTS INTO USER STORIES the fundamentals www.eurostarsoftwaretesting.com
- 10. Agile User Story As a customer, I want to change my shipping address so that packages will come to my new address
- 12. Security User Stories User Story As a customer, I want to track the shipment of my order so that I know when it will arrive. Security Story As a fraudster, I want to see the details of an order that is not my own so that I can learn another person’s private information. 12
- 13. “Bad Guys” in Security User Stories Bad Guys • Competitor • Misbehaving customer • Hacker • Journalist • Criminal • Vandal • Disgruntled employee Goals • Learn private information • Commit a fraudulent transaction • Damage the company’s brand • Prevent people from doing their job • Sell valuable information
- 14. “Bad Guy” User Stories Acceptance Criterion Given that the user is logged in And the session is valid And the request is for an order that does not belong to the logged-in user, When the user requests details Then display an error message And ensure the user is no longer logged in And log an error to the application log. As a criminal, I want to see the details of an order that is not mine So that I can learn private information of another person
- 15. “Good Guys” in Security User Stories Users • Fraud Analyst • Customer Service Rep • System Operator • Well-behaved user • Manager • Auditor Goals • Verify a transaction • Determine some important information • Report on error conditions • Display the status of something 15
- 16. “Good Guy” User Stories As a security analyst, I want to see a list of sessions with unusal characteristics So that I can identify and terminate bot and fraud sessions As a registered user, I want to receive a notification when a new device is added to my account So that I know how many devices are attached to my account
- 17. Goals of Security User Stories • Identify an important actor (developers, security people, IT people are usually not important) • Identify an action or activity with tangible outputs • An easy tangible output is an error message • Force the business to be engaged by getting them to describe these output • Create test cases that exercise the software that way • Can you make the error message appear? www.eurostarsoftwaretesting.com
- 19. Web Security Testing vs. Network Penetration Testing Penetration Testing • Finds services and open ports • Checks for vulnerable or misconfigured components • Often targets standard software, COTS Web Security Testing • Focuses on what is running over HTTP(S) • System usually contains custom-built code • Requires deeper knowledge of business processes and rules
- 20. The Idea Functional Testers Know the Most! • Test data to exercise this whole flow • Insert security test data at each point o SQL injection o XML o Cross-site scripting (XSS) o JSON o CSV www.eurostarsoftwaretesting.com
- 21. Old Skool: Boundary Value Testing Example Scenario • App allows you to share mobile minutes • 1000 minutes across 3 lines • Inputs are non-negative, integer minute values • Must sum to exactly 1000 • 0 and 1000 are valid Examples Line 1 250 Line 2 250 Line 3 500 Total 1000 Line 1 0 Line 2 1000 Line 3 0 Total 1000 Line 1 1 Line 2 1 Line 3 998 Total 1000 www.eurostarsoftwaretesting.com
- 22. Old Skool: Boundary Value Testing Boundary Values • One more, one less, and boundary value • -1, 0, 1, 999, 1000, 1001 • This is testing 101 A few other interesting ones • MAXINT • MININT Examples Line 1 -1 Line 2 0 Line 3 1 Total err Line 1 999 Line 2 1000 Line 3 1001 Total err Line 1 -1 Line 2 0 Line 3 1001 Total err www.eurostarsoftwaretesting.com
- 23. Equivalence Class Partitioning Sampling from Equivalence Classes • Negative numbers • Aphabetic characters • Character set, encoding variations • Unicode UTF-8 • Unicode UTF-16 • Unicode ISO-8859-1 • Null / missing / empty Examples Line 1 ABCD Line 2 500 Line 3 500 Total err Line 1 完全な失敗 Line 2 başarısızlık Line 3 ﻞﺸﻓ Total err Line 1 Line 2 1 Line 3 998 Total err www.eurostarsoftwaretesting.com
- 24. Security and Equivalence Class Partitioning New Equivalence Classes • SQL Injection 'or 1=1; -‐-‐ ' and 'A'='A'; • Cross-site scripting <script> <img src="http://.../"…> • Other encoding issues • URI encoding • HTTP encoding • Base64 misalignments • Etc. Examples Line 1 ‘ or 1=1’; Line 2 ’ and a=a; -- Line 3 ‘ group by -- Total err Line 1 <script> Line 2 <body onload=> Line 3 <a onmousover> Total err www.eurostarsoftwaretesting.com
- 25. Where do I get these test data? • Cross-site Scripting (XSS) • OWASP Cross Site Scripting Cheat Sheet • https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sh eet • http://htmlpurifier.org/live/smoketests/xssAttacks.php • SQL Injection • SQLNinja • SQLMap • Kali Linux (many security tools built in) • HTML, XML, JSON www.eurostarsoftwaretesting.com
- 26. SECURITY TOOLS FOR WEB TESTING www.eurostarsoftwaretesting.com
- 27. Two Important Tools 1.Firebug 2.Burp (don’t forget Selenium) www.eurostarsoftwaretesting.com
- 28. Firebug • Add-on for Firefox (http://getfirebug.com/) • Views the DOM as it really is • Interactively manipulates the DOM • Great things to do: • Undo disabled="true" • Identify XPATH for Selenium www.eurostarsoftwaretesting.com
- 29. Intercepting Traffic • Local proxy acts as man-in- the-middle • HTTPS traffic is decrypted and viewable in plain text in local proxy • Insert data that you can’t put into a field via the browser • See hidden fields, cookies, etc. Even HTTPS traffic can be intercepted: Tester’s Machine Server Tester’s Browser Tester’s Proxy HTTPS Tunnel 1 HTTPS Tunnel 2
- 30. Burp Proxy • Start local proxy and configure interface and port to listen to • If necessary, configure upstream proxy server(s) You can run a local HTTP proxy on your own machine:
- 31. Security Testing Monitor, intercept, and rewrite traffic in your local proxy:
- 33. Bypassing All Client Side Checks • After inputs are checked • Before they’re received by the server Works on Mobile Too Tester’s Machine Server Tester’s Browser Tester’s Proxy Rewrite responses?
- 34. Wrapping Up
- 35. Everyone who has something to do with SOFTWARE has something to do with SOFTWARE SECURITY
- 36. Wrapping Up • User stories let us describe security behaviour • Good Guys • Bad Guys • Error messages • Put security test data into standard functional tests • Get test data ideas from OWASP • Get free tools and try them • Use a proxy to intercept and modify HTTP communication www.eurostarsoftwaretesting.com
- 37. 37 The best time to plant an oak tree was twenty years ago. The next best time is now. —Ancient Proverb Paco Hope, CISSP,CSSLP paco@cigital.com Twitter: @pacohope