Security Testing Literacy

By Benoit Poudrier, Automation Specialist

November 3, 2017

Let’s take a moment to talk about Security Testing and why I think it’s incredibly important for every project to undergo this type of testing. By now, I’m sure you’ve heard of a few cases where a company or person has been hacked maliciously and how expensive, time-consuming and frustrating it can be. Sadly, these situations seem to be emerging more and more, and one of the primary concerns is insufficient security and software vulnerabilities.

The purpose of this article is to give you a brief introduction to Security Testing, to raise awareness of what professionals with security testing expertise do and why they do it. The costs of a security vulnerability exposed after release to the public can be overwhelming and extremely difficult to recover from, which is why learning about cybersecurity is essential. At a time when almost every business, device, method of communication or transaction is connected to the internet, it’s imperative for every company to be aware of the risks that accompany storing and archiving data online.

To me, it’s no longer a matter of if you get hacked. It’s a matter of when you get hacked. 

Definition

Security Testing encompasses different types of tests and procedures with the intent of verifying the integrity and security of your application. It exists to find weaknesses and loopholes in your software before it’s released to the general public, and the earlier it is built into your development and testing processes, the less it will cost to fix potentially exploitable mistakes: the expense of addressing a weakness goes up as you approach the final stages of application development and release.

Although there are many roles involved with security testing, one of the most technical is that of a penetration tester. Penetration testers have a deep understanding of today’s security issues and vulnerabilities. They use various tools to help you discover your own cybersecurity weaknesses so that you can fix and address them before they make it out to the public. Additionally, you can bring manual testers on board to run simple tests in day-to-day testing routines to help find potential susceptibilities. An example would be a simple SQL injection in any text box on the website or in the URL itself for each accessible page.

Who Needs This?

Pretty much everyone that produces software requires some level of security testing, especially when interacting with sensitive data such as credit cards, banking, passwords or user account information. In this day and age, every software company and website developer should have someone inspect the resilience of their security.

Tools

There are a great many tools available to help detect and identify security vulnerabilities. Some are standalone tools, while others are suites of tools that can navigate a website or application to look for security issues. Penetration testers use these tools to detect flaws in a more efficient manner.

Here are a few of the more popular tools:

There is even a Linux distribution built for security testing: Kali Linux, which comes with a wide variety of pre-installed programs.

What Can Be Hacked?

Almost everything that requires a computer is exposed to cyber hacking. Here are a few examples:

  • Vehicles: Two hackers demonstrated that Jeep Cherokees could be hacked with a zero-day exploit. They managed to hack the vehicle from home while someone was driving it on the highway in order to prove that it could be done. They were able to manipulate the entertainment system settings and even managed to completely shut off the engine even while a volunteer was driving the car.
  • Credit Card: Just this year, Equifax was hacked, and that became one of the worst security breaches in American history, affecting 143 million people. That’s equivalent to 44 percent of the U.S. population. The hackers not only obtained credit card numbers, but also managed to gain access to birth dates, addresses, social security numbers and driver’s license numbers.
  • Healthcare: Anthem, an American health insurance company, was hacked in February of 2015. The accounts of 78.8 million people were affected and their personal information exposed.
  • Video Games: The Sony PlayStation Network suffered a hack in 2011 and the resulting outage to fix the problem lasted for 23 days. 77 million accounts were exposed and the outage itself cost $171 million.

This goes to show that companies and products from various industries can easily be targeted. Links to these stories can be found in the references section at the end of this article.

If you look into the Internet of Things, you’ll realize that as organizations and individuals continue to store and circulate information in cyberspace, we become more vulnerable to hackers than ever before. Admittedly, extensive access to information makes life more convenient, but at what cost?


Top Security Issues Lists

There are two lists of security issues that mark the top security flaws found in applications today. These lists exist to help developers understand the potential issues while developing their applications, as well as to help others gauge the specific risks to their applications.

These pages offer a lot of information for all platforms.

Threat Risk Modeling

Threat risk modeling is an essential process for secure web application development. It’s a way to plan around potential risks your software, security or assets could face so that you can develop a strategy to protect yourself.

It allows organizations to determine the correct controls and to produce effective countermeasures within budget. For example, there is little point in spending 100 thousand dollars for fraud control on a system that has almost no fraud risk.

The threat risk modeling process has five steps. They are:

  1. Identify Security Objectives
  2. Survey the Application
  3. Decompose it
  4. Identify Threats
  5. Identify Vulnerabilities

For more information, click here.

Bug Bounties

Now, if you work in Security Testing, one way to challenge yourself is to look at Bug Bounties online. Bug Bounties have been around since 1995. Companies offer to reward Ethical Hackers (White Hat) for helping them find vulnerabilities in their software and reporting them so that they can be fixed. Here are a few Bug Bounty websites:

An example would be Google’s $5,000 prize for an XSS (cross-site scripting) vulnerability, one of the most prevalent types of vulnerability, found in the mail attachment feature in iOS. Read the full story here.

Canary Tokens

Canary Tokens are files that you can create and fill with fake data in order to lure hackers. These files are a trap that will notify you, via email, as soon as anyone opens them. In the email, you will receive the IP address of the person attempting to gain unauthorized access to the information.

There are a few websites that offer this service. CanaryTokens in particular offers examples and fake data that you can use.
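A minimal version of the callback side of such a trap, as an added example that is not the article’s code nor that of any canary-token service: it mints a token, builds the URL you would embed in a decoy file (for instance as a remote image a document loads when opened), and turns a request on that URL into the alert the article describes, printed here instead of emailed. The `/t/<token>.gif` path layout, the 1x1 GIF reply and the sample memo are assumptions.

```python
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

_REGISTRY: dict = {}   # token id -> memo naming the decoy file it was planted in
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01\x00"
         b"\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")  # 1x1 GIF

def create_token(memo: str) -> str:
    """Mint an unguessable token and remember which decoy it belongs to."""
    token = secrets.token_hex(16)
    _REGISTRY[token] = memo
    return token

def beacon_url(base: str, token: str) -> str:
    """URL to embed in the decoy, e.g. as a remote image a document loads when opened."""
    return f"{base.rstrip('/')}/t/{token}.gif"

def handle_hit(path: str, remote_ip: str, headers: dict):
    """Return an alert record if the path carries a registered token, else None.
    Unrelated paths (scanners, typos) are ignored so they cannot raise false alerts."""
    if not (path.startswith("/t/") and path.endswith(".gif")):
        return None
    token = path[len("/t/"):-len(".gif")]
    if token not in _REGISTRY:
        return None
    return {"token": token, "memo": _REGISTRY[token], "remote_ip": remote_ip,
            "user_agent": headers.get("User-Agent", "<none>"),
            "seen_at": datetime.now(timezone.utc).isoformat()}

def format_alert(alert: dict) -> str:
    """Body of the notification the article describes: which decoy, opened from where."""
    return (f"Canary token fired: {alert['memo']}\nSource IP: {alert['remote_ip']}\n"
            f"User-Agent: {alert['user_agent']}\nAt: {alert['seen_at']}")

class CanaryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Behind a reverse proxy, take the client IP from the proxy's forwarding header instead.
        alert = handle_hit(self.path, self.client_address[0], dict(self.headers))
        if alert:
            print(format_alert(alert))  # hook your mail sender here
        self.send_response(200)         # always serve the pixel so the trap looks like any image
        self.send_header("Content-Type", "image/gif")
        self.end_headers()
        self.wfile.write(PIXEL)

if __name__ == "__main__":
    print("embed this URL:", beacon_url("http://127.0.0.1:8080", create_token("fake passwords.txt")))
    HTTPServer(("127.0.0.1", 8080), CanaryHandler).serve_forever()
```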

Conclusion

Ultimately, Security Testing should be a crucial part of any product or development process. While it has been overlooked in the past, studies have shown that as years go by, humans will use cyberspace even more than they do now in order to process and store both arbitrary and sensitive information. Because of this, we need to build an awareness of security hacks that organizations can face, how to prevent them through security testing and how to repair them when the flaws are exposed.

References

Hacking examples:



Do you and your team want to learn more about Security Testing Literacy? Contact us! At PQA, we pride ourselves in being Canada’s leading experts in software testing. We would love to speak with you about how we can support your team.



About Benoît Poudrier

Benoît Poudrier is an Automation Specialist at PQA Testing. Ben has been immersed in programming and QA for over 10 years. He has worked in various roles throughout his career and his experience working with a broad range of clients has provided Ben with a wide array of skills. He has performed manual, functional, automated and performance testing, and he has built regression testing suites for several clients. In addition to training many people on Ranorex automation, he has designed and implemented various automation frameworks while working at PQA. Ben has spent over a year learning about security testing on his own through various online courses and through extensive research on a wide range of security-oriented topics.

https://www.linkedin.com/in/benoit-poudrier-807a1323/

PQA on Twitter