Security Testing
Security testing looks for weaknesses in the system that an
attacker might exploit. Most networks sit behind a software or
hardware firewall, but the firewall has deliberate openings, or
ports, through which the outside world can reach the computers
inside the protected area. These ports are opened intentionally to
provide access for web servers, mail servers, FTP servers, peer to
peer file sharing programs, remote diagnostic tools, instant
messaging, and so on. A single network may well expose over a
hundred such ports, and every one of them is a path an outsider
can try.
Security testing looks for vulnerabilities in the software that
has been set up to handle the traffic arriving on a particular
port or range of ports. For example, Microsoft's Internet
Information Services (IIS), a web server, has had many publicly
reported security vulnerabilities over the years, and Microsoft has
issued many patches to correct them. A web server that is reachable
from the Internet but has not had those patches applied is exactly
what an attacker looks for.
Browsers, such as Internet Explorer, can also give outsiders a
way in, for example through a malicious web page that exploits a
flaw in the browser. It is important to keep such software up to
date by installing the manufacturer's latest fixes as soon as they
are released.
Recommended free resource: the Open Web Application Security
Project (OWASP).
Hacking software is readily available on the Internet, and is
often downloaded and used by "script kiddies", the name given to
inexperienced (often teenage) hackers who want to break into a
system for fun but may have no more than a basic understanding of
how the tools work. They download a scanning script and run it
against thousands of computers overnight, checking which ones have
holes in their security, and then look more closely at the
unprotected computers they found.
The same tools can be downloaded by your organisation and run
against your own network to test your own security before someone
else does. Obtain written authorisation first and run them only
against systems you own or are permitted to test; scanning other
people's systems without permission is a criminal offence in most
jurisdictions.
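As an added example, not part of the original text, the following Python script performs the kind of TCP connect scan these tools do, restricted to the loopback address so it can be run safely. The table of common ports is a constructed sample, and the throwaway listener stands in for an exposed service so the scan has something to find.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# The first ports an attacker's script would try. Constructed sample for
# the example, not an exhaustive list.
COMMON_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
                110: "pop3", 139: "netbios", 143: "imap", 443: "https",
                445: "smb", 1433: "mssql", 3306: "mysql", 3389: "rdp"}


def probe_port(host, port, timeout=0.5):
    """TCP connect scan of one port: True if something accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable: treat as closed
        return False


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Probe every port in `ports` concurrently; return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe_port(host, p, timeout)), ports))
    return sorted(port for port, is_open in results if is_open)


def start_test_listener(host="127.0.0.1"):
    """Stand-in for an exposed service: a throwaway listener on an ephemeral
    port. Returns (port, server_socket); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # server socket was closed
                break

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def free_port(host="127.0.0.1"):
    """Return a port that is currently closed, giving the scan a known negative."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def report(host, ports=COMMON_PORTS):
    """Scan the well-known ports and name the service each open one probably runs."""
    return {port: ports.get(port, "unknown") for port in scan_ports(host, list(ports))}


if __name__ == "__main__":
    listener_port, srv = start_test_listener()
    print("open around the test listener:",
          scan_ports("127.0.0.1", range(listener_port - 5, listener_port + 5)))
    print("well-known ports open on loopback:", report("127.0.0.1"))
    srv.close()
```

A connect scan completes the TCP handshake, so it shows up in the target's logs; that is fine when you are testing your own network, and it is the signal your own monitoring should be raising when someone else does it to you.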
Some obvious things to check for:
- password lists stored in a readable format, such as plain text
or Microsoft DOC files;
- databases holding sensitive data that are neither encrypted nor
password protected;
- program binaries exposed to the outside world, so that the
executable code could be altered;
- user lists stored in a readable format;
- programs with access to sensitive data whose user interface does
not ask for a password;
- a network with a dial-in modem but no, or poor, security on it;
- backup tapes or disks exposed to the outside world, either
physically, via an unprotected storage room, or logically, through
the network;
- a login procedure with no lockout or rate limit, which a robot
program can compromise simply by entering words from a dictionary.
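The last two items on the list, readable password lists and a login that a dictionary robot can grind through, are shown together in the following added example (Python, written for this page, not taken from any product). It stores passwords as salted PBKDF2 hashes rather than in a readable list, and runs the same constructed ten-word dictionary against a login with no lockout and one that locks the account after five failures. The user name, password and word list are all made up for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed word list standing in for a downloaded dictionary; real ones
# have millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome",
            "admin", "summer2019", "iloveyou", "monkey", "dragon"]


class UserStore:
    """Accounts kept as salted PBKDF2-HMAC-SHA256 hashes, never as a readable list."""
    ITERATIONS = 100_000  # modest so the example runs quickly; raise it in production

    def __init__(self):
        self._users = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._users[username] = (salt, digest)

    def check_password(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown user name costs the same time as a wrong password.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, self.ITERATIONS)
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, digest)


class LoginService:
    """Login front end; max_failures=None reproduces a login with no lockout at all."""

    def __init__(self, store, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.store = store
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> clock value at which the lockout ends

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if now < self._locked_until.get(username, 0.0):
            return "locked"
        if self.store.check_password(username, password):
            self._failures.pop(username, None)
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if self.max_failures is not None and count >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures.pop(username, None)
            return "locked"
        return "denied"


def dictionary_attack(service, username, wordlist):
    """The robot program from the checklist: try every word in order and
    report the password that worked (or None) and how many attempts were made."""
    for attempts, word in enumerate(wordlist, start=1):
        if service.login(username, word) == "ok":
            return word, attempts
    return None, len(wordlist)


def run_demo():
    """Run the attack against an unprotected login and a locking one."""
    store = UserStore()
    store.add_user("alice", "summer2019")  # a weak password that is in the word list
    no_lockout = LoginService(store, max_failures=None)
    with_lockout = LoginService(store, max_failures=5)
    return (dictionary_attack(no_lockout, "alice", WORDLIST),
            dictionary_attack(with_lockout, "alice", WORDLIST))


if __name__ == "__main__":
    unprotected, protected = run_demo()
    print("no lockout:  ", unprotected)   # ('summer2019', 7)
    print("with lockout:", protected)     # (None, 10)
```

Against the unprotected login the robot finds the password on the seventh word; against the locking one it is shut out after five failures and the correct word, when it comes up, is refused too. Note the trade-off a practitioner has to weigh: the same lockout lets an attacker lock a legitimate user out on purpose, which is why many systems prefer progressive delays or rate limiting per source address over a hard account lock.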
Threat Modeling looks at an application from an adversary's
perspective and asks what they would seek to exploit and what
countermeasures are in place. Develop realistic threat scenarios.
Analyze the design and architecture to ensure that each threat has
been mitigated, accepted by the business, or transferred to a third
party, such as an insurance firm. When an identified threat has no
mitigation strategy, revisit the design and architecture with the
systems architect and modify the design.
Testers must use a risk-based approach, grounded in both the
system's architectural reality and the attacker's mindset, to
gauge software security adequately. By identifying the risks in
the system and deriving tests from those risks, a software security
tester can focus on the areas of code where an attack is most
likely to succeed. This gives a higher level of software security
assurance than classical black-box testing, which probes the system
without any knowledge of its design.
Note that security testing is all about risk assessment and
mitigation, but the company (or department) may decide that a
given mitigation is not worth the cost of putting it in place.
While this is frustrating for the testers, it is a management
decision based on costs and other factors, and at the end of the
day it is management that makes the decision. The testers' job is
to make sure the risk being accepted is understood and recorded.