Step 1: Identifying the Scope of Security Testing

The main objectives of security testing are the following:

1. ■ Verify and validate that the applications meet the security requirements.

2. ■ Identify security vulnerabilities of applications in the given environment.

Performing a thorough security assessment of a Web application is a complex task that should be approached like any other software analysis task—with a methodology, testing procedures, set of helpful tools, skills, and knowledge. Manual penetration testing as well as automated tools can be used to uncover critical security vulnerabilities in Web applications. The technology used for development and the vulnerability of the applications determine the correct balance of automated scanning and manual penetration testing to provide the best possible Web application security coverage.

Security testing starts with vulnerability assessment. Vulnerability scanning examines a network for security holes in the network segments for IP-enabled devices and enumerates systems, operating systems, and applications. Apart from identifying the operating system version, IP protocols, and TCP/UDP ports that are listening, vulnerability scanning also identifies the common security threats, such as weak passwords, files with liberal permissions, security configuration problems, and so on.

Security testing strategy for an application or product should be developed for each phase such as development, implementation, deployment, operation, and maintenance. Security testing should preferably be performed by an independent testing team. The test target should be identified using a threat model, and all interfaces such as User interface (UI), sockets, file input, API, mail configuration, and devices should be included under the scope. The performance bottlenecks such as network bandwidth, memory, disk space, files, and sockets should be subject to security testing.

Step 2: Test Case Generation and Execution

The security of an application is tested by attempting to violate the built-in security controls. This technique ensures that the protection mechanisms in the system are adequate enough to secure the application from improper and unauthorized access. The tester overloads the system with continuous requests, thereby denying service to others. The tester may deliberately cause system errors to violate security during recovery or may browse through insecure data to find the key to system entry. The following areas need to be tested for security:

1. ■ User authentication

2. ■ Password management

3. ■ Access controls

4. ■ Input validation

5. ■ Exception handling

6. ■ Secure data storage and transmission

7. ■ Logging

8. ■ Monitoring and alerting

9. ■ Change management

10. ■ Application development

11. ■ Periodic security assessments and audits

Buffer overflow, SQL injection, cross-site scripting, parameter tampering, cookie poisoning, hidden fields, debug options, unvalidated input, broken authorization, broken authentication, and session management are some of the areas around which the test cases should be generated for security testing. Ideally, security testing should be performed at the end of functional integration testing and performance testing. This helps to detect hidden security threats in the application.

After completing security testing, the findings should be summarized in a report. The summary report should contain details such as the types of testing conducted and the security risks identified, with ratings, which helps the business take a decision on deployment of the application.

Network Scanning

Network scanning involves using a port scanner to identify whether all hosts are potentially connected to the organization’s network. This identifies all active hosts and open ports, and some scanners will give additional information on the scanned hosts and applications running on a particular port. This should be executed continuously in the system.

Vulnerability Scanning

Apart from scanning the ports, these tools also report on the associated vulnerabilities. Outdated software versions, unapplied patches and system upgrades, noncompliance deviations from the organization’s security policy, and so on are identified. The negative side of vulnerability scanning is that these tools tend to load the system and continuous update of vulnerability database to capture them.

Password Cracking

Password cracking is a process that verifies whether users are employing strong passwords, by intercepting the password hashes in the network.

Password crackers should be run on the system on a monthly basis, or even continuously, to ensure correct password combination throughout the organization.

Log Reviews

Various system logs can be used to identify deviations from the organization’s security policy, including firewall logs, IDS (abbreviation to be mentioned) logs, server logs, and any other logs collecting audit data on systems and networks. Audit logs can be used to validate that the system is operating according to policies.

Manual audit log review is extremely cumbersome and time consuming. Automated audit tools provide a means of significantly reducing the required review time and to generate reports (predefined and customized) that summarize the log contents to a set of specific activities.

File Integrity Checkers

File integrity checker is a tool to recognize changes to files, particularly unauthorized changes. A file integrity checker computes and stores a checksum for every guarded file and establishes a database of file checksums. Stored checksums should be recomputed regularly to test the current value against the stored value to identify any file modifications. The reference database should be stored off-line so that attacks cannot compromise the system and hide their tracks by modifying the database.

Virus Detectors

All organizations are at risk of “contracting” computer viruses, Trojans, and worms if they are connected to the Internet, use removable media (e.g., floppy disks and CD-ROMs), or use shareware/freeware software. With any malicious code, there is also the risk of compromising or losing sensitive or confidential information. To detect viruses, anti-virus software needs to be installed on network and machines. This antivirus software should have an up-to-date virus identification database (sometimes called virus signatures) that allows it to recognize all viruses. To detect viruses, the anti-virus software compares file contents with the known computer virus signatures, identifies infected files, quarantines and repairs them if possible, or deletes them if not. More sophisticated programs also look for viruslike activity in an attempt to identify new or mutated viruses that would not be recognized by the current virus detection database.

Penetration Testing

Penetration testing is security testing in which evaluators attempt to circumvent the security features of a system on the basis of their understanding of the system design and implementation. It is important to determine how vulnerable an organization’s network is and the level of damage that can occur if the network is compromised. A penetration test can be designed to simulate an inside or an outside attack. If both internal and external testing is to be performed, the external testing usually occurs first. With external penetration testing, firewalls usually limit the amount and types of traffic that are allowed into the internal network from external sources. Depending on what protocols are allowed through, initial attacks are generally focused on commonly used and allowed application protocols such as FTP, HTTP, or SMTP and POP.

Approach and Execution

The usability specialist should identify the transactions that affect and are expected to impact the users in terms of usage of the system. The test cases should be written for the following areas:

1. ■ Site design and page design

2. ■ Navigation aids and common look and feel

3. ■ Page size, file size, making pages resize

4. ■ Effects of fonts on legibility

5. ■ Use of textual elements and formatting lists, block text, and tables

6. ■ Improving Web page accessibility

7. ■ When to use images and how to make images more efficient

8. ■ Appearance of links and where and how to use links

9. ■ Improving user efficiency

The usability specialist can write the test cases in a similar format as the functional test cases. The usability experts who are going to execute these test cases should have some basic knowledge of the usage pattern of Web applications, and the expected results should be documented.

Normally, users from different walks of life who will have access to the system should be chosen for executing and documenting their user experience for the usability test. This will closely reflect the real-world situation. Usability testing should be carried out on a real-time system, on a paper prototype, or on a demo application. One of the most effective forms of inspection-based user testing involves the use of a “usability checklist.” Checklist-based user testing is extremely inexpensive to implement, and requires a surprisingly small number of testers to be effective.

The usability testers can be volunteers who will stop at any time to perform the testing. The testers should feel free to speak their minds without fear of hurting the feelings of the product developer even if their mistakes may mean that the developer will have to do more work. You may think the test is a simple matter, and you may even be bored with it, but the testers might take it very seriously.

Guidelines for Usability Testing

The usability specialist should clearly document the guidelines for preparation of usability test cases, definition of outside user for testing, and test execution guidelines for usability testing. The following are some standard guidelines:

1. ■ For all but the simplest and most informal tests, run a pilot test first.

2. ■ Ensure that testers are made to feel at ease, and are fully informed of any observation. Attend at least one test as a participant to appreciate the stress that the testers/participants undergo.

3. ■ Ensure that participants/testers have the option to abandon any tasks that they are unable to complete.

4. ■ Do not prompt participants unless it is clearly necessary to do so.

5. ■ Record the events in as much detail as possible—to the level of keystrokes and mouse clicks if necessary.

6. ■ If there are observers, ensure that they do not interrupt in any way.

7. ■ Be sensitive to the fact that developers may be upset by what they observe or what you report.

Accessibility Testing and Section 508

In 1998, Congress amended the Rehabilitation Act to require federal agencies to make their electronic and information technology accessible to people with disabilities. Inaccessible technology interferes with an individual’s ability to obtain and use information quickly and easily. Section 508 was enacted to eliminate barriers in information technology, to make available new opportunities for people with disabilities, and to encourage development of technologies that will help achieve these goals. The law applies to all federal agencies when they develop, procure, maintain, or use electronic and information technology. Under Section 508 (29 U.S.C. ‘ 794d), agencies must give disabled employees and members of the public access to information that is comparable to the access available to others. Web accessibility means that people with disabilities should be able to use the Web. More specifically, Web accessibility means that people with disabilities should be able to perceive, understand, navigate, and interact with the Web, and contribute to the Web. Web accessibility also benefits others, including older people with changing abilities due to aging.

The standards define the types of technology covered and set forth provisions that establish a minimum level of accessibility. The application section (1194.2) outlines the scope and coverage of the standards. The standards cover the full range of electronic and information technologies in the federal sector, including those used for communication, duplication, computing, storage, presentation, control, transport, and production. This includes computers, software, networks, peripherals, and other types of electronic office equipment. The standards define electronic and information technology, in part, as “any equipment or interconnected system or subsystem of equipment, that is used in the creation, conversion, or duplication of data or information.”

The standards provide criteria specific to various types of technologies, including the following:

1. ■ Software applications and operating systems

2. ■ Web-based information or applications

3. ■ Telecommunication products

4. ■ Video and multimedia products

5. ■ Self-contained, closed products (e.g., information kiosks, calculators, and fax machines)

6. ■ Desktop and portable computers

This section provides technical specifications and performance-based requirements that focus on the functional capabilities of covered technologies. This dual approach recognizes the dynamic and continually evolving nature of the technology involved as well as the need for clear and specific standards to facilitate compliance. Certain provisions are designed to ensure compatibility with adaptive equipment that people with disabilities commonly use for information and communication access, such as screen readers, Braille displays, and TTYs.

Most of the specifications for software pertain to usability for people with vision impairments. For example, one provision requires alternative keyboard navigation, which is essential for people with vision impairments who cannot rely on pointing devices, such as a mouse. Other provisions address animated displays, color and contrast settings, flash rate, and electronic forms, among others.

The criteria for Web-based technology and information are based on access guidelines developed by the Web Accessibility Initiative of the World Wide Web Consortium. Many of these provisions ensure access for people with vision impairments who rely on various assistive products to access computer-based information, such as screen readers, which translate what’s on a computer screen into automated audible output, and refreshable Braille displays. Certain conventions, such as verbal tags or identification of graphics and format devices, such as frames, are necessary so that these devices can “read” them for the user in a sensible way. The standards do not prohibit the use of Web site graphics or animation. Instead, the standards aim to ensure that such information is also available in an accessible format. Generally, this means use of text labels or descriptors for graphics and certain format elements. (HTML code already provides an “Alt Text” tag for graphics that can serve as a verbal descriptor for graphics.) This section also addresses the usability of multimedia presentations, image maps, style sheets, scripting languages, applets and plug-ins, and electronic forms.

The standards apply to federal Web sites but not to private sector Web sites (unless a site is provided under contract to a federal agency, in which case only that Web site or portion covered by the contract would have to comply). Accessible sites offer significant advantages that go beyond access. For example, those with “text-only” options provide a faster downloading alternative and can facilitate transmission of Web-based data to cell phones and personal digital assistants.

The criteria of this section are designed primarily to ensure access to people who are deaf or hard of hearing. This includes compatibility with hearing aids, cochlear implants, assistive listening devices, and TTYs. TTYs are devices that enable people with hearing or speech impairments to communicate over the telephone; they typically include an acoustic coupler for the telephone handset, a simplified keyboard, and a visible message display. One requirement calls for a standard nonacoustic TTY connection point for telecommunication products that allow voice communication but also provide TTY functionality. Other specifications address adjustable volume controls for output, product interface with hearing technologies, and the usability of keys and controls by people who may have impaired vision or limited dexterity or motor control.

Multimedia products involve more than one media and include, but are not limited to, video programs, narrated slide production, and computer-generated presentations. Provisions address caption decoder circuitry (for any system with a screen larger than 13 inches) and secondary audio channels for television tuners, including tuner cards for use in computers. The standards also require captioning and audio description for certain training and informational multimedia productions developed or procured by federal agencies. The standards also provide that viewers be able to turn captioning or video description features on or off.

Section 508 covers products that generally have embedded software but are often designed in such a way that a user cannot easily attach or install assistive technology. Examples include information kiosks, information transaction machines, copiers, printers, calculators, fax machines, and similar types of products. The standards require that access features be built into the system so that users do not have to attach an assistive device to it. Other specifications address mechanisms for private listening (handset or a standard headphone jack), touchscreens, auditory output and adjustable volume controls, and location of controls in accessible reach ranges.

Section 508 also focuses on keyboards and other mechanically operated controls, touch screens, use of biometric form of identification, and ports and connectors.

The performance requirements mentioned in Section 508 are intended for overall product evaluation and for technologies or components for which there is no specific requirement under the technical standards in Subpart B. These criteria are designed to ensure that the individual accessible components work together to create an accessible product. They cover operation, including input and control functions, operation of mechanical mechanisms, and access to visual and audible information. These provisions are structured to allow people with sensory or physical disabilities to locate, identify, and operate input, control, and mechanical functions and to access the information provided, including text, static, or dynamic images, icons, labels, sounds, or incidental operating cues. For example, one provision requires that at least one mode allow operation by people with low vision (visual acuity between 20/70 and 20/200) without relying on audio input because many people with low vision may also have a hearing loss.

The standards also address access to all information, documentation, and support provided to end users (e.g., federal employees) of covered technologies. This includes user guides, installation guides for end-user installable devices, and customer support and technical support communications. Such information must be available in alternate formats upon request at no additional charge. Alternate formats or methods of communication can include Braille, cassette recordings, large print, electronic text, Internet postings, TTY access, and captioning and audio description for video materials.

A standard set of test cases is given in the government Web site that can be used to guide accessibility testing. (Reference: http://www.section508.gov.)