State of Testing Survey 2018

Hey guys, the #StateofTesting survey is closing today. It doesn't take long to complete and will help the QA community around the globe see what the trends and challenges in our area are.

The link to vote is http://qablog.practitest.com/state-of-testing/

Starting with security testing

Security testing is a set of measures to secure an application against unforeseen actions that can cause the application to stop or to expose data. These actions can be intentional (caused by attackers) or unintentional. So apart from the obvious reasons why you should be sure your application is not vulnerable, at the organizational level you have:

  • Responsibility
  • Corporate responsibility
  • Regulatory bodies
  • Compliance
  • Legal
  • Financial

And from the technical point of view:

  • Integrity
  • Authorisation
  • Confidentiality
  • Non-repudiation
  • Availability
  • Authentication


So, what should you do when creating some security tests?

You need to seek permission before you start, then try to learn on sandbox applications or virtual machines, not real environments. Keep focused when doing the tests and prepare threat modelling/survey sessions in advance.

Web security vulnerabilities are prioritized depending on exploitability, detectability and impact on the software.

  • What is needed to exploit the vulnerability?

Highest exploitability when the attack needs only a web browser, lowest when it needs advanced programming and tools.

  • How easy is it to detect the threat?

Highest when the information is displayed in the URL, cookies, a form or an error message, lowest when it is only visible in the source code.

  • How much damage will be done if the vulnerability is exposed or attacked?

Highest being a complete system crash and lowest being nothing at all.


Threat modelling

Threat modelling is a range of techniques for analyzing the security of an application, for example:

  • Data flow diagrams
  • Threat categorization
  • Trust levels


You need to understand how the data is handled at every stage:

  • Entered
  • Stored
  • Transported
  • Presented


Identify the assets you want to protect, which can be physical or abstract:

  • Reputation
  • Customer data/client
  • Corporate data


Threat Modelling – STRIDE

  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of service
  • Elevation of privilege


There are many places to check whether your application is vulnerable, such as:

  • User Inputs
  • Error messages
  • URLs
  • Files and attachments
  • Request/Response headers
  • Insecure User Credentials
  • APIs
  • Cookies


If you want to test for injection flaws, for example, they are exploited by submitting untrusted data that the application passes on to an interpreter. This class of flaw is very common and easy to exploit, and it causes extremely damaging problems if not fixed. It can affect UI elements, URLs, request parameters and cookies. Examples of injection are SQL injection and cross-site scripting.
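As an added example (not code from the original post), here is what such an injection test can look like in Python against an in-memory SQLite database: a lookup that concatenates untrusted input into the query, its parameterised counterpart, and a check that feeds the same untrusted input to both. The table, rows and function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example: three users, one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Untrusted input is spliced straight into the SQL text, so a quote in
    # the input can end the string literal and change the query's meaning.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Parameterised query: the driver passes the value separately from the
    # SQL syntax, so the input is only ever compared as data.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def injection_test(lookup):
    """Security test for a single-user lookup.

    A lookup by one username must return at most that user. We call it with a
    legitimate name and then with a textbook tautology probe; if the probe
    returns any rows, untrusted data reached the SQL interpreter as code.
    Returns True when the lookup resists the probe.
    """
    conn = make_db()
    legit = lookup(conn, "bob")
    probe = lookup(conn, "bob' OR '1'='1")
    return legit == ["bob"] and probe == []


if __name__ == "__main__":
    for fn in (find_user_vulnerable, find_user_safe):
        status = "PASS" if injection_test(fn) else "FAIL"
        print(f"{fn.__name__}: {status}")
```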


Broken Authentication and Session Management

Insecure session management may lead to session hijacking, spoofing or fixation, and to escalation of privilege. It is fairly common and simple to exploit, but can have a wide-ranging and damaging impact. It can affect session tokens, user credentials and request parameters.


Tools


Resources:

https://google-gruyere.appspot.com/

https://www.pluralsight.com/courses/hack-yourself-first

https://www.owasp.org/index.php/Main_Page

https://www.ministryoftesting.com/

https://www.guru99.com/web-security-vulnerabilities.html