What is security testing?
Security testing is a type of software testing performed to check whether an application or product is adequately protected. It is a form of non-functional testing. It checks whether the application is vulnerable to attack: whether someone can compromise the system or log in to the application without authorization.
Security testing also checks for information leakage, for example whether the application's data is protected by encryption and by the surrounding software, hardware and firewall controls. It is the process of determining that an information system protects data and maintains functionality as intended.
The six basic security concepts that need to be covered by security testing are:
1.Confidentiality:- Confidentiality is a set of rules or a promise that limits access to, or places restrictions on, certain types of information. Confidentiality is roughly equivalent to privacy.
Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people while making sure that the right people can in fact get it: access must be restricted to those authorized to view the data in question.
2.Integrity:- Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, after a breach of confidentiality has given them access). These measures include file permissions and user access controls.
3.Authentication:- Authentication is, quite simply, verification of who or what someone is. Authentication is required in systems across commerce and business in order to verify the identity of someone issuing a command, placing an order, or inquiring about information.
Authentication is necessary in almost all interactions of importance in day-to-day life, whether one is attempting to withdraw money from a bank account, find information about one's personal records, place an order with a credit card, or pay off a student loan.
4.Authorization:- Authorization is when a party or entity is given permission, or has the power, to perform a certain task. In complex organizations and structures, authorization is often painstakingly delegated to make sure that only specific people have the authority to decide on important tasks or actions.
Often, the more authorization an entity has to decide on matters of importance, the more authentication is required to take those actions.
5.Availability:- Availability means that authorized users can reach the system and its data whenever they need to. It is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed, and maintaining a correctly functioning operating system environment that is free of software conflicts. It is also important to keep current with all necessary system upgrades.
6.Non-repudiation:- Non-repudiation is a guarantee that a party cannot later deny having sent a message or performed an action; it is provided by digital signatures (encryption on its own does not provide it). It is one of the five pillars of information assurance (IA). The other four are availability, integrity, confidentiality and authentication. Non-repudiation is often used for digital contracts, signatures and email messages.
A digital signature is computed over a hash of the data using the signer's private key, so it proves both who originated the data and that the data has not been altered since. Non-repudiation breaks down if the signer's private key has been exposed, knowingly or unknowingly, because anyone holding that key could have produced the signature.
- Threat:- A potential event that will have an unwelcome consequence if it becomes an attack.
- Vulnerability:- A weakness in a system, such as a coding bug or a design flaw.
- Attack:- Occurs when an attacker has a motive and takes advantage of a vulnerability to threaten an asset.
- Asset:- Something of value that needs protecting; also referred to as the threat target.
- A fault may remain latent or may surface as a failure when the code is executed.
- A vulnerability may remain latent or may be exploited by an attacker, enabling an attack.
Security Testing Taxonomy:-
Common terms used for the delivery of security testing:
- Discovery – The purpose of this stage is to identify systems within scope and the services in use. It is not intended to discover vulnerabilities, but version detection may highlight deprecated versions of software/firmware and thus indicate potential vulnerabilities.
- Vulnerability Scan – An automated tool checks the discovered services for known vulnerabilities. The reported risk level is set automatically by the tool, with no manual verification or interpretation by the test vendor. This can be supplemented with credential-based scanning, which removes some common false positives by using supplied credentials (for example local Windows accounts) to authenticate with a service.
- Vulnerability Assessment – This uses discovery and vulnerability scanning to identify security vulnerabilities and places the findings into the context of the environment under test. An example would be removing common false positives from the report and deciding risk levels that should be applied to each report finding to improve business understanding and context.
- Security Assessment – Builds upon Vulnerability Assessment by adding manual verification to confirm exposure, but does not include the exploitation of vulnerabilities to gain further access. Verification could be in the form of authorized access to a system to confirm system settings and involve examining logs, system responses, error messages, codes, etc.
- Penetration Test – A penetration test simulates an attack by a malicious party. It builds on the previous stages and involves exploitation of the vulnerabilities found to gain further access. This approach gives an understanding of an attacker's ability to gain access to confidential information, affect data integrity or the availability of a service, and the respective impact. It looks at the depth of attack, whereas the Security Assessment approach looks at breadth of coverage.
- Security Audit – Driven by an audit or risk function to look at a specific control or compliance issue. Characterized by a narrow scope, this type of engagement could make use of any of the earlier approaches discussed (vulnerability assessment, security assessment, penetration test).
- Security Review – Verification that industry or internal security standards have been applied to system components or a product. This is typically completed through gap analysis and utilizes build/code reviews or reviews of design documents and architecture diagrams. This activity does not utilize any of the earlier approaches (Vulnerability Assessment, Security Assessment, Penetration Test, Security Audit).
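The discovery stage above notes that version detection can flag deprecated software even though it is not itself a vulnerability scan. The following is an added example, not code from the original page, showing how a tester might post-process service/version output into such flags. The scan lines are constructed for this example (they are not real hosts), and the minimum versions in MIN_VERSION are assumed thresholds chosen for illustration, not vendor end-of-life data. The one non-obvious point it demonstrates is that versions must be compared numerically: as strings, "1.9.15" sorts after "1.20".

```python
import re

# Constructed sample output in the style of a service/version discovery scan.
# These lines were written for this example; they are not real hosts or results.
SCAN_OUTPUT = """\
22/tcp   open  ssh      OpenSSH 7.4
80/tcp   open  http     nginx 1.9.15
443/tcp  open  http     nginx 1.24.0
3306/tcp open  mysql    MySQL 5.5.62
8080/tcp open  http     Apache Tomcat
"""

# Hypothetical minimum acceptable versions agreed for this engagement. They are
# assumed thresholds chosen for illustration, not vendor end-of-life data.
MIN_VERSION = {"OpenSSH": "8.0", "nginx": "1.20", "MySQL": "8.0"}

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")


def split_banner(banner):
    """Split 'nginx 1.9.15' into ('nginx', '1.9.15'); version is None if absent."""
    name = []
    for word in banner.split():
        if word[0].isdigit():
            return " ".join(name), word
        name.append(word)
    return " ".join(name), None


def version_key(version):
    """Turn '1.9.15' into (1, 9, 15) so that 1.9 < 1.20, unlike string order.
    Trailing zeros are dropped so '1.20' and '1.20.0' compare equal."""
    parts = [int(x) for x in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(product, version):
    """Decide whether a detected version falls below the agreed minimum."""
    if version is None:
        return "unknown"          # banner carries no version: verify manually
    minimum = MIN_VERSION.get(product)
    if minimum is None:
        return "no-baseline"      # nothing agreed for this product
    if version_key(version) < version_key(minimum):
        return "outdated"
    return "current"


def discover(scan_text):
    """Parse scan output into a list of services with a version verdict."""
    findings = []
    for line in scan_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        port, proto, service, banner = match.groups()
        product, version = split_banner(banner)
        findings.append({
            "port": int(port),
            "proto": proto,
            "service": service,
            "product": product,
            "version": version,
            "status": classify(product, version),
        })
    return findings


if __name__ == "__main__":
    for f in discover(SCAN_OUTPUT):
        print(f"{f['port']}/{f['proto']:<4} {f['product']:<14} "
              f"{f['version'] or '?':<8} {f['status']}")
```

A service with no version in its banner (the Tomcat line) is reported as unknown rather than silently passed, which is the kind of item the later vulnerability assessment stage resolves by hand.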
What is SQL Injection:-
SQL injection is a code injection technique that exploits the security vulnerability in a website’s software. An SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a poorly designed website to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer.
The vulnerability occurs when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and so is unexpectedly executed as SQL. SQL commands are thus injected from the web form into the application's database queries, either to change the database content or to dump its contents to the attacker.
Example 1: The application uses untrusted data in the following vulnerable login query. The attacker's leading quote closes the string literal, the injected ‘OR 1 = 1’ is always true and so matches every user, and the trailing ‘;/*’ ends the statement and opens a comment that swallows the rest of the original query, including the password check:
Normal login:
Username or Email: Srinivasulu
Password: Mypassword
SELECT * FROM `users` WHERE `username` = 'Srinivasulu' AND `password` = 'Mypassword'
Injected login:
Username or Email: ' OR 1 = 1;/*
Password: Mypassword
SELECT * FROM `users` WHERE `username` = '' OR 1 = 1;/*' AND `password` = 'Mypassword'
Example 2: The application uses untrusted data in the construction of the following vulnerable SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
The attacker modifies the ‘id’ parameter in their browser to send: ' or '1'='1. This changes the meaning of the query to return all the records from the accounts table, instead of only the intended customer's.
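Both examples above, run end to end, as an added example that is not part of the original page. SQLite via Python's sqlite3 module stands in for the page's MySQL/Java setting; the users and accounts rows are constructed for this example and follow the table and column names in the two queries. Each vulnerable string-built query is shown beside its parameterized form so the row counts can be compared. The login payload uses the ‘-- ’ comment form rather than the page's ‘;/*’ so that the injected text stays a single statement for sqlite3.

```python
import sqlite3

# Constructed sample data: a throwaway in-memory SQLite database standing in
# for the application's users and accounts tables. Rows are invented for this
# example; the table and column names follow the two queries on the page.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('Srinivasulu', 'Mypassword'), ('alice', 'hunter2');
        CREATE TABLE accounts (custID TEXT, balance INTEGER);
        INSERT INTO accounts VALUES ('c100', 10), ('c200', 20), ('c300', 30);
    """)
    return conn


# Example 1, as written: the login query is assembled by string concatenation,
# so a quote in the username ends the literal and the rest is parsed as SQL.
def login_vulnerable(conn, username, password):
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


# Example 1, hardened: the values travel as bound parameters, never as SQL text.
def login_safe(conn, username, password):
    return conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Example 2, as written: the id parameter is concatenated into the query.
def accounts_vulnerable(conn, cust_id):
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


# Example 2, hardened: bound parameter again; the payload is just a string value.
def accounts_safe(conn, cust_id):
    return conn.execute(
        "SELECT * FROM accounts WHERE custID=?", (cust_id,)
    ).fetchall()


def run_demo():
    """Return the row counts each variant yields for normal and hostile input."""
    conn = build_db()
    # The page's payload ends in ';/*'. This example uses '-- ' instead so the
    # whole injected query stays one statement, which sqlite3.execute requires.
    bypass = "' OR 1=1 -- "
    dump = "' or '1'='1"
    return {
        "login_normal": len(login_vulnerable(conn, "Srinivasulu", "Mypassword")),
        "login_bypass": len(login_vulnerable(conn, bypass, "wrong")),
        "login_safe_bypass": len(login_safe(conn, bypass, "wrong")),
        "accounts_normal": len(accounts_vulnerable(conn, "c100")),
        "accounts_dump": len(accounts_vulnerable(conn, dump)),
        "accounts_safe_dump": len(accounts_safe(conn, dump)),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:<20} {rows} row(s)")
```

With the bypass payload the vulnerable login returns every user row (the password check has been commented away), and the dump payload makes the vulnerable account lookup return the whole table; the parameterized versions return nothing for either payload because the quote and the OR clause are compared as literal characters in a value, not parsed as SQL.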