Monday, 23 November 2015

Performing Security Testing for Mobile and Web Applications.



In today’s connected world, we rely more and more on web and mobile applications to store and retrieve important information, so the security of these applications needs to be ensured. Security testing identifies the potential threats to and vulnerabilities of the application system.

The different kinds of web and mobile security testing are as follows:

  1. Vulnerability Assessment and Penetration Testing: The vulnerability assessment process discovers the different weaknesses in the system that make threats possible, but it does not rank them by their threat potential. Penetration testing exploits these vulnerabilities and determines the severity of each. Together, the two tests provide a detailed picture of the system’s flaws.
  2. Security Scanning and Auditing: This helps to identify network and system problems.
  3. Risk Assessment: This helps to identify potential hazards and their implications if they occur.
  4. Ethical Hacking (white hat hacking) is another process for exposing the system’s loopholes. Unlike hacking with malicious intent, it is carried out with the organization’s authorization.
  5. Command Injection: Here attackers execute arbitrary commands through an input mechanism that was designed only to pass user-supplied data.
  6. Data Security: There is always a threat of confidential data being stolen. The portability of the device is an additional hazard in this case, so data security testing for mobile is a different process from that for the web. Mobile data protection and data security testing help to identify potential data exfiltration threats.
  7. Session Management: For web applications, the authenticated state of a user is maintained through cookies, which may be HTTP cookies, Flash cookies or Evercookie. On mobile, apart from HTTP and browser connections, apps also communicate with back-end servers directly, so cookie-based authentication does not hold across the board for mobile users. With the different mobile platforms (Android, iOS and Windows), this difference becomes more complicated because each requires a different configuration for VPN.
  8. Unauthorized Access: In a web application, an administrator authorizes user access. In mobile applications this authorization is carried out on both the client side and the server side. Also, when apps are installed they request a range of user permissions, which is not always the user’s preferred choice.
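As an added illustration of item 5 (not code from the original post), the snippet below shows the pattern that makes command injection possible next to a hardened form, plus a cheap detection check a tester could run over request logs. The "ping a hostname" feature, the hostname rule and the sample inputs are constructed for the example.

```python
import re
import shlex
import subprocess

# Constructed scenario: a diagnostic feature that pings a hostname typed in by the user.
# Hostname labels: alphanumerics and hyphens, 1-63 chars each, joined by dots (assumed rule).
HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def build_command_vulnerable(host: str) -> str:
    """The flaw: user input is spliced into a single string meant for a shell.
    Returned rather than executed so it can be inspected safely."""
    return f"ping -c 1 {host}"


def shell_tokens_vulnerable(host: str) -> list:
    """Show what a POSIX shell would make of the vulnerable string: any ';', '|' or '&&'
    in the input becomes a command separator, so extra commands appear as their own tokens."""
    return list(shlex.shlex(build_command_vulnerable(host), punctuation_chars=True))


def is_valid_hostname(host: str) -> bool:
    """Allowlist validation: accept only syntactically valid hostnames, nothing else."""
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def build_command_hardened(host: str) -> list:
    """Validate first, then return an argv list. An argv list run without shell=True is
    never parsed by a shell, so the input can only ever be one argument to ping."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected input: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    # Only validated input reaches this point and no shell is involved.
    return subprocess.run(build_command_hardened(host), capture_output=True, text=True, timeout=5)


def looks_like_injection(value: str) -> bool:
    """Detection check for logs or WAF rules: shell metacharacters in a field
    that is supposed to hold nothing but a hostname."""
    return any(ch in value for ch in ";|&`$(){}\n\x00")


if __name__ == "__main__":
    benign, hostile = "example.com", "example.com; id"   # constructed sample inputs
    print(shell_tokens_vulnerable(hostile))              # 'id' shows up as a separate command
    print(build_command_hardened(benign))
    print(is_valid_hostname(hostile), looks_like_injection(hostile))
```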
Security testing needs to be carried out in parallel with the System Development Life Cycle (SDLC); implementing it later results in increased effort, time and cost.

The security testing associated with each phase of the SDLC is as follows:

Development Phase: Testing

- Requirement Specification: Security Analysis
- Architecture Planning: Risk Analysis
- Design: Security Test Plan
- Coding: White Box Testing
- Integration: Integration Testing, Black Box Testing, System Testing
- Installation: Penetration Testing, Vulnerability Scanning
- Support: Impact Analysis

Below are the mobile testing processes:

- Preparation
- Gather Intelligence
- Threat Modelling
- Vulnerability Analysis
- Vulnerability Assessment
- Develop Countermeasures

When we compare the two, we observe that the basic testing phases are the same for both, but security testing of mobile apps extends a bit further than that of web applications due to:

- Portability
- Always online and geographically traceable
- Device properties
- More focus on app functionality than on security

Conclusion:

In web applications, the security loopholes are associated with SQL injection, redirects and remote file includes. Here, attackers take a black box approach. In mobile application hacking, more reverse engineering skill is applied, as the attackers already have access to the code. Overall, security testing is the most important testing for the success of web or mobile applications. Overlooking security testing can become a major reason for performance pitfalls and the failure of otherwise appealing web and mobile applications.

Thursday, 20 August 2015

Ensuring Software Reliability via Software Security testing.



Security and reliability are two qualitative properties of software that have grown into two different domains of research and analysis. We may consider software reliable only when its security has been ensured. Security testing checks the software’s vulnerability to external attacks. The main security concepts covered by security testing are confidentiality, integrity, authentication, authorization and non-repudiation.

Let us look at some instances where software failures led to severe consequences.

- An incoming missile was identified as ‘friendly’ by a radar system. This led to the sinking of the British destroyer Sheffield.
- A small, unnoticed error eventually led to the loss of 28 lives during the Gulf War: a timing error of 0.000000095 second in every one-tenth of a second, accumulated over 100 hours, caused the Patriot missile to fail to intercept a Scud missile.
- Heartbleed, a bug affecting web servers, made user passwords vulnerable to theft.
- Target announced a breach of its point-of-sale terminals.

Software that once worked perfectly may also show errors if the supporting environment changes. With processors and software pervading our world, the reliability and security of software have become a matter of life and death. Such incidents and considerations have focused our attention on the importance of software security testing for ensuring reliable operation.

The Approach:

Software and software systems are deployed in almost every technical system across domains such as science, commerce and communications. These deployments can be considered reliable only when they have been tested and found secure, since security is an innate quality of any software: its ability to deal with the system’s vulnerabilities against external forces. Software reliability is the ability of the software to operate failure-free for a specified period of time in a specified system, assuming that all the other components of the system are fault-free. The reliability of software keeps changing over time as bugs are detected and fixed, which makes software security testing a continuous process.

The cyber world has become more and more vulnerable to attacks, so security testing must be carried out throughout the lifecycle of the project. Software developers work on two distinct sets of improvements: one that increases reliability and another that establishes security. For software reliability, the bugs that hinder the error-free functioning of the system are fixed; this needs to be done in both the design and the testing phases. The reliability of a system can be tested by releasing a beta version of the software.

To ensure security, developers look for flaws at the operating system level that may lead to breaches; these may be related to heap overflows, buffer overflows, bad code, etc. The main security testing concerns are intrusion detection, authorization, authentication, data integrity and confidentiality, patches, viruses and firewalls. Security testing needs to be embedded into every phase of the System Development Life Cycle, from software requirements to release.


Conclusion:

A risk-based approach must be used to enable software security completely. By creating tests based on risks, the areas of code where an attack could succeed can be easily identified. This assures a higher level of security, which makes the software more reliable. Only continuous software security testing can ensure reliable software as technology trends change.