Monday, 12 September 2016

Best practices for Security Testing of Web Applications



The Internet has today digitally connected the world and has made distances redundant. The web has spawned numerous opportunities for business entities to operate seamlessly with online transactions becoming the order of the day. There is a burst of Business Applications on the web, which has raised concerns regarding their security. Any information leak from these applications can lead to loss of sensitive data and impair individuals as well as organizations. Effective Web Application Testing is a solution to mitigate such risks. 



Security Testing means testing web-based applications for vulnerabilities that could lead to unauthorised access. It also means that confidential data remains confidential and that each user can reach only the areas they are entitled to. For example, a data entry operator at an airline reservation terminal should not get access to crucial reports pertaining to the airline. Likewise, a user should not be able to deny access to other users or change the functionality of an application. Therefore, if the tester identifies any loophole during Security Testing that could be misused, it should be addressed.

Web Application Security Testing identifies a number of techniques to address security breaches. The right approach is to use the entire spectrum of testing methodologies as shown below.

1) Adherence to user-specific access: Any software system should have user-specific areas to which only the concerned user gets authorised access. Also, the areas that lie beyond the remit of a specified user should not in any way be accessible to that user. To elucidate, let us consider an example: A data entry operator in an airline reservation system should be able to enter passengers' details only and should in no way be privy to forms, reports and databases concerning the airline itself. Such user-specific access strengthens the security of a system.

To check compliance, the tester should create multiple user accounts with different access levels and check whether any user-specific area is accessible to 'others.' In the event of non-compliance, the tester should log the issue and propose corrective measures.
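As an added example (not part of the original post), here is a small authorisation matrix for the airline reservation scenario and the check a tester would run across every role and every area to find any access the matrix does not permit; the role and area names are constructed.

```python
# Added example, not the post's own code: an authorisation matrix for the
# airline reservation scenario and a matrix-wide access check. The role and
# area names are constructed for illustration.
from dataclasses import dataclass

# Which application areas each role may use (constructed).
PERMITTED = {
    "data_entry_operator": {"passenger_entry"},
    "reservations_manager": {"passenger_entry", "booking_reports"},
    "administrator": {"passenger_entry", "booking_reports", "user_admin"},
}

ALL_AREAS = set().union(*PERMITTED.values())


@dataclass
class Session:
    user: str
    role: str


def can_access(session: Session, area: str) -> bool:
    """Deny by default: an unknown role or an unknown area is never permitted."""
    return area in PERMITTED.get(session.role, set())


def access_matrix_violations(check) -> list:
    """Exercise every role against every area and return the (role, area)
    pairs where `check` grants access the matrix does not permit. `check` is
    the function under test, so any implementation can be compared against
    the reference matrix the way a tester would do it with multiple accounts."""
    violations = []
    for role in PERMITTED:
        session = Session(user=f"test_{role}", role=role)
        for area in sorted(ALL_AREAS):
            allowed = area in PERMITTED[role]
            if check(session, area) and not allowed:
                violations.append((role, area))
    return violations


def buggy_can_access(session: Session, area: str) -> bool:
    """A deliberately broken check for comparison: it forgets to consult the
    matrix for reports, so every role can read booking_reports."""
    if area == "booking_reports":
        return True
    return can_access(session, area)
```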

2) Breaking passwords: User IDs and passwords are frequently used to log into a secured system. The password authenticates and authorises a user to access the application. Passwords are usually encrypted, but can be guessed by an intruder. The application should ensure that robust passwords are used by requiring a combination of letters, numerals and special characters. Web Application Testing should also include password cracker programs. Moreover, the tester should check whether 'unencrypted' passwords or usernames are stored in cookies, which is a real security issue.

3) Check the URLs: Attackers commonly use HTTP GET requests to extract vital information from a web application by altering the parameters in the query string. The tester should use the same technique to find out whether the application accepts such manipulated queries, and if it does, the gaps should be addressed to deter intruders.

4) SQL Queries: Vital information can be stolen from servers by submitting SQL queries through user input fields. Hence, the tester should ensure that the input field length is predefined. For example, a surname field should allow a maximum of 25 characters instead of 150. Importantly, the input field should not accept special characters such as the single quotation mark (') or script content.

5) Cross Site Scripting (XSS): This attack involves stealing vital data from cookies by injecting HTML or JavaScript code into the application. As part of the Web Application Security Testing process, the tester should ensure that the application does not accept such scripts and that input field lengths remain well defined.
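The surname lookup from point 4, built two ways against an in-memory SQLite table together with the length and character check the post recommends; this is an added example, not code from the original post, and the table contents and inputs are constructed.

```python
# Added example, not the post's own code: the surname lookup built with a
# string-assembled query and with a parameterised one, plus the input check
# the post recommends. Table rows and inputs are constructed.
import re
import sqlite3

SURNAME_MAX = 25                                    # the predefined field length
SURNAME_OK = re.compile(r"^[A-Za-z][A-Za-z \-]*$")  # letters, spaces, hyphens


def validate_surname(value: str) -> bool:
    """Length limit plus a character allow-list, which rejects the single
    quote and angle brackets the post singles out, among other characters."""
    return len(value) <= SURNAME_MAX and SURNAME_OK.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed passenger table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passengers (id INTEGER, surname TEXT)")
    conn.executemany("INSERT INTO passengers VALUES (?, ?)",
                     [(1, "Smith"), (2, "Khan"), (3, "Okafor")])
    return conn


def find_vulnerable(conn, surname: str) -> list:
    """String-built query: the input becomes part of the SQL text, so a
    quote in the input changes the query's structure."""
    sql = f"SELECT surname FROM passengers WHERE surname = '{surname}'"
    return [row[0] for row in conn.execute(sql)]


def find_safe(conn, surname: str) -> list:
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    sql = "SELECT surname FROM passengers WHERE surname = ?"
    return [row[0] for row in conn.execute(sql, (surname,))]


def lookup(conn, surname: str) -> list:
    """Defence in depth: validate first, then use the parameterised query."""
    if not validate_surname(surname):
        raise ValueError("surname rejected by input validation")
    return find_safe(conn, surname)
```

Note that the allow-list also rejects legitimate surnames containing an apostrophe, so the parameterised query, not the character filter, is the control that actually stops injection; the filter is a secondary check.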

Monday, 23 May 2016

Why is Penetration Testing required?



Penetration Testing, or Pentesting, is an authorised attack on a software system, carried out to uncover potential security weaknesses by eventually gaining access to its data and features. Penetration testing can be described, executed and marketed in many ways. It is often confused with a vulnerability scan, security assessment or compliance audit. However, penetration testing stands apart from all of these in the following ways:



- A penetration test is not over after detecting vulnerabilities. It proceeds to the next step of exploiting the vulnerability to establish the attack vectors against the company's data and assets.

- The focus of penetration testing is on the team or individual testers and the experience they bring to the task. This is because even the most sophisticated technologies are vulnerable to the free-thinking human mind, which can analyze and synthesize, is capable of thinking laterally and is driven by unfading motive and determination.

- A penetration test is designed to evaluate the effectiveness of the implemented security controls against a skilled human attacker. An organization with 100% compliance may still be vulnerable to a human threat in the real world.

- A penetration test explores multiple attack vectors against the same target. Most successful compromises are a combination of vulnerabilities and information across different systems.

There are many reasons for conducting penetration testing. The nature and scope of penetration testing is mainly dependent on the driving force of the organization, which in turn determines the goals of testing. This driving force also influences other factors such as scope, target selection, assumptions and the budget allocated for the test.

Considerations for the Penetration Testing

- Scope: It is very important to define what is scoped in and what is scoped out of the target environment. Before the test starts, IP address ranges, external URLs and applications should be clearly defined. Additional scope considerations include the acceptable level of social engineering interaction, physical access to tangible resources, etc. In order to focus efforts on high-value assets, the defined scope should always be prioritized. Limiting the scope concentrates the testing effort on the most important areas of the organization. It is important to maintain a balance in scope definition: if it is too broad, efforts may go astray, and if it is too narrow, the testers may not get enough flexibility to explore all possible paths of exploitation.

- The testing approach: The testing approach can be white box or black box, and each has pros and cons. In white box testing, less time and money is required to identify the tests and more can be invested in the actual exploitation process. However, it runs a potential risk of underestimating inside attackers and leaves them one step closer to the internal environment. On the other hand, the black box approach provides a better real-life perspective of the system from the attacker's point of view. It forces the tester, acting as the attacker, to spend time and effort obtaining internal information without authorization. This provides good intelligence for the organization about potential breaches and enables it to take protective steps.

- Objectives: Establishing the goals and objectives of the test is as important as the scope. It helps to produce a report that addresses the goals. Any objective of priority should be explicitly addressed in the goals. However, it should be taken into account that not all goals can be achieved despite repeated attempts. This is a positive outcome, as it shows that the security stands tall.
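An added example, not part of the original post: a scope definition of the kind the Scope consideration describes, with a check that decides whether a candidate target is inside the agreed IP ranges or URL hosts and not explicitly excluded. The ranges, hosts and exclusions are constructed placeholders.

```python
# Added example, not the post's own code: an in-scope check over constructed
# IP ranges, hostnames and exclusions, run before any target is touched.
import ipaddress
from urllib.parse import urlparse

# Constructed scope definition: in-scope ranges/hosts and explicit exclusions.
SCOPE = {
    "ip_ranges": ["10.20.0.0/16", "203.0.113.0/24"],
    "hosts": ["shop.example.com", "api.example.com"],
    "excluded_ips": ["10.20.5.10"],                 # e.g. a production database
    "excluded_hosts": ["payments.example.com"],
}


def _target_host(target: str) -> str:
    """Accept a bare IP, a hostname (optionally with a port) or a full URL
    and return just the host part, lower-cased."""
    parsed = urlparse(target if "://" in target else f"//{target}")
    return (parsed.hostname or target).lower()


def in_scope(target: str, scope=SCOPE) -> bool:
    """True only if the target is inside an in-scope range or host list and
    is not explicitly excluded. Anything unrecognised is out of scope."""
    host = _target_host(target)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr == ipaddress.ip_address(x) for x in scope["excluded_ips"]):
            return False
        return any(addr in ipaddress.ip_network(r) for r in scope["ip_ranges"])
    if host in scope["excluded_hosts"]:
        return False
    return host in scope["hosts"]


def filter_targets(targets, scope=SCOPE):
    """Split a candidate list into (allowed, rejected) before testing begins,
    so out-of-scope targets are recorded rather than silently dropped."""
    allowed = [t for t in targets if in_scope(t, scope)]
    rejected = [t for t in targets if not in_scope(t, scope)]
    return allowed, rejected
```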

Conclusion

At the end, all that matters is the real-world security. The effectiveness of penetration testing mainly depends on the people trusted with the task. Hence, after a security incident or a security testing, it is necessary for the company to determine the vectors which helped to gain access to the compromised syste

Tuesday, 8 March 2016

Implementing Continuous Security through DevOps



DevOps can be defined as a cultural change in the way of working or as a set of technology practices. It focuses on building quality code and enabling automated testing, based on a culture of continuous improvement that eventually leads to improved stability and throughput and to moving new features to customers quickly. Although DevOps is not a particular set of tools, implementing DevOps practices leads to the use of certain tool sets.



- Version control systems track changes to files and allow collaboration between teams. This enables comparison and merging of versions and rollback of problematic changes.

- The configuration management system automates the building of new systems and enforces consistent installation and configuration of the system and applications across different classes of servers.

- 'Infrastructure as code' can be versioned and tested, ensuring that identical configurations are in place. This improves the odds that software which tested fine in the staging system will also be fine in production.

- The automated system that moves a change through the build, deploy, test and release phases is the key component.

Apart from the efficiency DevOps provides, it can also create challenges for the implementation of security control infrastructure. Deployment through the cloud reduces control over, and visibility of, the hardware and network layers, and complicates the tracking of hardware assets over time. DevOps also blurs the boundaries between development and operations, so their duties are not well segregated.

Security teams need to be engaged early in the DevOps process in order to ensure continuous deployment. The following critical controls may be enforced in order to reduce potential security risks.

  1. Inventory of authorized and unauthorized devices: In a DevOps environment, the very idea of 'devices' and servers is obscured by layers of deployed containers and virtual machines. Hence, cloud provider portals and APIs can provide verification of an automated inventory that covers cloud assets as well.
  2. Inventory of authorized and unauthorized software: Common DevOps practice limits servers to an approved list of installed software. Configuration management tools can also be used to block software versions with known vulnerabilities.
  3. Secure configurations for hardware and software on servers: Installing and running only the required software, and keeping it updated and correctly configured, is one of the best ways to minimize attacks. Once the configurations for the OS and applications are developed, DevOps greatly simplifies the process of syncing them throughout the system.
  4. Continuous vulnerability assessment and remediation: Keeping up with new vulnerabilities is a challenge. However, the DevOps environment provides a strong foundation for testing new patches. Deployment-related security scans verify that all updates are applied and reach all intended targets.
  5. Security of application software: The automated DevOps deployment pipeline performs code review, static analysis and web application scanning before new software is deployed to production. Further, security testing such as tests of security-related functionality, vulnerability scanning and application security scans can be run in parallel with acceptance testing in the staging environment.
  6. Controlled use of administrative privileges: In a DevOps model, the code itself acts as a privileged user. Administrative privileges are used by configuration management to install new software and make configuration changes in response to events and alerts. These credential secrets must only be used by orchestration systems and must not be exposed to unauthorized access.

As the DevOps movement matures, security can no longer be considered an afterthought; rather, best security practices need to be built into the DevOps evolution. Recently, there has been considerable development of tools that help secure the DevOps environment. They range from repository firewalls, new application scanners and security functional test infrastructures to new SSH management solutions.
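An added example, not the post's own code: a deployment gate of the kind controls 2 and 5 describe, which checks a server's installed-package inventory against an approved list with minimum versions and a block list of versions flagged as vulnerable. The package names, versions, policy and inventory are all constructed for the example and say nothing about real releases.

```python
# Added example, not the post's own code: a pipeline gate that compares an
# installed-package inventory with an approved list, minimum versions and a
# block list. All names, versions and the policy are constructed.
import re
from typing import Dict, List, Tuple

# Constructed policy: approved packages and the minimum version allowed.
APPROVED_MIN_VERSION = {
    "nginx": "1.10.3",
    "openssl": "1.0.2k",
    "python3": "3.5.2",
}
# Constructed block list: exact versions that must never be deployed.
BLOCKED_VERSIONS = {("openssl", "1.0.2k-1")}


def version_key(version: str) -> Tuple:
    """Split a version into comparable parts: numeric runs compare as ints
    and letter runs as strings, so '1.10' > '1.9' and '1.0.2k' > '1.0.2j'."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def gate(inventory: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the host may be deployed."""
    findings = []
    for name, version in sorted(inventory.items()):
        if name not in APPROVED_MIN_VERSION:
            findings.append(f"{name} {version}: not on the approved list")
            continue
        if (name, version) in BLOCKED_VERSIONS:
            findings.append(f"{name} {version}: blocked, known vulnerability")
        elif version_key(version) < version_key(APPROVED_MIN_VERSION[name]):
            findings.append(f"{name} {version}: below minimum "
                            f"{APPROVED_MIN_VERSION[name]}")
    return findings


# Constructed inventory, as a configuration management run might report it.
SAMPLE_INVENTORY = {
    "nginx": "1.10.3",
    "openssl": "1.0.2j",
    "python3": "3.5.2",
    "telnetd": "0.17",
}
```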

Conclusion

DevOps practices bring both advantages and disadvantages when a critical-control-based security infrastructure is implemented. The DevOps team needs to build security in early in the process to ensure seamless deployment. The new security tools adopted for DevOps provide a new level of visibility and automation for security control implementations.

Tuesday, 1 March 2016

12 considerations for Cloud Security



A cloud refers to an IT environment which has been designed for remote access of IT resources. The term Cloud originated as a metaphor of the Internet which is a network of networks providing access to a remote set of decentralized IT resources. A cloud is accessible through the Internet and there are many different clouds that are accessible through the Internet.



Cloud computing provides several benefits for organizations and users:

- Almost any type of computing resource can be provisioned on demand.
- Organizations can scale the resources used up and down as required.
- Users pay only for the resources and workloads they have used.

Whichever cloud service provider is used, cloud security is essential for assessing the security of the operating systems and applications running in the cloud. Ensuring ongoing security in the cloud requires well-equipped cloud instances with defensive security controls, assessed for their ability to withstand the latest data breach threats.

The following points can help secure a cloud-based deployment.

1. Understand your shared responsibility: While the cloud provider secures a greater part of the virtualization and physical infrastructure, the rest of the responsibility for the infrastructure falls on the organization using it. Depending on the services used, it is the user's responsibility to enforce application security, policies, configuration etc.

2. Network protection: Use defence in depth and secured services such as
- Virtual Private Networks (VPN)
- Routing rules
- Network ACLs
- Proxy servers: Nginx
- Stateful firewalls
- Network Address Translation (NAT)
- Tools by layer: application: ModSecurity; host: iptables; network: pfSense

3. Protection of the cloud machine images
- Harden machine images
- Change default passwords
- Disable insecure ports and services
- Install anti-virus software
- Use a baseline (STIGs): a system-specific checklist
- Learn the Security Content Automation Protocol (SCAP), which provides multiple tools that assist administrators and auditors in enforcing security baselines.

4. Protection of data at rest: Data at rest refers to inactive data stored digitally. To protect such data:
- Understand the different mechanisms of cloud storage and their security implications.
- Review the options for encryption primitives.
- Consider secure archival and data disposal.
- Tools: LUKS, dm-crypt, GNU shred

5. Protection of data in transit: Data in transit refers to data flowing through a public or private network.
- Always use secure application protocols such as TLS (Transport Layer Security), SSH (Secure Shell) and RDP (Remote Desktop Protocol).
- When the application does not support secure protocols for communication, tunnel the traffic securely: IPsec, SSL VPN, SSH.
- Consider using a key management system.
- Tools: OpenVPN, Openswan.

6. Protection and patching of instances
- Use a configuration management system to patch all cloud-based instances.
- Keep track of zero-day vulnerabilities and classify the risks.
- Tools: OpenVAS

7. Protection of instance access:
- Manage access to cloud instances by using a directory service.
- Create individual user accounts (IAM).
- Grant least privilege based on business needs.
- Enable MFA (multi-factor authentication) for privileged users.
- Audit all user activities.
- Refrain from using root cloud accounts.

8. Application protection
- Implement AAA (Authentication, Authorization and Auditing).
- Understand the OWASP Top 10 security flaws.
- Follow best practices for secure development.
- Tools: Jenkins, PMD, FindBugs

9. Auditing and monitoring the cloud
- Gather the monitoring data in a separate secure network.
- Establish baselines and monitor all layers and protocols.
- Deploy an IDS (Intrusion Detection System) behind the network firewall.
- Fine-tune the alert levels and use redundant channels for alerting.
- Tools: Nagios, ELK Stack, Watcher, Snort.

10. Validate protection
- Periodically test the network, applications and infrastructure for security vulnerabilities.
- Check for input validation, session manipulation, authentication and leakage of information.
- Wherever possible, use third-party tools.
- Tools: Metasploit, Kali Linux, OpenVAS.

11. Automation: Automated provisioning helps with documentation, disaster recovery and planning, and change management.
- Make use of a configuration management system like Chef or Puppet to manage configuration centrally.
- Consider infrastructure as code.
- Implement continuous integration and continuous delivery.
- Tools: Docker, Ansible and Chef.

12. Update security policy
- Define the scope and boundaries of security.
- Implement a proper methodology for risk assessment, identification and remediation.
- Align policies with the contractual obligations of the cloud provider.
- Make use of compliance management tools: OpenFISMA, PTA, SOMAP, GLPI.
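An added example, not part of the original post: an audit of the kind point 7 calls for, run over constructed user records (the record format is an assumption, not any provider's API output), flagging privileged users without MFA, use of the root cloud account and credentials that have gone unused.

```python
# Added example, not the post's own code: an instance-access audit over
# constructed account records. The record layout is assumed for the example.
from datetime import date, timedelta

# Constructed account records for a hypothetical cloud tenant; "root" stands
# for the provider's all-powerful root account, the others are IAM users.
USERS = [
    {"name": "root", "privileged": True, "mfa": True, "last_login": date(2016, 2, 27)},
    {"name": "alice", "privileged": True, "mfa": True, "last_login": date(2016, 2, 28)},
    {"name": "bob", "privileged": True, "mfa": False, "last_login": date(2016, 2, 29)},
    {"name": "carol", "privileged": False, "mfa": False, "last_login": date(2015, 9, 1)},
]
AUDIT_DATE = date(2016, 3, 1)      # constructed "today" so the run is reproducible
STALE_AFTER = timedelta(days=90)   # credentials unused this long get reviewed


def audit_users(users, today, stale_after=STALE_AFTER):
    """Return (user, finding) pairs. Each rule is one of the post's points:
    the root account should not be used for routine work, privileged users
    must have MFA, and unused credentials should be reviewed or disabled."""
    findings = []
    for u in users:
        last = u["last_login"]
        if u["name"] == "root" and last is not None:
            findings.append((u["name"], "root account in use; work from individual IAM users"))
        if u["privileged"] and not u["mfa"]:
            findings.append((u["name"], "privileged user without MFA"))
        if last is None or today - last > stale_after:
            findings.append((u["name"], "credentials unused; review or disable"))
    return findings


def audit_sample():
    """Run the audit over the constructed records at the constructed date."""
    return audit_users(USERS, AUDIT_DATE)
```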

Conclusion 

There are some things that are easier and some things that are harder in the cloud. The steps listed above will however get you started on your improvement cycle for continuous security. Before you get started and implement a cloud application on grounds of time and cost, it is essential to understand the data involved and the security breach threats to it.

Whenever an organization moves to a new application or positions one, it will either drive sales up, drive operational costs down, or both. By making well-informed choices, cloud computing can offer your business value, choice and agility, which are the most compelling reasons for implementing a new application in the cloud.

For more details on cloud security, please visit: http://www.gallop.net/cloud-application-security-testing