Security Testing for Web Applications
Security is a very critical aspect of Web Applications, keeping in mind the alarming rise in cyber crimes and intrusion attempts by malicious users. The financial losses and legal consequences that organizations can face due to security incidents are immense. This paper addresses some of the common maladies faced by QA Personnel and Customers from a Security Perspective. It describes the common Security vulnerabilities in applications with examples and techniques for testing the application for those vulnerabilities. Modelling techniques are discussed that help in identifying vulnerabilities and evaluating the Security Risks for an application. The paper suggests Processes, a Framework, and Tools to help in providing highly effective and low cost Security Testing Solutions (specifically Penetration Testing) for Web Applications. Embedded in the paper are Traceability Templates, a Test Plan Template, a Checklist and a Process flow for Security Testing. The objective is to enable detection of Security loopholes in applications at an early stage, to help in protecting applications and data from malicious users and to ensure information availability and integrity. Current trends in the IT Security Industry and budgeting guidelines are discussed, which will help organizations in making budgeting decisions for Application Security. Security breaches are discussed with their impact and examples.

 

1. Introduction

Businesses today are under increasing pressure to be more accountable: accountable to investors, accountable to government, and accountable to the market (customers). Business accountability now includes security – specifically, software security. Industry experts estimate that 70% of intrusion attempts are made at the application level. Reactive approaches such as patching are becoming increasingly ineffective with the growth of zero-day attacks (attacks that take advantage of software vulnerabilities for which there are no fixes) and the shrinking half-life of vulnerabilities (the time between when a vulnerability is released and when it is exploited).

 

The costs of application security are significant – and escalating. The U.S. Department of Commerce’s National Institute of Standards and Technology reports that software flaws each year cost the U.S. economy $59.6 billion, including the cost of attacks on flawed code. The report also confirmed that remediation of software security problems after the occurrence of security incidents is expensive and time-consuming – as much as six times the cost of fixing them during the coding/testing stage.
Web Applications – Attacks on Port 80: Web Applications are being increasingly used today by organizations to conduct business online. Many of these applications utilize HTTP through Port 80 and expose the organization to security threats from crafted requests, hostile mobile code, and inappropriate web content. Port 80 is used by all HTTP traffic and therefore always has to be left open. An attacker can pass a specifically crafted — but legitimate — HTTP message through the firewall to a Web server, exposing its vulnerabilities. Attacks buried in these messages sail past firewalls, filters, platform hardening, SSL, and IDS without notice because they are inside legal HTTP requests. The HTTP message can then exploit one or more of these vulnerabilities and cause a chain of events that ultimately allows the intruder to obtain privileged access to the Web server machine. The vast majority of attacks, nearly 80 percent, are launched on port 80, the same port that Web traffic flows on. This poses a particular problem because curtailing access to port 80 would also negatively affect productivity and access to Web traffic.

 

2. The Scenario - Current Trends and Security Breaches

 

2.1 Current Trends in IT Security Industry

The Computer Security Institute (CSI) conducts the “Computer Crime and Security Survey” regularly. The survey covers the top 500 US Corporations, government agencies, financial institutions, medical institutions and universities. The following are some of the highlights of a recent survey by CSI:

Budget Allocation - Up to 5% of IT Budget spent for IT Security

An increased investment in IT Security resulting in decreased Financial Losses

Losses of $142 Million reported amongst 480 top US Companies due to Cyber Attacks

Insurance - More Organizations (currently 30%) opting for Cyber Security Insurance

Audits & Training - More Organizations (currently 80%) conducting Security Audits and Security Awareness Training

There is likely to be an increase in investments in IT Security initiatives, with many laws and acts coming into the picture. In particular, the Sarbanes-Oxley Act (SOX), currently drawing much limelight, requires stringent Security Controls to be implemented on Applications dealing with financial data. Also, ensuring compliance with Security Standards such as BS7799 requires significant investment in IT Security.

 

2.2 Security Breaches

A security breach of an application is the violation of the security controls built into the application in order to gain unauthorized access to application resources.

 

Examples of Security Breaches:

Employee tampering with Payroll Data

Airlines tricked into selling air travel tickets for a few dollars

Exposure of Online Customers' credit card details

Manipulation of Corporate Company's invoice/billing data

Websites defaced with controversial content

   

Impact of Security Breaches:

IT Staff – Wastage of Manpower: This happens due to the additional effort IT Staff spend on fixing/patching the security flaws and on tracking down the culprits.

Non-availability of information: This happens when business critical information is tampered with or made inaccessible by attacking and crashing the application servers.

Legal Consequences: Many cyber security laws/acts make it mandatory for companies to protect their customers’ confidential data. These laws hold the company accountable for any security breaches.

Increases in insurance premiums: With more IT companies opting for Cyber Security Insurance, repeated security breaches and losses could result in Insurance companies charging organizations higher premiums.

Loss of Public Image: Reported security breaches lead to negative publicity and loss of reputation.

Loss of Customer Trust: A large number of customer relationships are based on assurances of confidentiality of Customer Data. Such relationships are damaged when there is a breach of data confidentiality.

Competitor’s access to information: Any confidential or proprietary information falling into the hands of competitors could place them in an advantageous position and give them the edge.

 
