Security Testing in an Agile Development World
Security testing is a key component of software quality. A program may meet functionality and performance requirements, but that does not guarantee security. In this blog post I will present different security testing methods and provide a few tips for conducting a more secure code review. But first, let’s understand what software security is intended for.
The Goal of Software Security
Software security is intended to help the CIA. No, not the CIA you’re thinking of, but rather:
CIA - Confidentiality, Integrity and Availability.
According to NIST, this means:
- Confidentiality - preserving authorized restrictions on access and disclosure, including a means for protecting personal privacy and proprietary information;
- Integrity - guarding against improper information modification or destruction, and includes ensuring information nonrepudiation, accuracy, and authenticity.
- Availability - ensuring timely and reliable access to, and use of, information.
The Impact of Inadequate Software Security
Some of the consequences of lack of security include:
- Damaging the organization’s brand name
- Loss of customer trust
- Negative impact on sales
- Expensive vulnerability remediation cost
- Production impact
- Expenditures to recover from a website crash (reinstalling services, restoring backups, etc.) and downtime
- Fees and legal repercussions
How to Achieve Software Security in the Software Development Lifecycle
A very effective way to achieve secure software is to build secure development, deployment, and maintenance principles and practices into the development life cycle processes themselves. In the testing process, this means making sure that systems are protected and can function as needed.
Security Testing Approaches & Techniques
Let’s look at three security testing types that cover the software development lifecycle from end to end.
1. Threat Modeling
A threat is a potential source of harm that can exploit a system vulnerability. Threat modeling is a constant, iterative process of identifying and prioritizing these probable threats and documenting the actions that need to be taken in each case. As a result, threat modeling helps identify and investigate potential threats and vulnerabilities, which assists in finding architecture risks earlier in the development lifecycle. Threat modeling allows the testing team to be involved in the whole application development process, so as to identify critical bugs and make better security decisions.
The Threat Modeling Process
Let’s see how the threat modeling process works:
- Planning: Defining your application, data flow and assets involved.
- Identification: Identifying and classifying the types of threats the application is exposed to, such as data manipulation or SQL injection.
- Mitigation: Identifying tools and technologies that protect the software against the risks identified above.
- Remediation: Validating the software with the chosen tool and recording the risks it captures. Risk identification is a continuous process, so the tool needs to be run in every iteration of a certified development build.
Some examples of threat modeling tools include:
- OWASP Threat Dragon
- Microsoft Threat Modeling Tool
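The four steps above expressed as code, as an added example that is not from the post or from either tool it names: planning is the list of data flows, identification is a rule table, mitigation is what each flow records, and the remediation check is a function that can be re-run on every build. All zones, flows, severities and rule names are constructed for illustration.

```python
# Added example (not from the post or from any tool it names): the four-step
# threat modeling process expressed as code so the remediation check can be
# re-run on every build. All zones, flows and severities are constructed.
from dataclasses import dataclass, field

@dataclass
class Flow:
    name: str
    source: str          # trust zone the data comes from: internet, app, db
    dest: str            # trust zone the data goes to
    data: str            # "public" or "sensitive"
    mitigations: set = field(default_factory=set)

# Identification rules: (predicate on a flow, threat, severity 1-10,
# mitigation that must be recorded on the flow for the threat to count as handled)
RULES = [
    (lambda f: f.source == "internet" and f.dest == "app",
     "SQL injection via untrusted input", 9, "parameterized queries"),
    (lambda f: f.dest == "internet",
     "cross-site scripting in rendered output", 7, "output encoding"),
    (lambda f: f.data == "sensitive" and "internet" in (f.source, f.dest),
     "disclosure of sensitive data in transit", 8, "TLS"),
    (lambda f: f.data == "sensitive" and f.dest == "db",
     "data manipulation by direct DB access", 6, "least-privilege DB account"),
]

def identify(flow):
    """Identification step: threats that apply to one data flow."""
    return [(threat, sev, mit) for pred, threat, sev, mit in RULES if pred(flow)]

def open_risks(flows):
    """Remediation step: threats whose mitigation is not yet recorded,
    highest severity first. Run this in every iteration of the build."""
    risks = [(sev, f.name, threat, mit)
             for f in flows for threat, sev, mit in identify(f)
             if mit not in f.mitigations]
    return sorted(risks, reverse=True)

# Planning step: a constructed model of a small web application.
MODEL = [
    Flow("login form -> API", "internet", "app", "sensitive",
         {"TLS", "parameterized queries"}),
    Flow("API -> users table", "app", "db", "sensitive"),
    Flow("API -> profile page", "app", "internet", "public", {"TLS"}),
]

if __name__ == "__main__":
    for sev, flow, threat, mit in open_risks(MODEL):
        print(f"[{sev}] {flow}: {threat} -> add {mit}")
```

Running it lists the two flows whose mitigations are still missing, so a build can fail until they are recorded or the model is updated.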
2. Penetration Testing
A penetration test, also known as a pen test, is a simulated cyber-attack against your software system to check for exploitable vulnerabilities. Penetration Testing targets the security weaknesses that enable attackers to gain access to the data. As a result, penetration testing helps in assessing the overall security posture and identifying vulnerabilities before the attackers do.
The Pen Test Process
Let’s see how the penetration testing process works:
- Define the scope: Determining the testing methods and the level of exploitation required when trying to find vulnerabilities.
- Exploration/Access Vulnerabilities: Discover all possible vulnerabilities and intrusion paths.
- Penetration testing: Test all possible exploitations in order to discover new vulnerabilities. In this stage, the web application is attacked to uncover vulnerabilities and to check whether a bad actor is able to access the application and gain in-depth access.
- Risk analysis and mitigation: All the vulnerabilities found during the test should be listed, and recommendations should be provided for filling the security gaps. Information on which sensitive data was accessed and on the duration of the attack should also be provided, so that fixes can be applied to prevent these attacks in later phases.
- Pen test report: A detailed report of the list of issues along with severities should be shared with the team so that severity 1 issues can be prioritized and fixed.
Types of Penetration Testing:
- Network Service Tests: Evaluating the network system and the services provided for probable security issues. Issues could be on servers, routers, switches, DNS, IPs, etc.
- Web Application Tests: Testing all functionalities and interfaces with all sets of data in web applications.
- Client Side Tests: Exercising client-side application programs such as email clients and web browsers to find exploitable vulnerabilities.
- Wireless Network Tests: Exploration, identification of wireless networks, vulnerability examination, exploitation, test report, and remediation.
- Social Engineering Tests: Emphasizes people and processes and the vulnerabilities associated with them. This type of test consists of an ethical hacker directing attacks such as phishing, or impersonating a person during the course of their work.
Some examples of Penetration Testing tools include:
3. Code Reviews
Code reviews can improve software security by removing common vulnerabilities such as memory leaks, format string exploits and buffer overflows. As a result, code reviews help developers find and fix software vulnerabilities in the development cycle itself. This makes the mitigation process less expensive than correcting code after deployment to production.
Application security code review focuses on high risk parts of code. Vital actions in this process include leveraging threat/vulnerability assessment to identify which part of the code should be manually reviewed and where Static Application Security Testing (SAST) tools need to analyze source code to identify probable security flaws in the application.
Code reviews can be either automated or manual, and should address issues like security risks from open source tools, business logic and QA test layering.
Security Code Review Best Practices:
- Sensitive data that is used in the codebase should always be encrypted.
- Ensure unit tests cover input data validation so that attacks like injection and cross-site scripting can be prevented.
- Ensure there are no memory flaws in the code and safe memory practices are followed. This helps avoid SQL injection and OS command injection.
- Avoid object references to files that a user can manipulate, and guard against path traversal.
- Collaborate and share your knowledge with the team about bugs and security issues identified in earlier stages so they can be addressed and avoided.
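The injection, cross-site scripting and path traversal items above, as an added example that is not from the post: a query built by concatenation beside its parameterized fix, output encoding for HTML, and a path check that refuses to leave a base directory, each with a constructed unit-test input. The table, rows, paths and function names are all assumptions made for the example.

```python
# Added example (not from the post): checks a security code review asks for,
# each paired with a constructed unit-test input. Uses an in-memory SQLite
# database; every name, row and path here is constructed.
import html
import sqlite3
from pathlib import Path

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def find_role_unsafe(db, name):
    # Review finding: the query is built by string concatenation, so the
    # input is interpreted as SQL (injection).
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_role_safe(db, name):
    # Fix: bind the value as a parameter; the driver never parses it as SQL.
    rows = db.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def render_greeting(name):
    # Cross-site scripting fix: encode user data before placing it in HTML.
    return f"<p>Hello, {html.escape(name)}</p>"

def open_under(base, user_path):
    """Resolve a user-supplied path under base and refuse any result that
    escapes it (path traversal). Returns the resolved Path."""
    root = Path(base).resolve()
    target = (root / user_path).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"{user_path!r} escapes {base}")
    return target

# Unit-test inputs a reviewer can ask for. The tautology payload returns every
# row from the unsafe query but nothing from the parameterized one.
INJECTION = "x' OR '1'='1"
SCRIPT = "<script>alert(1)</script>"

if __name__ == "__main__":
    db = make_db()
    print(find_role_unsafe(db, INJECTION))   # ['admin', 'user']
    print(find_role_safe(db, INJECTION))     # []
    print(render_greeting(SCRIPT))
```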
Some examples of Code Review tools include:
- Review Board
By incorporating security testing practices into your software development lifecycle, you can help minimize the attack surface. For more information, reach out to your CISO, or IT and security team.