LightBlog

Thursday 23 May 2019


OWASP Tutorials - Principles of Testing Project

 
There is no silver bullet. While it is tempting to think that a security scanner or application firewall will either provide a multitude of defenses against attack or identify a multitude of problems, in reality there is no silver bullet for the problem of insecure software.

Application security assessment software, while useful as a first pass to find low-hanging fruit, is generally immature and ineffective at in-depth assessments or at providing adequate test coverage.

Remember that security is a process and not a product.

Think Strategically, Not Tactically 

In the past few years, security professionals have come to realize the fallacy of the patch-and-penetrate model that was pervasive in information security during the 1990s.

The patch-and-penetrate model involves fixing a reported bug, but without proper investigation of the root cause.

This model is usually associated with the window of vulnerability shown in the figure below.

The evolution of vulnerabilities in the common software used throughout the world has shown the ineffectiveness of this model. Please see the reference for more information about the window of vulnerability.

Vulnerability studies have shown that, with the reaction time of attackers worldwide, the typical window of vulnerability does not provide enough time for patch installation, since the time between a vulnerability being uncovered and an automated attack against it being developed and released is decreasing.

There are several incorrect assumptions in the patch-and-penetrate model. Many users believe that patches interfere with normal operations and might break existing applications.

It is also wrong to assume that all users are aware of the newly released patches. 

As a result, not all users of a product will apply patches, either because they think patching may interfere with the way the software works, or because they lack knowledge about the existence of the patch.



To prevent security problems within an application, it is necessary to build security into the Software Development Life Cycle (SDLC).

Developers can build security into the SDLC by developing standards, policies, and guidelines that fit and work within the development methodology.

Threat modeling and other techniques should be used to help assign appropriate resources to those parts of the system that are most at risk.

The SDLC is King 

The SDLC is a process that is well known to developers. By integrating security into each phase of the SDLC, this allows for a holistic approach to application security that leverages the procedures already in place within the organization. Be aware that while the names of the various phases may change depending on the SDLC model used by an organization, each conceptual phase of the archetype SDLC will be used to develop the application (i.e., define, design, develop, deploy, maintain).

There are security considerations in each phase that should be part of the existing process, to ensure a cost-effective and comprehensive security program.

There are several secure SDLC frameworks that provide both descriptive and prescriptive advice.

Whether a person takes descriptive or prescriptive advice depends on the maturity of the SDLC process. Essentially, prescriptive advice shows how the secure SDLC should work, and descriptive advice shows how it is used in the real world. Both have their place.

For example, if you do not know where to start, a prescriptive framework can provide a menu of potential security controls that can be implemented within the SDLC. Descriptive advice can then help drive the decision process by presenting what has worked well for other organizations.

Descriptive secure SDLCs include BSIMM-V, and the prescriptive secure SDLCs include OWASP's Open Software Assurance Maturity Model (OpenSAMM) and ISO/IEC 27034 Parts 1-8, some of which are still in development.

Test Early and Test Often

When a bug is detected early within the SDLC, it can be addressed faster and at a lower cost. A security bug is no different from a functional or performance-based bug in this regard.

A key step in making this possible is to educate the development and QA teams about common security issues and the ways to detect and prevent them.

Although new libraries, tools, or languages can help design programs with fewer security bugs, new threats arise constantly, and developers must be aware of the threats that affect the software they are developing.

Education in security testing also helps developers acquire the appropriate mindset to test an application from an attacker's perspective. This allows each organization to consider security issues as part of its existing responsibilities.

Understand the scope of security

It is important to know how much security a given project will require. The information and assets that are to be protected should be given a classification that states how they are to be handled (e.g., confidential, secret, top secret).
Discussions should occur with legal counsel to ensure that any specific security requirements will be met.

In the United States, requirements might come from federal regulations, such as the Gramm-Leach-Bliley Act, or from state laws, such as California SB-1338. For organizations based in EU countries, both country-specific regulation and EU directives may apply.

For example, Directive 96/46/EC makes it mandatory to treat personal data in applications with due care, whatever the application.

Develop the Right Mindset

Security vulnerabilities require "outside the box" thinking to test an application successfully.

Normal use cases will test the normal behavior of the application when a user is using it in the manner that is expected. Good security testing requires going beyond what is expected and thinking like an attacker who is trying to break the application.

Creative thinking can help determine what unexpected data may cause an application to fail in an insecure manner.

It can also help find any assumptions made by web developers that are not always true, and how those assumptions can be subverted.

This is one of the reasons why automated tools are actually bad at automatically testing for vulnerabilities: testing must be done on a case-by-case basis, because most web applications are being developed in a unique way (even when using common frameworks).

Understand the Subject 

One of the first major initiatives in any good security program should be to require accurate documentation of the application.

The architecture, data-flow diagrams, use cases, etc. should be recorded in formal documents and made available for review.

The technical specification and application documents should include information that lists not only the desired use cases, but also any specifically disallowed use cases.

Finally, it is good to have at least a basic security infrastructure that allows the monitoring and trending of attacks against an organization's applications and networks (e.g., IDS systems).

Use the Right Tools

While we have already stated that there is no silver bullet tool, tools do play a critical role in the overall security program. There is a range of open source and commercial tools that can automate many routine security tasks.

These tools can simplify and speed up the security process by assisting security personnel in their tasks.

However, it is important to understand exactly what these tools can and cannot do, so that they are not over-relied upon or used incorrectly.

The Devil is in the Details

It is critical not to perform a superficial security review of an application and consider it complete.

This will instill a false sense of confidence that can be as dangerous as not having done a security review in the first place.

It is vital to review the findings carefully and weed out any false positives that may remain in the report.

Reporting an incorrect security finding can often undermine the valid message of the rest of a security report.

Care should be taken to verify that every possible section of application logic has been tested, and that every use case scenario was explored for possible vulnerabilities.

Use Source Code When Available

While black-box penetration test results can be impressive and useful to demonstrate how vulnerabilities are exposed in a production environment, they are not the most effective or efficient way to secure an application.

It is difficult for dynamic testing to cover the entire code base, particularly if many nested conditional statements exist.

If the source code for the application is available, it should be given to the security staff to assist them while performing their review.

It is possible to discover vulnerabilities within the application source that would be missed during a black-box engagement.

Develop Metrics

An important part of a good security program is the ability to determine if things are getting better.

It is important to track the results of testing engagements and develop metrics that will reveal the application security trends within the organization. Good metrics will show:

  • If more education and training are required;
  • If there is a particular security mechanism that is not clearly understood by the development team;
  • If the number of security-related problems being found each month is going down.

Consistent metrics that can be generated in an automated way from available source code will also help the organization in assessing the effectiveness of mechanisms introduced to reduce security bugs in software development.

Metrics are not easily developed, so using standard metrics like those provided by the OWASP Metrics Project and other organizations is a good starting point.
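The three signals listed above can be derived directly from a log of engagement findings. The following is an added example, not code from the OWASP guide or from this post: it keeps one record per finding and computes the monthly count trend, the vulnerability classes that keep recurring (a training need), and the security mechanisms that are misapplied across several applications (a mechanism the team does not understand). The findings list is constructed sample data, and the record fields ("found", "app", "category", "mechanism", "severity") and the thresholds are my own assumptions rather than an OWASP Metrics Project schema.

```python
"""Turn test-engagement findings into the metrics the guide describes.

Added example, not code from the OWASP guide or this post. The findings
list is constructed sample data; the field names and thresholds are
assumptions, not an OWASP Metrics Project schema.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample findings, one record per vulnerability reported by a
# test engagement. "mechanism" names the security control the finding
# relates to, so misapplied controls can be spotted across applications.
FINDINGS = [
    {"found": date(2019, 2, 11), "app": "portal", "category": "XSS", "mechanism": "output encoding", "severity": "high"},
    {"found": date(2019, 2, 11), "app": "portal", "category": "SQLi", "mechanism": "parameterized queries", "severity": "high"},
    {"found": date(2019, 2, 11), "app": "portal", "category": "CSRF", "mechanism": "anti-CSRF token", "severity": "medium"},
    {"found": date(2019, 2, 25), "app": "api", "category": "XSS", "mechanism": "output encoding", "severity": "medium"},
    {"found": date(2019, 3, 13), "app": "portal", "category": "XSS", "mechanism": "output encoding", "severity": "high"},
    {"found": date(2019, 3, 13), "app": "billing", "category": "XSS", "mechanism": "output encoding", "severity": "medium"},
    {"found": date(2019, 3, 27), "app": "api", "category": "Auth", "mechanism": "session management", "severity": "high"},
    {"found": date(2019, 4, 9), "app": "billing", "category": "XSS", "mechanism": "output encoding", "severity": "low"},
    {"found": date(2019, 4, 23), "app": "api", "category": "SQLi", "mechanism": "parameterized queries", "severity": "high"},
]


def month_key(finding):
    """Calendar month of a finding as 'YYYY-MM'."""
    return finding["found"].strftime("%Y-%m")


def findings_per_month(findings):
    """Number of findings per calendar month, keyed 'YYYY-MM' in date order."""
    return dict(sorted(Counter(month_key(f) for f in findings).items()))


def monthly_trend(findings):
    """Classify the month-over-month change in the number of findings."""
    counts = list(findings_per_month(findings).values())
    if len(counts) < 2:
        return "insufficient data"
    deltas = [later - earlier for earlier, later in zip(counts, counts[1:])]
    if all(d == 0 for d in deltas):
        return "flat"
    if all(d <= 0 for d in deltas):
        return "decreasing"
    if all(d >= 0 for d in deltas):
        return "increasing"
    return "mixed"


def recurring_categories(findings, min_months=2):
    """Vulnerability classes found in at least min_months distinct months.
    A class that keeps coming back is a sign that training is needed."""
    months_seen = defaultdict(set)
    for f in findings:
        months_seen[f["category"]].add(month_key(f))
    return sorted(c for c, months in months_seen.items() if len(months) >= min_months)


def misunderstood_mechanisms(findings, min_findings=3, min_apps=2):
    """Controls misapplied repeatedly and across several applications,
    which suggests the mechanism itself is not understood by the team."""
    hits = Counter(f["mechanism"] for f in findings)
    apps_seen = defaultdict(set)
    for f in findings:
        apps_seen[f["mechanism"]].add(f["app"])
    return sorted(m for m, n in hits.items()
                  if n >= min_findings and len(apps_seen[m]) >= min_apps)


def metrics_report(findings):
    """Collect the signals the guide lists into one summary dictionary."""
    return {
        "findings_per_month": findings_per_month(findings),
        "trend": monthly_trend(findings),
        "training_needed_for": recurring_categories(findings),
        "misunderstood_mechanisms": misunderstood_mechanisms(findings),
    }


if __name__ == "__main__":
    for name, value in metrics_report(FINDINGS).items():
        print(f"{name}: {value}")
```

On the sample data the monthly count falls from 4 to 3 to 2, XSS and SQL injection recur across months, and "output encoding" is flagged because it was misapplied five times across three applications; the thresholds are deliberately low for the small sample and would be tuned to an organization's own volume of findings.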

Document the Test Results

To conclude the testing process, it is important to produce a formal record of what testing actions were taken, by whom, when they were performed, and details of the test findings.

It is wise to agree on an acceptable format for the report that is useful to all interested parties, which may include developers, project management, business owners, the IT department, audit, and compliance.

The report must be clear to the business owner in identifying where material risks exist, and sufficient to get their backing for subsequent mitigation actions.

The report should also be clear to the developer in pin-pointing the exact function that is affected by the vulnerability, with associated recommendations for resolving the issue in a language that the developer will understand. The report should also allow another security tester to reproduce the results.

Writing the report should not be overly burdensome on the security tester.

Security testers are generally not renowned for their creative writing skills, and agreeing on a complex report can lead to instances where test results are not properly documented.

Using a security test report template can save time and ensure that results are documented accurately and consistently, and are in a format that is suitable for the audience.





Wednesday 22 May 2019


OWASP Tutorials - What is owasp testing project?


Our mission is to make application security "visible" so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP, and all of our content is available under a free and open software license.

The OWASP Foundation is a 501(c)(3) not-for-profit charitable organization that ensures the ongoing availability and support for our work.

It was a challenge to obtain consensus and develop content that allowed people to apply the concepts described in the guide, while also enabling them to work in their own environment and culture.

It was also a challenge to change the focus from penetration testing to testing integrated into the Software Development Life Cycle.

However, the group is very satisfied with the results of the project.

Many industry experts and security professionals, some of whom are responsible for software security at some of the largest companies in the world, are validating the testing framework.

This framework helps organizations test their web applications in order to build reliable and secure software.

The framework does not simply highlight areas of weakness, although the latter is certainly a by-product of many of the OWASP guides and checklists.

As such, hard decisions had to be made about the appropriateness of certain testing techniques and technologies.

The group fully understands that not everyone will agree upon all of these decisions.

However,

The rest of this guide is organized as follows: this introduction covers the pre-requisites for and the scope of testing.

It also covers the principles of successful testing and testing techniques.

Measuring Security: the Economics of Insecure Software

A basic tenet of software engineering is that you cannot control what you cannot measure.

Security testing is no different. Unfortunately, measuring security is a notoriously difficult process.

One aspect that should be emphasized is that security measurements are about both the specific technical issues (e.g., how prevalent a certain vulnerability is) and how these issues affect the economics of software.

Most technical people will at least understand the basic issues, or they may have a deeper understanding of the vulnerabilities.

Sadly, few are able to translate that technical knowledge into monetary terms and quantify the potential cost of vulnerabilities to the application owner's business.

Until this happens, CIOs will not be able to develop an accurate return on security investment and, subsequently, assign appropriate budgets for software security.

It can be difficult to assess the cost of unsafe software, but important work has been done in this direction.

For example, in June 2002, the US

Interestingly, they estimate that a better testing infrastructure would save more than a third of these costs, or about 22 billion dollars a year.

More recently, the links between economics and security have been studied by academic researchers.


The framework described in this document encourages people to measure security throughout the entire development process.

They can then relate the cost of insecure software to the impact it has on the business, and consequently develop appropriate business processes and assign resources to manage the risk.

Remember that measuring and testing web applications is even more critical than for other software, since web applications are exposed to millions of users through the Internet.

What is OWASP Testing?


During the development life cycle of a web application, many things need to be tested, but what does testing actually mean? The Merriam-Webster Dictionary describes testing as:
  • To put to test or proof.
  • To undergo a test.
  • To be assigned a standing or evaluation based on tests.

For the purposes of this tutorial, testing is a process of comparing the state of a system or application against a set of criteria. In the security industry, people frequently test against a set of mental criteria that are neither well defined nor complete.

As a result, many outsiders regard security testing as a black art.

The aim of this document is to change that perception, and to make it easier for people without in-depth security knowledge to make a difference in testing.


Why OWASP Testing?


This tutorial is designed to help organizations understand what comprises a testing program, and to help them identify the steps that need to be undertaken to build and operate a testing program on web applications.

The guide gives a broad view of the elements required to make a comprehensive web application security program. This guide can be used as a reference guide and as a methodology to help determine the gap between existing practices and industry best practices.

This guide allows organizations to benchmark themselves against industry peers, to understand the magnitude of the resources required to test and maintain their software, and to prepare for an audit.


When do OWASP Testing?


Most people today do not test software until it has already been created and is in the deployment phase of its life cycle (i.e., code has been created and instantiated into a working web application).

This is generally a very ineffective and cost-prohibitive practice. One of the best methods to prevent security bugs from appearing in production applications is to improve the Software Development Life Cycle (SDLC) by including security in each of its phases.

An SDLC is a structure imposed on the development of software artifacts. If an SDLC is not currently being used in your environment, it is time to pick one!

The following figure shows a generic SDLC model as well as the (estimated) increasing cost of fixing security bugs in such a model.




Companies should inspect their overall SDLC to ensure that security is an integral part of the development process.

SDLCs should include security tests to ensure that security is adequately covered and that controls are effective throughout the development process.


What to Test on OWASP?


It can be helpful to think of software development as a combination of people, process, and technology.

If these are the factors that "create" software, then it is logical that these are the factors that must be tested. Today most people generally test the technology or the software itself.

An effective testing program should contain components that test:

People

Process

Technology

Unless a holistic approach is adopted, testing just the technical implementation of an application will not uncover management or operational vulnerabilities that could be present.

By testing the people, policies, and processes, an organization can catch issues that would later manifest themselves as defects in the technology, thus eradicating bugs early and identifying the root causes of defects.

Likewise, testing only some of the technical issues that can be present in a system will result in an incomplete and inaccurate security posture assessment.

Dennis Verdon, Head of Information Security at Fidelity National Financial, presented an excellent analogy for this misconception at the OWASP AppSec 2004 conference in New York:

"If cars were built like applications, security testing would only examine cars for stability, brake effectiveness, side impact, and theft in emergency maneuvers, or would not test them at all."

Feedback and Comments

With all
