Wednesday, August 19, 2009

Software security test cases

Introduction

One important method of testing duplicates how the customer uses the product; in other words, it is testing as the customer. During the quality assurance phase of the development cycle, a test plan is formulated by documenting the test cases for these tests. This ensures that the common needs of the customer are not missed during the development phase, and that those needs are not missed in the testing phase either. Quality assurance teams should understand that security issues or defects are not the responsibility of the software developer or the tester alone. They are the QA team's responsibility as well.

QA engineers never understand the inner workings of a specific piece of software, but they go deep into the testing community to see how far software testers have penetrated the code. QA has the advantage of receiving the internal documents, which can later help a test engineer test the application.

It is important to document every attack that an attacker can perform against the application and to incorporate it into the standard test plan.

Preparation

Before preparing the test cases it is important to know the scope of testing. I have divided the scope into three sections.
1) Identifying the inputs

a. The needed files
b. The environmental variables
c. Various configuration parameters.
d. External configuration files
e. The “Regedit” configuration
f. Any database
g. Hidden commands
h. Any other required input, which should be requested from the development team.

Every possible way an input can arrive should be identified. Basic requirement testing should be done along with security-related tests. There should be some way to test for buffer overflow and format string errors. If a huge amount of data is loaded into an input of the application, the application might produce errors, crash, or behave oddly. These are signs of a buffer overflow. The application developer should be able to find the reason for the crash, and it should be resolved. A poorly formatted input that crashes the application affects the product's stability and security. There should be various inputs for an application. The developer should inform the testing team how and when to use each input so that it can be checked for the security of the application.

Installation

• Used by an installer
• Instruction which should during installations
• Using the necessary exe file or bat file.

Deployment

Deployment should be made in two domains or environments
a) Trusted Environment
b) Untrusted or third party environment.

During installation and deployment, care should be taken over the various files and registry settings needed for the installation and execution of the application. Even temporary files which exist in the temp folder for no more than one second will allow access to sensitive data on a user's machine. Unix machines have the concept of a user mask (umask), which takes care of file permissions. During deployment the user mask is defined so that the system or application is fully open to attack, so that every security breach can be found. It should be ensured that permissions are set on files, all newly created databases, and registry keys during deployment.
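The user mask test described above, as an added example that is not part of the original post: it creates files the way an installer step might, once under a restrictive user mask and once under a fully open one, then reports every path left readable or writable by group or others. The file names, the `LOOSE_BITS` policy and the function names are assumptions for illustration, and the script applies to Unix file systems only.

```python
import os
import stat
import tempfile

# Assumed policy: any access for group or others counts as too loose.
LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO


def create_with_umask(path, mask, requested_mode=0o666):
    """Create a file under the given user mask and return its final mode."""
    old = os.umask(mask)
    try:
        # O_EXCL refuses to reuse a file that someone else created first.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested_mode)
        os.close(fd)
    finally:
        os.umask(old)  # always restore the process user mask
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_tree(root, loose_bits=LOOSE_BITS):
    """Return {relative_path: mode} for entries under root with loose bits."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & loose_bits:
                findings[os.path.relpath(full, root)] = mode
    return findings


def demo():
    """Constructed deployment: the same creation step under two user masks."""
    with tempfile.TemporaryDirectory() as root:
        create_with_umask(os.path.join(root, "app.conf"), 0o077)
        create_with_umask(os.path.join(root, "session.tmp"), 0o000)
        return audit_tree(root)


if __name__ == "__main__":
    for path, mode in sorted(demo().items()):
        print(f"LOOSE {mode:04o} {path}")
```

A file that shows up in the report only under the open user mask relies on the environment for its protection instead of requesting a restrictive mode itself.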

Different types of testing should be conducted to find the security breaches.
1) Functional testing.

a. The permissions on a main file should be as restrictive as possible. If the permissions are loosely defined, it is a security issue of severity level 1.
b. Sensitive data should be encrypted with a proper algorithm; this is also a severity level 1 issue.
c. If a database which contains user data is allowing permission, it is also a severity level 1 issue.

2) Logical tests
a. Authentication failure: not allowing a user to log in properly, which is severity level 2.
b. If the login data is mismatched, not providing the necessary instructions is severity level 3.
c. Any confirmation which is providing should contain any sensitive data.
d. Resetting the temporary password a prolong time.
