Topic: Testing for Securability

Message

   Testing for Securability

Security testing is about validating your application's security
services and identifying potential security flaws. This section
contains important testing recommendations for verifying that you have
created a securable application.

Since attackers have no standard method of breaking into things,
there are no standard methods of conducting security testing. Also,
there are few tools available at this time to test security aspects
thoroughly. Since a functional bug in an application can also represent
a potential security flaw, you need to conduct functional testing prior
to conducting security testing.

It is important to note that security testing will not prove
conclusively that an application is secure. Instead, it serves only to
validate the effectiveness of instituted countermeasures, which were
chosen based upon presumptions that were made during the threat
analysis phase.

Provided below are some suggestions for testing the securability of your application.

Test for Buffer Overflows

One of the first security bugs exploited in computer history was a
buffer overflow. Buffer overflows continue to be one of the most
dangerous and most commonly occurring weaknesses. Attempts to exploit
this type of vulnerability can result in problems ranging from crashing
the application to an attacker inserting and executing malignant code
in the application process.

When writing data to buffers, it is imperative that developers not
write more to the buffer than it can possibly hold. If the amount of
data being written exceeds the buffer space that has been allocated, a
buffer overflow occurs. When a buffer overflow occurs, data is written
into parts of memory that may be allocated for other purposes. A
worst-case scenario is when the buffer overflow contains malicious code
that is then executed. Buffer overflows account for a large percentage
of security vulnerabilities.

Conduct source code security reviews

Depending upon the sensitivity of the application in question, it
might be prudent to conduct a security audit of the application source
code. A source code audit should not be confused with a code review.
The purpose of a standard code review is to identify general code
defects that affect the functionality of the code. The purpose of a
source code security review is to identify security flaws, intentional
or otherwise. Such a review would be especially warranted when
developing applications that handle financial transactions or provide
for public safety.

Validate contingency plans

There will always be a potential that an application's security
defenses can be breached and it is only prudent that contingency plans
are in place and validated. What steps will be taken if a virus is
detected on your application server or in your data center? When
security is thwarted, reactions must occur rapidly to prevent further
damage. Find out if your contingency plans will work before they must
be battle-tested.

Attack your application

Testers are accustomed to tormenting applications in an attempt to
make them fail. Hacking your own application is a similar, but more
focused, process. When attempting to attack your application, you
should be looking for exploitable flaws that represent a weak spot in
your application's defenses.
_________________

Author	Message
tanu Newbie Joined: 03Apr2007 Online Status: Offline Posts: 15	Topic: Testing for Securability Posted: 03Apr2007 at 11:36pm
	Testing for Securability Security testing is about validating your application's security services and identifying potential security flaws. This section contains important testing recommendations for verifying that you have created a securable application. Since attackers have no standard method of breaking into things, there are no standard methods of conducting security testing. Also, there are few tools available at this time to test security aspects thoroughly. Since a functional bug in an application can also represent a potential security flaw, you need to conduct functional testing prior to conducting security testing. It is important to note that security testing will not prove conclusively that an application is secure. Instead, it serves only to validate the effectiveness of instituted countermeasures, which were chosen based upon presumptions that were made during the threat analysis phase. Provided below are some suggestions for testing the securability of your application. Test for Buffer Overflows One of the first security bugs exploited in computer history was a buffer overflow. Buffer overflows continue to be one of the most dangerous and most commonly occurring weaknesses. Attempts to exploit this type of vulnerability can result in problems ranging from crashing the application to an attacker inserting and executing malignant code in the application process. When writing data to buffers, it is imperative that developers not write more to the buffer than it can possibly hold. If the amount of data being written exceeds the buffer space that has been allocated, a buffer overflow occurs. When a buffer overflow occurs, data is written into parts of memory that may be allocated for other purposes. A worst-case scenario is when the buffer overflow contains malicious code that is then executed. Buffer overflows account for a large percentage of security vulnerabilities. Conduct source code security reviews Depending upon the sensitivity of the application in question, it might be prudent to conduct a security audit of the application source code. A source code audit should not be confused with a code review. The purpose of a standard code review is to identify general code defects that affect the functionality of the code. The purpose of a source code security review is to identify security flaws, intentional or otherwise. Such a review would be especially warranted when developing applications that handle financial transactions or provide for public safety. Validate contingency plans There will always be a potential that an application's security defenses can be breached and it is only prudent that contingency plans are in place and validated. What steps will be taken if a virus is detected on your application server or in your data center? When security is thwarted, reactions must occur rapidly to prevent further damage. Find out if your contingency plans will work before they must be battle-tested. Attack your application Testers are accustomed to tormenting applications in an attempt to make them fail. Hacking your own application is a similar, but more focused, process. When attempting to attack your application, you should be looking for exploitable flaws that represent a weak spot in your application's defenses. _________________ Post Resume: Click here to Upload your Resume & Apply for Jobs

	IP Logged


One Stop Testing Forum : Types Of Software Testing @ OneStopTesting : Manual Testing @ OneStopTesting