Send the link below via email or IMCopy
Present to your audienceStart remote presentation
- Invited audience members will follow you as you navigate and present
- People invited to a presentation do not need a Prezi account
- This link expires 10 minutes after you close the presentation
- A maximum of 30 users can follow your presentation
- Learn more about this feature in our knowledge base article
Transcript of Security Testing
1. Session Fixation
2. Open redirection vulnerabilities
3. Test Session Termination Showing by example the security testing of the login page of internet bank of Nationwide Building Society. Because there are many kinds of threats to Online applications Introduction Security testing is a testing methodology to check whether there is any information leakage in the sense by encrypting the application or using wide range of software’s and hardware's and firewall etc. to make the system more secure.Our goal here is to summarize criteria and ideas that may be useful for the creation of a compliance testing approach for the security of online banking systems at the user's side Knowing about the threats Security Testing Approaches Functional Testing Risk Based testing Security testing Standard testing teams using a conventional
approach can perform functional security testing.
For example, ensuring that access control mechanisms work as advertised is a classic functional testing exercise. On the other hand, traditional Quality Assurance staff will have more difficulty performing risk-based security testing. The problem is one of expertise. A tester who has complete knowledge of the system must be able to analyze the system from an attackers point of view. Hence, the bottom line is that risk-based security testing relies more on expertise and experience and a thought process of that of a hacker. Because security testing involves two approaches namely functional security testing and risk based security testing, so the question of who should do it has two answers. Foreseeable benefit of this are as follows:
1. Making a decision on the presence or absence of any risk on a customer’s computer and on a bank’s website. This results in providing customers with an understanding of how secure their bank's website is.
2. We propose an approach for security testing, which may help testers and all online bank users to acquire a good understanding of security testing and develop a general compliance testing system focusing on client side security.
3. This when passed on to the customers might result in confidence building in the bank that they operate with. Foreseeable Benefits observed after implementation Business Value to IBM
If this approach reaches NBS, this might be accepted as a value add in promoting the growth of any NBS web applications, and as part of IBM BAG (Base account growth) which result in generation of more revenue. Thank you !!!
Key milestone achieved
As part of Security Tool Analysis team has analyzed two candidate application for web security testing
1. IBM App Scan
2. IBM Rational Policy Tester.
Usage of this tool has been described in the forthcoming slides which may bring preliminary security testing business to MTS. IBM AppScan IBM Security AppScan delivers application vulnerability testing and management across the application lifecycle for web and mobile apps.
AppScan supports following security vulnerabilities:
Authentication bypass using SQL Injection
Blind SQL Injection
DOM Based Cross-site scripting
Predictable Login credential
Unencrypted login request Proposed Solution The IBM Security AppScan portfolio includes solutions for both security teams and development organizations to collectively address application security by identifying and remediating vulnerabilities early in the software development lifecycle, when they are easier and less expensive to correct. IBM research drives
IBM Security AppScan solutions to identify the latest threats with advanced security testing for application security analysts. With more than a decade of application security experience, IBM Security AppScan solutions deliver some of the most advanced testing features that combine expert analysis with ease of use.
AppScan Scan Report We can export the scan report to xml. IBM Rational Policy Tester What is Rational Policy Tester?
Rational Policy Tester (RPT) is IBM's strategic solution for Web content standards compliance validation.
IBM Rational Policy Tester Quality Edition software assesses and reports content quality issues that can create negative impressions of your online business and impede site usability. Reporting categories include
Content defects that directly affect visitor activities, such as broken links, spelling errors and broken anchors.
Interaction problems that visitors might encounter using forms or performing checkouts and other transactions.
Page efficiency analysis that highlight sluggish page loading, multiple warnings and redirects, and other usability issues.
Search and navigation analyzes that verify visitors will find what they need within three clicks which is the documented tolerance for typical users.
Custom reports that align with your organization’s internal quality standards.
IBM Rational Policy Tester Result Launching an extensible, Web-based, enterprise solution A centrally administered, Web-based solution, IBM Rational Policy Tester features a core scan engine that crawls through Web site content and applica¬tions, analyzes data, stores findings in a relational database and generates actionable reports that pinpoint issues uncovered during the scan.
IBM Rational Policy Tester supports multiple enterprise user roles and access permissions, and its issue management capabilities are designed to ease the prioritization of issues for immediate remediation. Also included are executive dashboards for tracking and distributing critical online metrics across the enterprise.
Uncovering oversights with IBM Rational Policy Tester Privacy Edition software Insecure data collection forms, missing privacy statements, pages populated with identifiable personal information and the presence of cookies are just some of the privacy issues that Web developers frequently overlook. IBM Rational Policy Tester Privacy Edition software highlights such issues across corporate Web properties.
Reports fall into several categories, which include data collection reports, privacy statement reports, visitor track-ing reports and privacy regulatory compliance related-reports.
1.Web server/Application server security
Following are some best practices to verify that this very important aspect of web applications is secure
•Validating input values only on the client side leaves a big security hole in a web application. Attackers can easily generate HTTP requests that bypass client side logic. But it is critical to validate all input values on the server side, to make sure any requests bypassing the client logic don’t make their way through the application logic.
• What does the application record about transactions? Are login, passwords? being written to log files in clear text Testing should include these checks
Best practices for Security Testing
application components 2.Database Security
In real life web applications, databases store very sensitive
Information, like user profiles, customer details etc, in addition to the application data. Following are some guidelines to testing database security of a web application.
•Instead of assigning access directly to the tables, providing access through user created views or stored procedures goes a long way in securing a database against attacks. This approach allows a user read-only.
•Locking down access control and using principle of least privilege are critical to secure a database against attacks. This can be done by creating roles in the database, and assigning users to one.
3.Useful tools for web application security testing
This section presents some useful tools that can be handy to testers for security testing of web applications efficiently. In addition to the tools discussed in detail here, this section also refers other available tools that belong to the same testing category.
3.Code Coverage tools.
4.Rational Test RealTime.
5.Password auditing tools.