Friday, September 20, 2019
Significance of Security Testing
Significance of Security Testing Premalatha Sampath Abstract Software security testing is an essential means which helps to assure that the software is trustworthy and secure. It is an idea which has been brought from engineering software to check whether it keeps on working properly under malicious outbreaks. Software security testing process is lengthy, complex and costly. It is because several types of bugs are escaped in testing on a routine basis. The application might perform some additional, unspecified task in the process while effectively behaving as indicated by the requirements. Thus, to build secure software as well as meet budget and time constraints it is essential to emphasis testing effort in areas that have a larger number of security vulnerabilities. Therefore, vulnerabilities are classified and various taxonomies have been created by computer security researchers. Along with the taxonomies, there are also various methods and techniques which helps to test the commonly appearing test issues in software. These techniques gener ally include generic tools, fuzzing, checklists of unpredictable depth and quality, vulnerability scanners, hacking or hiring hackers etc. This study focuses on the introduction, importance, vulnerabilities, approaches and methods of security testing. Articles related to these components were chosen. They were then evaluated on the basis of security testing approaches. Furthermore, the study explores the flaws and vulnerabilities of security testing and figures out the importance of security testing. Moreover, the research also highlights various methods and techniques of security testing. In the end, compiling all the articles research questions like what is the importance of security testing and what are the approaches to security testing are answered. Introduction Security is one of the many aspects of software quality. Software turns out to be more complicated, with the wide utilization of computer which likewise increase software security problems. Software security is the ability of software to provide required function when it is attacked as defined by the authors (Tian-yang, Yin-sheng You-yuan, 2010). There are few common types of security testing such as vulnerability assessments, penetration tests, runtime testing and code review. New vulnerabilities are being discovered with the coming of internet age. They are existing because of many reasons: poor development practices, ignoring security policies during design, incorrect configurations, improper initialization, inadequate testing due to deadlines imposed by financial and marketing needs etc. (Preuveneers, Berbers Bhatti, 2008). The significance of security in the life cycle from network security, to system security and application security is currently recognized by the companies and organizations asa coordinated end-to-end procedure stated by (Felderer, Bà ¼chler, Johns, Brucker, Breu Pretschner, 2016). Therefore, in systems to discover which types of vulnerabilities are dominant, security vulnerabilities are categorized so as to focus the type of testing that would be needed to find them. On the basis of these classifications, various taxonomies are developed by computer security researchers. According to the author (AL-Ghamdi, 2013), at the requirements level security should be explicit and must cover both overt functional security and emergent individualities. One great approach to cover that is using abuse cases which portrays the systems behaviors under attack. Two strategies that must be incorporated by security testing are : testing security functionality using standard functional testing techniques and risk based security testing based on attack patterns and threat models. There are normally two categories of vulnerabilities: bugs at the execution level and flaws at the design level (Tondel, Jaatun Meland, 2008). The research done in this article evaluates the security testing approaches and the methods in order to detect the flaws and vulnerabilities of security in the software. All this approaches and methods of security testing will help to make the software more secure, flawless and bug-free. Thus, the goal of this study is to find out the significance of security testing in todays fastest growing internet age and to introduce developers with an esteemed importance of systems security. The literature review is divided into 4 sections. The first section gives the overview of security testing. The next sections answer the research questions like what is the importance of security testing and what are the various approaches to security testing. Literature Review Importance of Security Testing In contrast with simple software testing process, providing security to a system is exceptionally unpredictable. This is because simple software testing only shows the presence of errors but fails to show the absence of certain types of errors which is ultimately achieved by security testing. As per the author (Khatri, 2014), there are two essential things which should be checked by the system: First, validity of implemented security measures. Second, systems behavior when it is attacked by attackers. The loopholes or vulnerabilities in system may cause failure of security functions of system eventually leading to great losses to organization. So, it is extremely fundamental to incorporate testing approaches for data protection. Security Vulnerabilities There are certain types of errors which are termed as security vulnerabilities, flaws or exploits. The authors (Tian-yang, Yin-sheng You-yuan, 2010) states that there are certain flaws present in system design, implementation, operation, management which are referred as vulnerabilities. As per (Tà ¼rpe, 2008), in order to target testing it is important to understand the roots of vulnerabilities and these vulnerabilities vary from system to system. These exploits are broadly categorized on their similarities by (Preuveneers, Berbers Bhatti, 2008) as follows: Environment variables: Information that does not change across executions of a program is encapsulated by such variables. Buffer Overflows: A memory stack is overflowed which leads the program to execute the data after the last address in the stack, generally an attacker gets the full control of the system when an executable program builds a root or command line shell. Operational Misuse: Operating a system in a non-secure mode. Data as Instructions or Script Injections: due to improper input checking, scripting languages include information with executable code which is then executed by the system. Default Settings: If default software settings require user intervention to secure them they may encounter a risk. Programmer Backdoors: The developers of the software leave the unauthorized access paths for easy access. Numeric Overflows:Giving a lesser or greater value than estimated. Race Conditions:Sending a string of data before another is executed. Network Exposures: It is assumed that when messages are sent to a server adequately, clients will check that. Information Exposure: Sensitive information is exposed to unauthorized users which can be used to compromise data or systems. Possible Attacks According to the authors (Preuveneers, Berbers Bhatti, 2008), (Felderer, Bà ¼chler, Johns, Brucker, Breu Pretschner, 2016) and (AL-Ghamdi, 2013), secure software should achieve security requirements such as reliability, resiliency, and recoverability. Then they describe various possible attacks such as: Information Disclosure Attacks: To disclose sensitive or useful data, applications can often be forced. Attacks in this class include directory indexing attacks, path traversal attacks and determination of whether the application resources are allocated from a conventional and accessible location. System Dependency Attacks: By observing the environment of use of the targeted application, vital system resources can be recognized. Attacks of this type include LDAP injection, OS commanding, SQL injection, SSI injection, format strings, large strings, command injection, escape characters, and special/problematic character sets. Authentication/Authorization Attacks: These attacks includes both dictionary attacks and common account/password strings and credentials, exploiting key materials in memory and at component boundaries , insufficient and poorly implemented protection and recovery of passwords. Logic/Implementation (business model) Attacks: For an attacker, the hardest attacks to apply are often the most gainful. These include checking for faulty process validation, broadcast temporary files for sensitive information, attempts to mall-treatment internal functionality to uncover secrets and cause insecure behavior and testing the applications ability to be remote-controlled. Approaches to Security Testing According to the author (Khatri, 2014), approach to security testing involves determining who should do it and what activities they should undertake. Who: This is because there are two approaches which security testing implicates 1) Functional security testing and 2) Risk-based security testing. Risk-based security testing gets challenging for traditional staff to perform because it is more for expertise and experience people. How: There are several testing methods however the issue with each method is the lack of it because most of organizations devote very little time in understanding the non-functional security risks instead it concentrates on features. The two approaches functional and risk-based are defined by the authors (Tà ¸ndel, Jaatun Jensen, 2008) as follows: Functional security testing: On the basis of requirements, this technique will determine whether security mechanisms, such as cryptography settings and access control are executed and configured or not. Adversarial security testing: This technique is based on risk-based security testing and determines whether the software contains vulnerabilities by pretending an attackers approach. Methods and Techniques of Security Testing by (Tian-yang, Yin-sheng You-yuan, 2010), (AL-Ghamdi, 2013) and (Felderer, Bà ¼chler, Johns, Brucker, Breu Pretschner, 2016). Formal security testing To build a mathematical model of the software and to provide software form specification supported by some formal specification language is the basic idea of formal method. Model-based security testing A model by the behavior and structure of software is constructed by model-based testing and then from this test model, test cases are derived. Fault injection based security testing This testing emphasizes on the interaction points of application and environment, including user input, file system, network interface, and environment variable. Fuzzy testing To discover security vulnerability which gets more and more attention, fuzzy testing is effective. To test program, it would inject random data and evaluate whether it can run normally under the clutter input. Vulnerability scanning testing To find software security risks, vulnerability testing is used which includes testing space scanning and known defects scanning. Property based testing By using program slicing technology, this method will extract the code relative to specific property and find infringement of the code against security property specification. White box-based security testing One of common white-box based testing method is static analysis which is great at finding security bug, such as buffer overflow. It includes main features like deducing, data flow analysis and constraint analysis. Risk-based security testing To find high-risk security vulnerabilities as early as possible, risk-based security testing combines the risk analysis, security testing with software development lifecycle. Discussion There are some type of security vulnerabilities which are more serious or are more common than others, therefore classification and rankings of vulnerabilities can be utilized to focus testing. Today, attacks such as Cross-Site Scripting and SQL injection are very common and new vulnerabilities are still being discovered. Basically, security testing can be divided into security vulnerability testing and security functional testing. To ensure whether software security functions are implemented correctly and consistent with security requirements, security functional testing is used. Whereas to discover security vulnerabilities as an attacker, security vulnerability testing is used. Risk-based security testing is useful when a complex system requires numerous tests for adequate coverage in limited time. Recommendation To build a secure system, security testing is used however it has been overlooked for a long time. Protection and security have been given prime significance in todays world, therefore in programming applications, it is highly recommended to look forward for information and operations security which demands critical consideration but it is rather ignored. There is still nothing like 100% security. The old way of doing things and traditional methods must change and new methods should be applied in practice if one wants to ship secure code with confidence. Conclusion The literature review was done taking 8 articles addressing the topic Significance of Security Testing. This report analyses the definition, classification, importance and approaches to software security testing. Classification of vulnerabilities and flaws were identified and what could be the reason behind occurrence of these vulnerabilities were discussed. The study also highlighted the various approaches like the functional and risk-based security testing and various methods in detail to tackle the flaws and errors detected in the system. These methods and techniques helps the system in various aspects like to advance the capability to produce protected and safe software, more cost-effective management of vulnerabilities and measure progress. Though, these approaches and classification makes software secure to a major extent but still security testing has a long way to go. References AL-Ghamdi, A. S. A. M. (2013, April). A Survey on Software Security Testing Techniques. Felderer, M., Bà ¼chler, M., Johns, M., Brucker, A. D., Breu, R., Pretschner, A. (2016). Chapter One-Security Testing: A Survey. Advances in Computers, 101, 1-51. Khatri, M. (2014). Motivation For Security Testing. Journal of Global Research in Computer Science, 5(6), 26-32. Preuveneers, D., Berbers, Y., Bhatti, G. (2008, December). Best practices for software security: An overview. In Multitopic Conference, 2008. INMIC 2008. IEEE International (pp. 169-173). IEEE. Tian-yang, G., Yin-Sheng, S., You-yuan, F. (2010). Research on software security testing. World Academy of science, engineering and Technology, 70, 647-651. Tà ¸ndel, I. A., Jaatun, M. G., Jensen, J. (2008, April). Learning from software security testing. In Software Testing Verification and Validation Workshop, 2008. ICSTW08. IEEE International Conference on (pp. 286-294). IEEE. Tondel, I. A., Jaatun, M. G., Meland, P. H. (2008). Security requirements for the rest of us: A survey. IEEE software, 25(1). Tà ¼rpe, S. (2008, April). Security testing: Turning practice into theory. In Software Testing Verification and Validation Workshop, 2008. ICSTW08. IEEE International Conference on (pp. 294-302). IEEE. Appendix A Articles Concepts Requirements for Security Testing Vulnerabilities (Exploits, bugs, flaws) Possible Attacks on Software Approaches Techniques or Methods Functional Risk-based Best Practices for Software Security: An Overview (Preuveneers, Berbers Bhatti, 2008) à ¯Ã à à ¯Ã à à ¯Ã à à ¯Ã à Motivation For Security Testing (Khatri, 2014) à ¯Ã à à ¯Ã à à ¯Ã à Security Testing: A Survey (Felderer, Bà ¼chler, Johns, Brucker, Breu Pretschner, 2016) à ¯Ã à à ¯Ã à à ¯Ã à A Survey on Software Security Testing Techniques (AL-Ghamdi, 2013) à ¯Ã à à ¯Ã à à ¯Ã à à ¯Ã à Security Requirements for the Rest of Us: A Survey (Tondel, Jaatun Meland, 2008) à ¯Ã à à ¯Ã à Research on software security testing (Tian-yang, Yin-Sheng You-yuan, 2010) à ¯Ã à à ¯Ã à Learning from software security testing (Tà ¸ndel, Jaatun Jensen, 2008) à ¯Ã à à ¯Ã à Security testing: Turning practice into theory (Tà ¼rpe, 2008) à ¯Ã à à ¯Ã à Figure 1: Concept Matrix of the study of Significance of Security Testing
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.