Web applications for various services have gained customers’ confidence over the years. Terabytes of data are loaded and shared across platforms as people assume that the transactions are securely monitored.
But as cyber attacks continue to create panic, the threat to the security of our applications and data in the digital sphere grows stronger. More and more incidents of virus attacks are amplifying the need for robust security testing.
Enterprises that are involved in the connected world need to realize the key reasons security testing is essential for their web applications. These businesses should design modern, all-inclusive security testing plans right at the inception of their projects to ensure a secure customer experience.
Here’s how you can get started.
Look for Potential Security Flaws
The first step is to review the code for any possible vulnerabilities. There are several common areas for security gaps:
- Hidden field manipulations: This vulnerability is mostly exploited for e-commerce websites. Applications embed hidden fields within web pages, and due to poor coding standards, these hidden fields often contain confidential information, such as product prices.
- Cross-site scripting: This is one of the most common vulnerabilities. It lets hackers steal sessions, deface pages, embed content, or redirect users to malicious websites.
- Cross-site request forgery: Many developers neglect the importance of random tokens and reauthentication on a data-critical page. Without them, attackers can commit actions by the users on their behalf, such as adding or deleting an account beneficiary or modifying a user profile.
Perform Security Testing Step by Step
Let’s consider a scenario where a company needs security testing to be performed on its applications built in ASP.NET. What is expected from the testing team? Here’s a step-by-step approach that could capture the solution for the requirement.
1. Plan and strategize
Developing a plan and strategy should always be the first step of security testing. Testers must understand the business reason, the number of users accessing the application, and the application’s workflow in order to identify the specific tests for each scenario.
Prior to execution of any project, it is best to hold a session with the developers to understand the flow of the application. This helps the testers identify logical vulnerabilities, such as authorization bypass, that automated tools cannot identify.
The business should have a ballpark figure of how many users would be accessing the application. Understanding the max number of users helps testers generate virtual users to identify any possible denial-of-service attacks. Nowadays, these attacks are easy to exploit.
2. Perform threat modeling
Modeling high-level threats to the application lets testers gauge possible risks and scenarios associated with it. Threat modeling identifies the weak areas of the application, which helps in tailoring the tests.
After an application’s blueprint is completed, the technical part starts, where the components are identified for development. It could be coding languages, platforms, technology stacks, etc. Each component comes with its own set of weaknesses and strengths, so it is important to identify the vulnerabilities before the coding phase. This helps in identifying other options that are more secure and drastically reduce the cost to fix them.
As an example, if the application is to be developed in .NET, it is important to understand the vulnerabilities present in various components supporting the application, such as the .NET version, IIS version, etc. This helps identify business and architectural threats.
3. Select testing tools
For assessing an application, it is imperative that proper tools are used. Every open source and proprietary tool has its strengths and weaknesses, so tools should be chosen based on what will work the best for the application under test. Open source tools such as Zed Attack Proxy and Nmap also allow testers to modify using custom scripts.
4. Get creative with testing
Even though you should perform some of your security testing with automated tools, as hackers get smarter, it’s important for humans to think outside the box with their testing. Identifying logical vulnerabilities is what differentiates a seasoned tester from a regular tester.
For instance, when it comes to HTTP access control, the CORS mechanism reportedly has low information vulnerability, but if it is coupled with CSRF, it would have a huge impact on the application. This was done for a large bank in Europe. Another instance is an account takeover through host header attacks. A simple change in the host name while requesting a password reset link can prove damaging, as the rest of the link would have the attacker’s domain and they may access the password of your account. This can happen when developers forget to restrict reuse of password-reset links, but a smart tester would know to look for that.
5. Think of security at every step
While a manual web application security test might restrict testing up to a select number of obvious parameters, an automated web vulnerability scanner can ensure that every parameter is scanned for gaps. However, integrating security as a process throughout the software development lifecycle will make sure that the application rolls out more securely, as most of the defects would have been mitigated at a very early stage.
Security testing can be automated once the development is complete and code is built for the application under test by leveraging Jenkins or any automation framework, and the IP and URL can be dynamically fed to open source tools such as Zed Attack Proxy or w3af, or many other commercial tools.
Incorporate Different Types of Security Testing
While these five steps will serve you well, if you want to get specific in your security testing, there are multiple concentrations to consider.
Static application security testing (SAST) involves an internal audit of the application, where the security auditor or a tool tests the application with unlimited access to its source code or binary. It can be done both manually and automatically and checks the application for complicated vulnerabilities that could go undetected.
Dynamic application security testing (DAST) tests the application externally while it runs in the test mode or in the production environment. It helps to track rapidity, flexibility, and scalability of the application for seamless integration with the corporate security strategy.
Interactive application security testing (IAST) combines SAST and DAST and brings together the strengths of both approaches. What types of security testing will be useful totally depends on the business requirements and objectives, but applying both approaches works effectively to bring down the risk of a cyber attack.
Keep Your Users Safe
As with any kind of testing, security testing for web applications should start with strategizing a complete plan and gauging the probable risks and attacks in order to formulate the most effective tests.
While automating your security testing can ease efforts and make the process faster and much more efficient, there has to be a human touch to understand and anticipate the thought processes of potential hackers. Testers need to be creative in their test efforts to keep users safe when using their products.
Good Article to read and understand step by step process. I have enjoyed it. Some Examples could have made it furtner impactful.
Overall I will say keep writing.
I must appreciate you for providing such a valuable content for us. TIt is really a great work and the way in which you are sharing the knowledge is excellent. Helped a lot in increasing my knowledge on Cyber Security.
Great step-by-step checklist of things to keep in mind when doing applicaiton security testing. Your readers might also find concrete examples of how application security solutions impacted their businesses to be helpful.
As an example, this user writes in his IT Central Station review of Veracode, "The benefits are the fact that it identifies our vulnerabilities, and it has improved us by allowing us to pull everything to the left in agreement with our SDLC and with our developers, and have them not only get buy-in because they can run sandbox scans that allow them not to generate metrics, but also run policy scans where we identify what the policy is and what is acceptable. So, it has helped us secure our company and our applications." You can read the rest of his review, as well as reviews for other major application security solutions, here.
As the application based attacks are growing security for web applicationsis becoming really important. Thanks for publishing such an informative post.