Detecting Software Security issues before Hackers Strike

In today’s connected IT world, the damage caused by an online security breach is well known. If hackers gain access to corporate systems, the enterprise’s brand and reputation are damaged, and repairing that damage costs a great deal of money. The consequences are similar for businesses that build embedded and mobile systems when their software is compromised.

The IT network is the path hackers travel to reach critical systems, so the common practice is to deploy security controls that detect and prevent breaches at the network level: enterprises use firewalls to restrict unauthorised access, and analytics are widely used to detect abnormal data-usage patterns that can signal an attack. What many businesses do not realise is that taking steps much earlier in the process is both easier and more cost-effective. It starts with testing the source code that powers the business applications and the embedded systems. Building applications on secure code helps an enterprise keep attackers away from valuable data and saves much of the money, time and effort otherwise spent on remediation.

Security Starts with Developers

Addressing security issues during development is commonly estimated to save 80-90% of the cost and effort of dealing with the same issues in production. Developers are therefore ideally positioned, and should be equipped, to protect the business from the heavy costs, bad publicity and customer dissatisfaction that follow a breach.

Several government and industry organisations have published standards aimed at producing secure code and limiting the damage caused by security breaches. For example, the CERT Secure Coding Initiative works with software developers and development organisations to reduce the vulnerabilities that result from coding errors before the software is deployed, and the Security Technical Implementation Guides (STIGs), published by DISA, contain technical guidance on locking down information systems and software that may be vulnerable to attack.

The organisations behind these standards are well aware of the risks involved when hackers look for avenues of attack. If a retail giant’s website is hacked and credit-card details are exposed, the story makes headlines globally, notification letters must be sent to the affected customers, the retailer has to compensate them, and the banks eventually replace the affected debit and credit cards to limit further risk. All of this costs a huge amount of money. If attackers target industries such as automotive or oil and gas, the consequences can be even more severe, since a compromise may lead to fatal accidents or explosions. Hence the role of developers is of utmost importance: they must analyse, during development, how a breach could occur and adopt methodologies that prevent it.

Prevention is the Best Medicine

Keeping enterprise software applications and embedded systems secure is like managing a person’s health: it is far better to prevent infections and other illness than to treat them afterwards. The best treatment for a security issue is prevention, and it is best if it starts early. Often software developers are unsure how to develop more secure software and what approach to follow to achieve it.

The best practice for producing secure code is to educate software development organisations and arm them with the right set of tools to prevent threats and attacks. Among these tools are static code analysers, which automate the detection of potential security vulnerabilities in source code, and tools that identify where open source code is used in the software so that its known vulnerabilities can be tracked and avoided. The right tools simplify the approach, shorten the time taken and improve the process of detecting security threats in software and mitigating them.
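To make the static-analysis point concrete, here is a minimal pattern-based checker of the kind described above. It is an added example, not code from the page or from Gallop: it scans a constructed C file for calls to functions that secure-coding standards such as CERT C tell developers to avoid or bound (gets, strcpy, strcat, sprintf, system), reports the line and a replacement, and blanks out comments first so that a mention of strcpy in a comment is not a false positive. The sample source, the banned-function table and the advice text are all assumptions made for the example; a real analyser works on a parsed AST and tracks data flow rather than matching names.

```python
import re
from dataclasses import dataclass

# Constructed sample C source (added for illustration; not code from the page).
# It contains the kinds of defects a static analyser is expected to flag and a
# comment that a naive grep would report as a false positive.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int read_name(char *out) {
    char buf[64];
    gets(buf);                 /* unbounded read into a fixed buffer */
    strcpy(out, buf);          /* copy with no length check */
    return 0;
}

void run(const char *cmd) {
    system(cmd);               /* shell invocation with a caller-supplied string */
}

void read_line(char *dst, size_t n) {
    /* the original gets(dst) call was replaced by the bounded form below */
    if (fgets(dst, (int)n, stdin) == NULL) dst[0] = '\\0';
}
"""


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the scanned source
    func: str       # banned function that was called
    severity: str
    advice: str


# Functions that secure-coding standards tell developers to avoid or bound.
# The severities and advice strings are this example's own choices.
BANNED = {
    "gets":    ("high",   "unbounded read; use fgets with the buffer size"),
    "strcpy":  ("high",   "no length check; use snprintf/strlcpy with the destination size"),
    "strcat":  ("high",   "no length check; use a bounded concatenation"),
    "sprintf": ("medium", "no length check; use snprintf"),
    "system":  ("medium", "shell invocation; avoid it, or never pass attacker-influenced data"),
}

# \b keeps fgets from matching "gets" and snprintf from matching "sprintf".
_CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")
_BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT_RE = re.compile(r"//[^\n]*")


def strip_comments(source: str) -> str:
    """Blank out C comments but keep every newline so line numbers stay valid."""
    def blank(m: re.Match) -> str:
        return re.sub(r"[^\n]", " ", m.group(0))
    source = _BLOCK_COMMENT_RE.sub(blank, source)
    return _LINE_COMMENT_RE.sub(blank, source)


def scan(source: str) -> list[Finding]:
    """Report every call to a banned function in source order."""
    code = strip_comments(source)
    findings = []
    for m in _CALL_RE.finditer(code):
        func = m.group(1)
        line = code.count("\n", 0, m.start()) + 1
        severity, advice = BANNED[func]
        findings.append(Finding(line, func, severity, advice))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'medium': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_C)
    for f in results:
        print(f"line {f.line}: {f.func}() [{f.severity}] - {f.advice}")
    print(summarize(results))
```

Running it on the sample reports gets() on line 7, strcpy() on line 8 and system() on line 13, and nothing for the comment or the fgets() call in read_line(). The checker does not understand string literals or macros, so a banned name inside a string would still be reported; that is the kind of gap a commercial analyser closes by parsing the code rather than matching text.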

Gallop can help you at every stage of the software development lifecycle to deliver a superior end product. Please contact our security testing specialists for a free assessment.

About the Author: Abhijeet Srivastava is an Associate Manager at Gallop Solutions. He is part of the Enterprise Solutions Group, which primarily helps convert leads to deals by devising the best solutions. He holds a B.Tech in Electronics & Communication Engineering from Sikkim Manipal Institute of Technology and a PGDM from TAPMI, Manipal. His core skills are business analysis, sales pitches, architecting solutions and building proposals.
The opinions expressed in this blog are author's and don't necessarily represent Gallop's positions, strategies or opinions.

Getting Started with Risk-Based Testing

What is Risk?

A risk, essentially, is a possible problem: an event that may or may not happen, depending on other variables. In software testing, a risk may be defined as a potential occurrence, usually undesirable and leading to loss, that results from the presence of an issue or bug in the product. Testing for these unwanted possible events is known as risk-based testing.

The definition of risk is incomplete without two related terms, mitigation and contingency:

  • Mitigation: action taken in advance that reduces the likelihood of defects showing up.
  • Contingency: the backup plan to be executed if a risk materialises, which helps reduce its impact.

Types of Risks

In theory there are innumerable risks. The following are the most commonly faced risks in different domains:

Business or Operational Risks

  • Over dependence on a specific system, subsystem, function, or feature
  • Business-Criticality of a feature or function, subsystem, including the cost of failure

External Risks

  • Security related loopholes
  • Integration failures – of product or website pages
  • Regulatory requirements
  • Failures of functions
  • Performance and Usability related failures

Technical Risks

  • Collocated development teams
  • Complexity of a product

What is Risk-based Testing?

Risk-based testing (RBT) is an organising principle that prioritises the testing of a product’s features and functions according to their probability of failure, the importance of the function, and similar factors.

RBT is thus a ranking of tests and sub-tests by functionality. Test design techniques such as equivalence partitioning, state transition tables, decision tables, boundary-value analysis, path-flow testing and all-pairs testing help build tests that target the most risk-prone areas.

As there is usually not enough time to test a product’s complete functionality, RBT concentrates on the functionality that has the highest probability of failure and therefore the biggest impact.

RBT, to be fully effective, must be started in the initial stages of product development. It involves:

  • Identifying risks to system quality and using them to guide the planning, preparation and execution of the tests.
  • Risk analysis that helps identify opportunities to remove or prevent defects.
  • Mitigation testing (which reduces the likelihood of high-impact defects) and contingency testing (which identifies possible workarounds for the defects found).
  • Measuring the effectiveness of finding/removing defects in critical areas.

4 Phases of Risk Based Testing Process

There are four main phases to be kept in mind while executing RBT:

  1. Identify and define all possible risks for each functional module of the application under test (AUT) and assign each to the responsible stakeholder.
  2. Prioritize the tests based on the criticality of the associated risk. Agree on the prioritization, update the functional requirement document and share it with the stakeholders.
  3. Plan and define tests according to requirement prioritization.
  4. Execute tests according to the accepted functional document.
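The four phases are easier to reason about with numbers attached. The following is an added example (not Gallop’s method, and not code from the page) that models phases 1 to 3 for a constructed risk register: each risk carries a likelihood and an impact on a 1-5 scale and an owning stakeholder (phase 1), exposure = likelihood × impact ranks the risks (phase 2), and the test budget is split in proportion to exposure with a fixed floor so that low-ranked risks still receive some testing, as the advantages below insist (phase 3). The scales, the register entries and the floor are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    module: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain); scale assumed for this example
    impact: int       # 1 (cosmetic) .. 5 (safety, financial or legal loss)
    owner: str        # stakeholder responsible for the mitigation (phase 1)


def exposure(risk: Risk) -> int:
    """Ranking key: likelihood x impact, on a 1..25 scale."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be in 1..5")
    return risk.likelihood * risk.impact


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Phase 2: highest exposure first; ties broken by module name for a stable order."""
    return sorted(risks, key=lambda r: (-exposure(r), r.module))


def allocate_effort(risks: list[Risk], total_hours: float,
                    floor_hours: float = 4.0) -> list[tuple[Risk, float]]:
    """Phase 3: every risk gets at least floor_hours (low-ranked risks are still
    tested); the remaining budget is split in proportion to exposure."""
    ranked = prioritize(risks)
    remaining = total_hours - floor_hours * len(ranked)
    if remaining < 0:
        raise ValueError("budget cannot cover the minimum effort for every risk")
    total_exposure = sum(exposure(r) for r in ranked)
    return [(r, floor_hours + remaining * exposure(r) / total_exposure) for r in ranked]


# Constructed risk register for a hypothetical online store (illustrative only).
REGISTER = [
    Risk("checkout", "card data stored unencrypted in the order table", 3, 5, "payments lead"),
    Risk("login", "no lockout, so password brute force succeeds", 4, 4, "identity lead"),
    Risk("reports", "CSV export fails when a third-party API is down", 2, 3, "reporting lead"),
    Risk("help pages", "layout breaks on small screens", 5, 1, "web lead"),
]


if __name__ == "__main__":
    # 100 hours of test effort for the register above.
    for risk, hours in allocate_effort(REGISTER, total_hours=100):
        print(f"exposure {exposure(risk):2d}  {hours:5.1f}h  {risk.module}: "
              f"{risk.description} (owner: {risk.owner})")
```

With a 100-hour budget the plan comes out as login 36 h, checkout 34 h, reports 16 h and help pages 14 h: the two security risks absorb most of the effort, but the cosmetic risk still gets its floor plus a share, and the agreed numbers are what goes into the updated functional document that phase 4 executes against.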

Advantages of Risk Based Testing

  • Because all critical functions of the application are tested, overall product quality improves.
  • Planned prioritization takes care of the business-critical areas, so that even when a risk materialises the product is not badly affected. Low-ranked risks must still be tested so that they do not materialise and cause trouble.
  • Since problem areas are discovered early, preventive measures can start immediately, which ends up saving a lot of time and cost in production.
  • In case of limited resources (time or team), it helps as a negotiating tool for prioritization.
  • Helps make testing a better planned and organized activity.
  • Continuous monitoring of risks keeps the focus on the overall testing strategy and goal throughout the testing life cycle.
  • Improves customer satisfaction.

In short, the main objective of risk-based testing is to test in accordance with risk-management best practice, producing a product that is properly balanced in terms of quality, features, budget and schedule.

At Gallop, we cover all the bases and ensure that effective testing is performed by the right set of experts. We ensure the best quality for your product and that your customers are happy. Our tool agnostic test automation frameworks ensure accelerated testing so that you get higher productivity and an enviable time to market.

Icon vector designed by Freepik

The opinions expressed in this blog are author's and don't necessarily represent Gallop's positions, strategies or opinions.

10 Critical Activities to Test Security of Mobile Applications

Smartphones on 3G and 4G networks are increasingly used to access the Internet, to perform financial, business and social transactions, and to consume media. However, the safety of the data handled by the apps distributed through mobile application stores is a major security issue.

To add to this, Gartner predicts that almost 25% of organizations will launch their own apps by 2017.

While this will make creating new apps much more efficient, it also gives hackers more to attack. Only a full-fledged security-testing environment will keep the apps, and the companies behind them, from leaking large amounts of personal data from users’ phones.

In short – security of the apps will be vitally business-critical.

So, what can be done about this? What really is needed?

An app testing strategy that not only analyses the security risks of using an app on a smartphone but also helps eliminate them.

When a man-in-the-middle (MITM) attacker intercepts an app that communicates sensitive information and manipulates it for their own benefit, proper SSL/TLS certificate validation* in the app mitigates the risk. This is easier said than done: billions of app users connect over risky, untrusted networks, which makes them easy prey for MITM attacks unless the app itself refuses to talk to an impostor.
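The validation failure described above usually comes down to a client configuration that accepts any certificate. The example below is added here to show the pattern; it is not code from the page, from Gallop, or from the study cited in the footnote. It builds, in Python’s ssl module, the hardened client context a mobile back-end client should use, the insecure context that apps ship when validation is switched off "to make the test server work", an audit function that tells the two apart (the kind of check a security review runs over an app’s networking code), and a certificate-pin check that compares the SHA-256 of the server’s DER certificate with the pins the app ships. The pin values and DER byte strings are constructed placeholders, not real certificates.

```python
import hashlib
import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the server chain and hostname against the
    platform trust store and refuses protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The mistake behind most 'does not validate SSL certificates' findings:
    verification disabled, so a MITM's certificate is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the validation weaknesses of a client context; empty means sound."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


def cert_pin(der: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate, the value an app ships as a pin."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pinned: set[str]) -> bool:
    """True if the presented certificate is one the app was built to trust."""
    return cert_pin(der) in pinned


def verify_server(host: str, port: int, pinned: set[str]) -> bool:
    """Connect with the hardened context, then apply pinning on top of chain
    validation. Not run by the test; it needs network access."""
    ctx = hardened_client_context()
    with ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host) as s:
        der = s.getpeercert(binary_form=True)
        return der is not None and pin_matches(der, pinned)


# Constructed placeholders standing in for real DER certificates (not real certs).
GENUINE_DER = b"placeholder: DER of the app backend's real certificate"
MITM_DER = b"placeholder: DER of a certificate minted by an interceptor"
PINS = {cert_pin(GENUINE_DER)}


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("insecure:", audit_context(insecure_client_context()))
    print("genuine cert pinned:", pin_matches(GENUINE_DER, PINS))
    print("MITM cert pinned:   ", pin_matches(MITM_DER, PINS))
```

Pinning the leaf certificate, as here, breaks the app when the server rotates its certificate; pinning the public key (SPKI) or a backup pin alongside the active one is the usual way to avoid that. Whichever is pinned, the audit findings are the thing to look for first, since pinning on top of a context that never verifies the chain gives a false sense of security.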

All mobile apps fall in one of the following three main categories:

  • Native apps – These are written to run only on a specific platform and its supported devices. For example, an iOS app runs only on iOS devices.
  • Web applications – These are built using standards like HTML5 and can be accessed by any mobile device.
  • Hybrid applications – These apps usually have a layer of native application around a Web-based user interface and provide the best of both worlds.

Gartner analysts suggest that more than 50% of deployed apps will be hybrid by 2016 – for all the obvious reasons.

Mobile Security Testing Process – An Overview

Like everything else, security testing for apps needs a method to overcome the madness. Experts in the field suggest three basic steps that must be performed to achieve the desired objective:

  1. Intelligence gathering: collect as much information about the app as possible.
  2. Threat modeling: identify the threats to the app, whether specific to it or taken from prepared threat lists.
  3. Vulnerability analysis: identify vulnerabilities in the app using the test cases created in the previous step, through dynamic methods (passive network monitoring and analysis), runtime analysis (examining communication between internal components: Android Intents, iOS objc_msgSend calls) and forensic methods (timeline analysis).

Reference: Security Testing Guidelines for Mobile Apps by Florian Stahl & Johannes Ströher

10 critical activities to be performed to make apps secure

At a broad level, mobile app security testing needs to cover data leakage, data flow and storage, encryption, authentication, server-side controls and points of entry.

Ten specific activities to be performed while testing the Security of Mobile Applications are:

  1. Automated security testing of mobile applications on multiple devices, across multiple platforms and over diverse networks
  2. Use of a cloud-based mobile testing lab that lets you upload the apps themselves, or their locations, for testing
  3. A wide variety of automated security tests to identify embedded spyware, viruses and Trojans, and data-privacy, data-leakage and unsolicited-network-connection issues
  4. Dynamic analysis and testing of apps in a lab that provides the environment needed to verify issues such as an insecure file system, insecure data transmission, unsafe data storage and privilege violations
  5. Analysis of the results for each mobile application
  6. Automated code assessment that helps IT teams secure mobile apps in agile environments
  7. Inspection of all app features in real time in controlled environments, comparing the results against a large body of known applications
  8. Binary static analysis of the apps to expose malicious capabilities and vulnerabilities such as information leakage
  9. Assessment of whether the app has been built to the specific compliance demands of your industry, since following the right regulatory standards and mandates is vital
  10. Last, and very important, keep checking and testing for the new security threats that surface so often

Conclusion

To cover all the bases and ensure that effective testing is performed, a third-party organization with the right expertise can prove to be your best bet. At Gallop, security testing forms a critical part of our mobile test strategy. Our security testing is thorough and makes use of reusable test scenarios so that your app is secure and your customers happy. Our tool agnostic test automation frameworks ensure accelerated testing so that you get higher productivity and an enviable time to market.
* A study conducted in late 2012 established that almost 17% of the tested Android apps do not fully validate SSL certificates.

The opinions expressed in this blog are author's and don't necessarily represent Gallop's positions, strategies or opinions.