Remote Desktop Brute Force Tool
Posted by admin in Home, 07/10/17

How to Test Application Security

The Need for Security Testing

The software industry has achieved solid recognition in this age. In the recent decade, however, the cyber world has become an even more dominant driving force, shaping new forms of almost every business. The web-based ERP systems in use today are the best evidence that IT has revolutionized our beloved global village. These days websites are not meant only for publicity or marketing; they have evolved into stronger tools that cater to complete business needs. Web-based payroll systems, shopping malls, banking and stock-trading applications are not only used within organizations but are also sold as products. This means that online applications have gained the trust of customers and users regarding one vital feature: SECURITY.

No doubt the security factor is of primary value for desktop applications too. However, when we talk about the web, the importance of security increases many times over. If an online system cannot protect transaction data, no one will ever think of using it. Security is neither a word in search of a definition nor a subtle concept. Still, it helps to list some examples of what it looks like when security is missing.

Examples of security flaws in an application

1. A student management system is insecure if the admissions branch can edit the data of the exam branch.
2. An ERP system is not secure if a data entry operator (DEO) can generate reports.
3. An online shopping mall has no security if customers' credit card details are not encrypted.
4. Custom software possesses inadequate security if an SQL query retrieves the actual passwords of its users.

Security Definition

Now I present the simplest definition of security in my own words: security means that authorized access to protected data is granted and unauthorized access is refused. So it has two major aspects: the first is the protection of data and the second is access to that data.
Moreover, whether the application is desktop or web based, security revolves around those two aspects. Let us have an overview of security aspects for both desktop and web-based software applications.

Desktop and Web Security Testing

A desktop application should be secure not only regarding its access but also with respect to the organization and storage of its data. Similarly, a web application demands even more security with respect to its access, along with data protection. A web developer should make the application immune to SQL injection, brute force attacks and XSS (cross-site scripting). Similarly, if the web application exposes remote access points, these must be secure too. Keep in mind that brute force attacks are not only a web-application problem; desktop software and the services it exposes are vulnerable as well. Crowbar (formerly known as Levye) is a brute forcing tool that can be used during penetration tests.

I hope this foreword is enough, and now let me come to the point. Kindly accept my apology if you so far thought that you were reading about the subject of this article. Though I have briefly explained software security and its major concerns, my topic is security testing. For further details of security aspects, kindly refer to the web application security testing article. I will now explain how the features of security are implemented in a software application and how they should be tested. My focus will be on the whats and hows of security testing, not of security.

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network.
Just under 90 parliamentary email accounts were compromised by a brute force attack on the parliamentary network over the weekend.

Security Testing Techniques

1. Access to Application

Whether it is a desktop application or a website, access security is implemented by roles and rights management. It is often done implicitly while covering functionality. E.g., in a hospital management system a receptionist is least concerned with laboratory tests, as his job is just to register patients and schedule their appointments with doctors. So all the menus, forms and screens related to lab tests will not be available to the Receptionist role. Hence, proper implementation of roles and rights is what enforces the security of access.

How to Test

To test this, thorough testing of all roles and rights should be performed. The tester should create several user accounts with different, as well as multiple, roles. Then he should use the application through these accounts and verify that every role has access only to its own modules, screens, forms and menus. If the tester finds any conflict, he should log a security issue with complete confidence. This can also be understood as authentication and authorization testing: basically, you need to test who you are (authentication) and what you can do (authorization) for distinct users. Some authentication tests include tests for password quality rules, default logins, password recovery, CAPTCHA, logout functionality, password change, security question/answer, etc. Similarly, some authorization tests include tests for path traversal, missing authorization, horizontal access control problems (one user reaching another user's data at the same privilege level), etc.

2. Data Protection

There are three aspects of data security. The first is that a user can view or use only the data he is supposed to use. This is also ensured by roles and rights.
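The roles-and-rights check described above, written out as an added example (this is not code from the article). The HospitalApp class is a constructed stand-in for the system under test, with two deliberate access control bugs planted in it; the expected-rights matrix, the screen names and the test accounts are assumptions. In a real test the same matrix would drive requests against the live application under each account, checking both vertical access (a role reaching screens it should not) and horizontal access (peers reading each other's records).

```python
"""Roles-and-rights check for a hospital management system (added example)."""
from dataclasses import dataclass, field

# Assumed specification: which screens each role may open.
# Any screen not listed for a role must be denied (vertical access control).
EXPECTED_RIGHTS = {
    "receptionist": {"register_patient", "schedule_appointment"},
    "lab_tech": {"lab_tests", "lab_results"},
    "doctor": {"schedule_appointment", "lab_results", "prescriptions"},
}
ALL_SCREENS = set().union(*EXPECTED_RIGHTS.values())


@dataclass
class Session:
    """A logged-in test account: its roles and the patients it legitimately handles."""
    user: str
    roles: set
    patient_ids: set = field(default_factory=set)


class HospitalApp:
    """Constructed stand-in for the application under test."""

    def __init__(self):
        # Screen ACL as actually deployed.  Bug 1: receptionists can open lab_results.
        self._screen_acl = {
            "register_patient": {"receptionist"},
            "schedule_appointment": {"receptionist", "doctor"},
            "lab_tests": {"lab_tech"},
            "lab_results": {"lab_tech", "doctor", "receptionist"},
            "prescriptions": {"doctor"},
        }

    def open_screen(self, session, screen):
        return bool(session.roles & self._screen_acl[screen])

    def view_patient_record(self, session, patient_id):
        # Bug 2: only checks that the caller holds some role, never that the
        # patient belongs to the caller (missing object-level authorization).
        return bool(session.roles)


def check_vertical_access(app, sessions):
    """Each account must reach exactly the screens its roles allow; returns findings."""
    findings = []
    for s in sessions:
        allowed = set().union(*(EXPECTED_RIGHTS[r] for r in s.roles))
        for screen in sorted(ALL_SCREENS):
            got = app.open_screen(s, screen)
            if got and screen not in allowed:
                findings.append(f"{s.user}: can open '{screen}' but role(s) {sorted(s.roles)} should not")
            elif not got and screen in allowed:
                findings.append(f"{s.user}: cannot open '{screen}' but role(s) {sorted(s.roles)} should")
    return findings


def check_horizontal_access(app, sessions):
    """Accounts sharing a role must not be able to read each other's records."""
    findings = []
    for a in sessions:
        for b in sessions:
            if a is b or not (a.roles & b.roles):
                continue
            for pid in sorted(b.patient_ids - a.patient_ids):
                if app.view_patient_record(a, pid):
                    findings.append(f"{a.user}: can view patient {pid} belonging to {b.user}")
    return findings


def run_checks():
    """Constructed test accounts: distinct roles, plus one account holding multiple roles."""
    sessions = [
        Session("alice", {"receptionist"}, {101, 102}),
        Session("bob", {"receptionist"}, {103}),
        Session("carol", {"lab_tech"}),
        Session("dave", {"doctor", "lab_tech"}, {104}),
    ]
    app = HospitalApp()
    return {
        "vertical": check_vertical_access(app, sessions),
        "horizontal": check_horizontal_access(app, sessions),
    }


if __name__ == "__main__":
    for kind, findings in run_checks().items():
        print(f"{kind}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Against the planted bugs the vertical check reports both receptionist accounts opening the lab results screen, and the horizontal check reports every case where an account could read a record belonging to a peer with the same role (alice and bob reading each other's patients, carol reading dave's). Each finding is exactly the kind of conflict the text says should be logged as a security issue.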
E.g., a TSR (telesales representative) of a company can view the data of available stock but cannot see how much raw material was purchased for production. So this aspect of security testing is already explained above.

The second aspect of data protection is how that data is stored in the DB. All sensitive data must be protected at rest. Business-critical information such as credit card numbers should be encrypted with a strong algorithm; user account passwords are a special case and should not be stored in recoverable form at all, but as salted hashes produced by a slow, password-specific function, so that even a dump of the table does not yield the passwords.

The third and last aspect is an extension of the second. Proper security measures must be adopted when sensitive or business-critical data is in motion. Whether this data flows between different modules of the same application or is transmitted to different applications, it must be encrypted to keep it safe.

How to Test Data Protection

The tester should query the database for passwords of user accounts, billing information of clients and other business-critical and sensitive data, and verify that all such data is saved in encrypted (or, for passwords, salted-hashed) form in the DB. Similarly, he must verify that data is transmitted between different forms or screens only after proper encryption. Moreover, the tester should ensure that the encrypted data is properly decrypted at the destination. Special attention should be paid to different submit actions. The tester must verify that when information is transmitted between client and server, it is not displayed in the address bar of the web browser in an understandable format: a form that submits a password or card number with GET puts it in the URL, where it is also written to browser history, proxy and server logs and the Referer header. If any of these verifications fail, the application definitely has a security flaw.

The tester should also check for proper use of salting: a random value, unique per user, combined with the password before hashing, so that two users with the same password get different hashes and precomputed (rainbow) tables do not apply. A fixed secret value appended to every password is a pepper, not a salt; it can complement a per-user salt but does not replace one, and a single salt shared by all accounts should be reported. Insecure randomness should also be tested, as it is a kind of vulnerability: salts, session identifiers and password-reset tokens must come from a cryptographically secure random source, not a predictable generator. Another way to test data protection is to check for weak algorithm usage, such as a fast unsalted hash (MD5, SHA-1) for passwords or an obsolete cipher for stored card data.
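The stored-password check described above, as an added example (not code from the article). Because the tester created the test accounts, their plaintext passwords are known, so the audit can query the user table and recognise plaintext storage, unsalted fast hashes and a static salt shared across accounts. The user table is a constructed in-memory SQLite table standing in for the application's real one, the column and account names are assumptions, and PBKDF2-HMAC-SHA256 with a random per-user salt is the storage scheme assumed to be acceptable here.

```python
"""Audit of how the system under test stores user passwords (added example)."""
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 100_000      # kept modest so the example runs quickly; production should go higher
MIN_ITERATIONS = 100_000  # assumed minimum the tester will accept


def hash_password(password, salt=None):
    """Salted, slow hash.  The salt comes from the CSPRNG, never from random.random()."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_sample_db():
    """Constructed user table containing the kinds of mistakes a tester should catch."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    static_salt = b"\x00" * 16  # the same salt reused for every account
    rows = [
        ("alice", "Winter2024!"),                                  # plaintext
        ("bob", hashlib.md5(b"hunter2").hexdigest()),              # unsalted fast hash
        ("carol", hash_password("correct horse", static_salt)),    # static salt
        ("dave", hash_password("Passw0rd", static_salt)),          # static salt
        ("erin", hash_password("s3cure pa55phrase")),              # done right
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return conn


def audit_password_storage(conn, known_passwords):
    """Query the DB as the tester would and return a list of findings."""
    findings = []
    salts = {}
    for username, stored in conn.execute("SELECT username, password FROM users ORDER BY username"):
        pw = known_passwords.get(username)
        if pw is None:
            continue
        if stored == pw:
            findings.append(f"{username}: password stored in plaintext")
            continue
        unsalted = {h(pw.encode()).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}
        if stored in unsalted:
            findings.append(f"{username}: unsalted fast hash (precomputed tables apply)")
            continue
        if not stored.startswith("pbkdf2_sha256$"):
            findings.append(f"{username}: unrecognised storage format '{stored[:12]}...'")
            continue
        _, iters, salt_hex, _ = stored.split("$")
        if int(iters) < MIN_ITERATIONS:
            findings.append(f"{username}: only {iters} PBKDF2 iterations")
        if not verify_password(stored, pw):
            findings.append(f"{username}: stored hash does not verify against the known password")
        salts.setdefault(salt_hex, []).append(username)
    # A salt seen on more than one account is static, not per-user.
    for salt_hex, users in salts.items():
        if len(users) > 1:
            findings.append(f"static salt {salt_hex} shared by {', '.join(users)}")
    return findings


# Constructed: the passwords the tester set when creating the accounts.
KNOWN_TEST_ACCOUNTS = {
    "alice": "Winter2024!", "bob": "hunter2", "carol": "correct horse",
    "dave": "Passw0rd", "erin": "s3cure pa55phrase",
}


def run_audit():
    return audit_password_storage(build_sample_db(), KNOWN_TEST_ACCOUNTS)


if __name__ == "__main__":
    for finding in run_audit():
        print("-", finding)
```

Run against the constructed table, the audit flags alice (plaintext), bob (unsalted MD5) and the shared salt on carol and dave, while erin's properly salted PBKDF2 entry passes. The same approach works against a real database: create accounts with known passwords, then SELECT the rows and apply these checks.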
For example, since HTTP is a cleartext protocol, if sensitive data like user credentials are transmitted via HTTP, anyone on the network path can read them, which is a direct threat to application security. Instead of HTTP, sensitive data should be transferred via HTTPS, i.e. inside a TLS tunnel (SSL is its deprecated predecessor and should no longer be offered). The application should also refuse to accept credentials over plain HTTP, rather than merely offering HTTPS as an option that a user or an attacker can downgrade away from.
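The two transit checks from this section (sensitive fields visible in the URL, and sensitive fields sent over cleartext HTTP), as an added example that is not code from the article. The captured requests are constructed samples of what a tester would see in an intercepting proxy while exercising the application's submit actions; the host name and the list of field names treated as sensitive are assumptions.

```python
"""Check captured client-to-server requests for credentials in the URL or over HTTP (added example)."""
from urllib.parse import parse_qs, urlsplit

# Assumed list of form field names that count as sensitive for this application.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "card", "cardnumber", "cvv", "ssn", "token"}


def inspect_request(method, url, body=""):
    """Return findings for one request: sensitive data in the query string and/or sent in cleartext."""
    parts = urlsplit(url)
    query_fields = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    body_fields = {k.lower() for k in parse_qs(body, keep_blank_values=True)}
    in_query = sorted(query_fields & SENSITIVE_FIELDS)
    in_body = sorted(body_fields & SENSITIVE_FIELDS)
    findings = []
    where = f"{method} {parts.scheme}://{parts.netloc}{parts.path}"
    if in_query:
        # Query strings end up in the address bar, browser history, proxy and
        # server logs and the Referer header of the next request.
        findings.append(f"{where}: sensitive fields {in_query} in URL query string")
    if parts.scheme != "https" and (in_query or in_body):
        findings.append(f"{where}: sensitive fields {in_query + in_body} sent over cleartext {parts.scheme}")
    return findings


# Constructed proxy capture: (method, URL, form body)
CAPTURED_REQUESTS = [
    ("GET", "http://shop.example/login?username=alice&password=Winter2024!", ""),
    ("POST", "http://shop.example/login", "username=bob&password=hunter2"),
    ("POST", "https://shop.example/login", "username=carol&password=correct+horse"),
    ("GET", "https://shop.example/checkout?card=4111111111111111&cvv=123&qty=1", ""),
    ("GET", "https://shop.example/catalog?q=gloves", ""),
]


def inspect_capture(requests=CAPTURED_REQUESTS):
    """Map each request's index in the capture to its findings (empty list means nothing flagged)."""
    return {i: inspect_request(*req) for i, req in enumerate(requests)}


if __name__ == "__main__":
    for i, findings in inspect_capture().items():
        status = "ok" if not findings else f"{len(findings)} finding(s)"
        print(f"request {i}: {status}")
        for f in findings:
            print("  -", f)
```

The first request is the worst case the text warns about: the login form submits with GET over HTTP, so the password is both readable in the address bar and readable on the wire. The second moves it into a POST body but still over HTTP; the third is the acceptable form. The checkout request shows that HTTPS alone does not help when card data is placed in the query string, since it still lands in logs and history.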