How to test application security

Guest post originally published on the Snapt blog by Craig Risi

We constantly read about leaks and security attacks that hit well-known applications. Businesses cannot take security for granted. With so much critical data in play, they must prioritize application security and the process of identifying security flaws to ensure apps are safe. 

However, Security Testing (as it is called in the industry) is complex. So many businesses cannot secure their applications because they are unsure how to verify their security in the first place. 

One of the biggest complexities with software security and testing is the pace of change in the number and types of vulnerabilities. While there are ways to secure your code against common vulnerabilities, there might still be security holes from issues with third-party applications, browsers, operating systems, and networking systems that are often beyond your control. By following the testing methods below, you can detect most (if not all) known security risks and fix these problems during development.

1. Make security testing a part of development.
2. Choose your security testing methodology.
3. Select your security tests.
4. Pick your security testing tools.
5. Document your security testing strategy.

Make security testing a part of development

Some development teams steer clear of security testing because they believe it requires niche expertise, and therefore security professionals and ethical hackers should handle it instead. 

While there is a place for those industries, development teams should attempt to address critical security problems before an application goes live (and without relying on the kindness of internet strangers). It’s unfeasible for most businesses to run applications through a security team every time they deploy an update into production, so dev teams need to develop these security skills and capabilities themselves. 

There is a lot that development teams can bring to the table in the security testing process. The more regularly you test your security, the easier it is to maintain security while delivering rapid updates to your application.

Don’t leave security testing until the end of a project. The earlier you can identify and fix problems, the better.

Choose your security testing methodology

Make sure you choose a methodology that matches the scope of testing you agree with your team, the types of security tests you prioritize, and your team’s capabilities.

• Tiger Box testers typically use laptops with various operating systems and hacking tools. This testing helps penetration and security testers conduct vulnerabilities assessment and attacks.
• White Box testers know the internal workings of the target system. This testing shows what might happen if your source code or other confidential information were to leak.
• Black Box testers do not know the internal workings of the target system but are authorized to test everything about the network topology and the technology.
• Grey Box testers receive partial information about the target system. It is a hybrid of white and black box methodologies.

Select your security tests

Mainstream entertainment may show hackers or security professionals as highly sophisticated coders. Still, the truth is that security testing and ethical hacking mostly rely on procedural tests to find flaws rather than programmatic genius.

There are seven main types of security tests and assessments that you must be aware of and consider applying to your software system. 

1. Vulnerability Scanning uses automated software to scan a system against known vulnerability signatures. It will scan your code and look for parts vulnerable to attacks such as SQL or code injection and other known vulnerabilities in specific code packages.
2. Security Scanning involves identifying network and system risks and solutions to reduce these risks. Much like vulnerability scanning, many tools can scan your code to identify these risks. 
3. Security Auditing is an internal inspection of applications and operating systems for security flaws. It can include a line-by-line code audit.
4. Penetration Testing simulates an attack from a malicious hacker. It will analyze a system to check for potential vulnerabilities to an external hacking attempt. Penetration testing differs from ethical hacking (below) because it reproduces a known approach and can be automated.
5. Ethical Hacking is hacking an organization or application to expose and correct security flaws. Ethical hacking employs a group of hackers following an experimental method to find and replicate flaws.
6. Risk Assessment evaluates the different risks to help identify what you should prioritize. Risk assessment classifies risks as Low, Medium, and High and typically includes additional measures to help you make the right decisions in prioritizing and mitigating risks.
7. Posture Assessment is an extension of risk assessment and combines Security Scanning, Ethical Hacking, and Risk Assessments to show an organization’s overall security posture.

Pick your security testing tools

Security testing is heavily reliant on tools for detecting and assessing vulnerabilities. You should be able to choose the right tools to support your test methodology and test procedures. Here are a few standard tools.

OWASP

The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving software security. The project has multiple tools for penetration testing various software environments and protocols. 

Flagship tools of the project include:

• Zed Attack Proxy: an integrated penetration testing tool
• OWASP Dependency-Check: scans for project dependencies and checks against known vulnerabilities
• OWASP Web Testing Environment Project: a collection of security tools and documentation

WireShark

WireShark is a network analysis tool previously known as Ethereal. WireShark captures packets in real-time and displays them in a human-readable format. 

It is a network packet analyzer that provides details about your network protocols, decryption, packet information, etc. You can read the information in WireShark’s GUI or the TTY mode TShark Utility.

WireShark is open source and works on Linux, Windows, macOS, Solaris, NetBSD, FreeBSD, and many other systems. 

W3af

w3af is a web application attack and audit framework. It has three types of plugins: Discovery, Audit, and Attack. These plugins communicate with each other. For example:

• The Discovery plugin looks for URLs to test for vulnerabilities and forwards them to the Audit plugin.
• The Audit plugin searches the URLs for vulnerabilities and forwards them to the Attack plugin.
• The Attack plugin tries to exploit the vulnerabilities.

Document your security testing strategy

The final step to testing application security is to document your testing strategy and procedures. Your development team needs to know when and how to test for security. 

Organizations often neglect this step in favor of a flexible ad-hoc approach—however, security benefits from clear documentation for auditing, repeatability, and proper knowledge transfer. A well-documented strategy will ensure your testing is safe, approved, and effective at addressing problems.

Your security testing strategy document should include the following.

• Test scope, timing, safety, and responsibilities
• Test methodologies
• Test cases or scenarios
• Test tools
• Test procedures, including schedules, approvals, and monitoring
• Problem resolution procedures
• Example test data
• Analysis of test outputs from different security tools

Conclusion

You mustn’t compromise application security, so you need a solid strategy for security testing. Firewalls and SecOps teams can only do so much – they cannot compensate for an application riddled with security holes. The best security strategy starts early – in development, so your development team should adopt routine security testing.

Prioritize it, plan it, and document it. Your customers will thank you later.