The recent security breach of Yahoo user accounts have created ripples globally. Besides being the largest breach in the history of the Internet, (it affected 1 billion accounts), the security mishap has also broken Yahoo’s own humiliating record of the September 2016 which affected half a billion users. Since 2013, the company has been in the news for all the wrong reasons. Hackers have been able to steal names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords. Experts fear that this information could be used as a precursor to retrieve more sensitive information.
What caused the breach?
The December 2016 breach traces back to 2013 when customer data linked to 1 billion accounts was stolen. A lot of this data was unencrypted, making it super easy to be read. The lack of sufficient security mechanisms and flaws in the existing security systems led to the attack of such a size and scale.
Why is Security Testing important?
Computers are connected globally more than ever before. The increasing extensibility and complexity of systems have imposed a pressing need for government, businesses and organizations to act before it’s too late, and not take security for granted if they have never been attacked before.
The purpose of security testing is to ensure that protected data can only be accessed in an authorized manner, and unauthorized access is restricted. The process of testing is carried out in a controlled environment, usually by people called ethical hackers, to reveal potential loopholes that attackers can use to gain unauthorized access to applications.Known aspenetration testing, this is one of the commonly usedapproaches and it is performed after the application is ready.
Functions of Security Testing
An application is said to be adequately secure, if it fulfills the following parameters:
- Confidentiality – it ensures that information is disclosed to none other than the intended parties
- Integrity – it ensures that information is protected against manipulation/modification under all circumstances
- Authentication – confirming identity of individuals, authenticity of products and programs etc.
- Authorization – establishing whether or not an individual is allowed access a service or perform an operation
- Availability – ensuring that information and/or communication is available and ready for use by authorized persons
- Non-repudiation – assurance that the sender or receiver cannot deny the authenticity of their digital signatures
How to perform Security Testing?
Some common approaches and techniques to security testing along with their scope are briefly given below:
- Access to application – done through roles and rights management
- Brute-force attack – securing against repeated logins by hackers who guess passwords using tools, by installing account suspension mechanisms such as blocking the account or suspending it.
- Data Protection – to ensure that a given user views only what he/she is supposed to, and to check how data is stored in the database.
- SQL Injection and XSS – by defining maximum lengths of input fields and checking for anonymous access methods to prevent a website from being manipulated.
The Open Web Application Security Project (OWASP) is a security testing standard/guide. The OWASP community has also created a knowledge repository of articles providing guidance on the techniques to use when building a testing program:
- Manual Inspections and Reviews – to test for security consequences of people, policies and processes
- Threat Modeling – risk assessment for applications from attacker’s perspective
- Code Review – manual checking of the source code of an application to unearth security threats
- Penetration Testing – ethical hacking; testing a running application remotely to discover vulnerabilities
With so many approaches and techniques, the task of security testing can be intimidating because it can be difficult to choose the approach best suited to one’s application. Moreover, techniques often must be used in conjunction with one another to develop a robust testing standard that ensures security against all possible threats. The OWASP recommends a balanced approach that tests as the application is built.
When to perform Security Testing?
The ideal thing to do is to incorporate testing mechanisms into each of the phases that make up a Software Development Life Cycle (SDLC). Broadly speaking, a SDLC consists of the following elements, though these can be (and should be) customized to suit application needs:
Since SDLC is commonly known to developers, it becomes all the more lucrative to induce security into it and leverage the procedures that are already in place.