Security Testing 101

A comprehensive security testing process must keep pace with vulnerabilities and potential threats to help developers fortify their products, identify loopholes and remedy them to protect individuals and organisations from cyber attack.

There are several examples of data theft and security issues with mobile and web applications.

While security issues that affect prominent institutions and large organisations are reported in the media, it is a major problem inflicting firms and institutions of all sizes – from startups and SMEs to large corporations.

Of course, this means that developers and the testing community is constantly working towards making software more robust, defensible and secure.

A Markets and Markets report suggests that security testing market will be worth $4.96 billion by 2019, up from $2.47 billion in 2014.

Cloud, mobile, Internet of Things – all these are set to boost app usage across devices, increased data aggregation online, and thereby, greater data vulnerability and the need for a robust security testing services process.

A 2015 NetDiligence Survey shows that the most vulnerable segments for cybercrime are the Healthcare, Financial, Legal, and Retail industries.

While cybercrime against large banks, retailers, and federal agencies become news, small and medium businesses are not immune to it.

A Microsoft estimate suggests that 20 per cent of small to mid-sized businesses have been cybercrime targets.

Three Kinds of Hackers

A system can be penetrated by three kinds of hackers:

• Black hat hackers breach internet security to penetrate networks
• White hat hackers are ethical hackers who mostly test vulnerabilities and enable developers to enhance the security
• Grey hat hackers typically are hackers from within the system, breaching protocols

Six Kinds of Security Vulnerabilities

Penetration can be of different types, broadly categorised as follows:

Web parameter tampering: 

The user manipulates parameters exchanged between client and server and modifies application data such as user credentials, permissions, price or quantity of products, etc. for their benefit.

Database Tampering: 

compromising the databases that support the system and store data critical for business or running of the app

Cookie Stealing: 

A validcomputer session is exploited to gain unauthorized access

Cross-site Scripting: 

An attacker injects malicious scripts on the client-side code to redirect the website link.

Cross-site Request Forgery: 

Also called one-click attack or session riding, unauthorised commands from a user that the website trusts are transmitted. This is also called phishing and is used to acquire sensitive information such as usernames, passwords, and credit card details, and sometimes, indirectly, even money.

Privilege Escalation: 

To hack into a senior’s ID and misuse privileges.

How Safe Are You?

It is not just large organisations that are vulnerable. Every organisation stores its financials, HR details and client details on its system, and is therefore of interest to attackers looking to make a quick buck capitalising on any loophole in any system.

Most computers run Oracle Java, Adobe Reader or Adobe Flash and all of these are vulnerable to cyber attacks.

According to one estimate, nearly 59 per cent of employees steal proprietary corporate data at the time of quitting or being fired; or there could be malicious intentions. Careless insiders are another potential security threat.

Why Security Testing

• A white hat hacker, also called ethical hacker, tests for vulnerabilities in a focused and knowledgeable manner, thus identifying possible penetration risks.
• Data integrity and functionality are assured.
• Information leakage due to encryption, firewall, or other software, also is exposed.
• It helps strengthen the software against potential attack.