Introduction to security auditing
Security audit is the final and the most important step in implementing security defenses. When you build your service, you always have to remember to make it as safe as possible. The bigger it is, the most important its security is. The first step is to run a risk analysis in order to find possible holes and find out what type of attacks you can expect. The second step is to develop a proper policy to defend against them. Finally, you undertake a security audit to check if it really works.
What type of tests can we use?
In order to check for possible attacks, we can use penetration testing (informally pen test). They are controlled attacks that look for security weaknesses. Their goal is to check our security system against known possible threats and return the report (what do we need to improve?). Thanks to that we can identify which defenses are effective and which ones (if any) are defeated and need to be fixed. A penetration test target may be either white box (provides background and system information) or black box (provides only basic information or no information at all except the company name).
We’ve compiled some Websites and Tools that can help you learn more about Penetration Testing:
Risk-based testing (RBT)
In this kind of test we prioritize and emphasize what risks are the most important to us. With this knowledge we can choose and prepare proper tests during test execution. Shortly – we can call “risk” to an undesirable outcome which we want to ensure that it won’t happen. There is not always enough time to efficiently check all security areas, so risk-based testing concerning the functionality of the systems that have the highest impact and probability of failure can be the best choice.
We can summarize the whole idea of Risk-based testing in a few points:
- it starts from the early beginning. We try to define the most
dangerous threats and with this knowledge we try to prepare
proper plans for testing.
as it accompanies us during the whole development process, it’s
very helpful in reducing the likelihood of defects and creating
working workarounds (and test them as well).
allows us to define what threats are the most
dangerous to us and which ones we still have to work on.
it measures how well we are doing in reducing the probability of
failure. If we know we can’t deal with something, we can search for tools and people to help.
Heuristic Risk-Based Testing
How to choose what to test more and less
What is Risk Based Testing in Software testing?
Risk Based Testing, Strategies for Prioritizing Tests against Deadlines
Risk-Based Testing What It Is and How You Can Benefit
RBT Tutorial at guru99
Most common type of attacks
Cross-Site Request Forgery (CSRF) is a very simple attack. It basically uses two facts. One, communication between server and client is based on requests. Two, cookies are sent automatically to the server. CSRF attack allows an attacker to execute authenticated actions without user knowledge and approval. It depends mainly on forcing the browser to execute malicious requests and using an user logged in status. Learn more about CSRF:
What is CSRF?
Cross-Site Request Forgery Guide: Learn All About CSRF Attacks and CSRF Protection
CSRF Attacks, XSRF or Sea-Surf – What They Are and How to Defend Against Them
How to Prevent Cross Site Request Forgery (CSRF) Attacks in PHP
Do Your Anti-CSRF Tokens Really Protect Your Web Apps from CSRF Attacks?
Robust Defenses for Cross-Site Request Forgery
You can also take a look here for more information:
While XSS works on the client side, the SQL Injection uses databases. SQL Injection attack uses the form system in order to manipulate the data. Let’s say your query look like this:
If attacker changes the proper id to the string like this
1' OR '1'='1, your query will look like this:
= '1' OR '1'='1'
…and in result it will delete all the users from the table.
In order to understand this better you can watch a great Computerphile video about this subject.
Other links for more info:
The Denial of Service (DoS) is a type of attack that is focused on making a resource unavailable. It uses a mechanism of sending massive amount of requests to the server making it incapable of returning the result. It’s a very common attack and not so hard to prepare. It’s often hard to defend against it because defining if a request is valid or if it’s an attack is not always so easy. Learn more about DoS:
How to prevent those attacks if you’re not an expert?
Most important of all, use solid solutions. Don’t try to reinvent the wheel and to do everything your way. Before building your application try to find a solid base. Check for secure and popular frameworks. They’re often made by experts and their popularity makes them really secure. No one is perfect, but if they’re checked everyday by its users, the holes and errors are easy to eliminate. Deciding to stick with your hand-made framework could bring a lot of harm if an attack really occurs. You can also use security frameworks in order to help yourself in security auditing. Learn more about them here.
Try popular tools. Don’t be afraid of using the captcha mechanism, testing automation tools and so on. There are many of them in the market. You could check SoapUI, TestingWhiz… It could really make your life easier.
If you can afford it, the ideal situation would be to hire an external professional team. It’s the most expensive case but surely the best one. Try to find an expert to back you up in terms of security. It can be really useful. He will always see a lot more than you because he knows more about the threats out there. If you can’t afford an expert for a whole development process, try to find him after finishing the job. Make him check security and after all…
…do a quality security audit. And if the results aren’t perfect repeat the whole process. It’s pointless to carry it and ignore the results. Also, don’t check only for holes. Check efficiency of the security improving solutions. For instance, if you deploy a strong password changing policy, make sure there is no way to bypass this function. Let’s say you require changing password every week. If you don’t design it well, you could, for instance, give the user possibility to change it just only to return to the old password after a minute. Password has been changed? Yes! But… it won’t do any good.
Try to be as detailed as you can. Check for everything, not only for most common type of attacks. Even big names we all have heard of have been the victims of imperfect security systems. Thus, it is certainly not a piece of cake.
Does good security auditing make you completely secure? Not really. They say, your security audit is as good as the auditors, but there aren’t perfect tools and perfect people. However… try to make it as safe as possible. If you are going for a poor audit, better to not do it at all. Weak security auditing can leave you with a false sense of security that is extremely dangerous for your organization.
So if you do it, and you should, try to be as effective as you can. There can be no shortcuts! Use the best tools, hire the best auditors, do the most detailed audits and don’t try to save some money here! If you save it now, there’s a very high risk of losing it in the future.