Marlabs Test Digest January 2014
January 2014, Volume V
Marlabs

Inside this issue:
Security Testing: An Overview  (page 2)
Marlabs Testing Updates  (page 6)
Quality News & Views  (page 7)
Know Your Mate  (page 8)
Cartoon Space  (page 8)

We look forward to collaboratively expanding the growth of Testing services at Marlabs and to making 2014 a successful year for all of us.
TEST DIGEST © 2014 MARLABS SOFTWARE PVT LTD    PAGE 2
In 2009, Heartland Payment Systems, Inc., a leading provider of debit, prepaid and credit card processing that handles more than 11 million transactions a day and more than $120 billion in transactions a year, acknowledged that it had been the target of a data breach in which 134 million credit and debit cards were exposed to fraud. A group of hackers used SQL injection, one of the most common attack techniques, to install spyware on Heartland's data systems and steal the card data. This could have been avoided if proper and complete security testing had been performed on the application. Attacks targeting web applications are clearly on the rise, and stories like this are all too common. Common flaws such as SQL injection, cross-site scripting, poor input validation and broken authentication make it possible for attackers to infiltrate these applications, disrupt their availability, and destroy or steal sensitive private information such as Social Security numbers and credit card numbers. Vulnerable web applications not only allow these miscreants to steal and manipulate information within the application itself, but also let them use it as an entry point into the corporate network and back-end applications.
In order to understand security testing, we first have to understand what security is:
What is Security?
Security is the set of measures that protect an application against unforeseen actions that would cause it to stop functioning or be exploited. Unforeseen actions can be either intentional or unintentional.
What is Security Testing?
Security testing ensures that the systems and applications of an organization are free from loopholes that could cause a significant loss. Security testing of any system is about finding all possible loopholes and weaknesses in the system that might result in loss of information at the hands of employees or outsiders of the organization.
Ashwani Singha
The goal of security testing is to identify threats to the system and measure its potential vulnerabilities. Security testing of any application or software should cover the six basic security concepts:
1. Confidentiality: A security measure that protects against the disclosure of information to parties other than the intended recipient.
2. Integrity: A measure intended to allow the receiver to determine that the information it receives is correct and has not been altered.
3. Authentication: The process of establishing the identity of the user. Authentication can take many forms, including but not limited to passwords, biometrics and radio frequency identification (RFID).
4. Authorization: The process of determining that a requester is allowed to receive a service or perform an operation.
5. Availability: Assuring that information and communication services will be ready for use when expected. Information must be kept available to authorized persons when they need it.
6. Non-repudiation: A measure intended to prevent the later denial that an action happened or that a communication took place. In communication terms this often involves the exchange of authentication information combined with some form of provable timestamp.
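As an added illustration, not part of the newsletter, of how the integrity, authentication and timestamp ideas in concepts 2, 3 and 6 look in code: the sender stamps a message with the current time and attaches an HMAC-SHA256 tag; the receiver recomputes the tag in constant time and rejects altered, wrongly keyed or stale messages. The shared key, the sample order payload and the 300-second acceptance window are assumed values chosen for the example. One caveat a practitioner should keep in mind: an HMAC under a shared key gives integrity and origin authentication between the two key holders, but not non-repudiation in the strict sense, since either holder could have produced the tag; that needs a digital signature.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example only (assumed; a real key comes from a key store).
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_AGE_SECONDS = 300  # assumed acceptance window for the timestamp


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(message: dict, key: bytes, now: float) -> dict:
    """Sender side: stamp the message with the current time and attach an HMAC-SHA256 tag."""
    body = dict(message, ts=int(now))
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(envelope: dict, key: bytes, now: float, max_age: int = MAX_AGE_SECONDS) -> tuple:
    """Receiver side: returns (accepted, reason).

    Integrity/authentication: recompute the tag and compare in constant time.
    Freshness: reject a timestamp outside the window, which limits replay of an old message.
    """
    body = envelope.get("body")
    tag = envelope.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return False, "malformed envelope"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "integrity check failed"
    ts = body.get("ts")
    if not isinstance(ts, int) or abs(int(now) - ts) > max_age:
        return False, "timestamp outside acceptance window"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: a genuine message, a tampered copy, a late replay and a wrong key."""
    sent_at = 1_700_000_000.0
    order = {"account": "A-1001", "amount": 250}  # constructed sample payload
    env = protect(order, SHARED_KEY, sent_at)

    # Attacker-style modification of the body without knowledge of the key: the tag no longer matches.
    tampered = {"body": dict(env["body"], amount=25000), "tag": env["tag"]}
    return {
        "genuine": verify(env, SHARED_KEY, sent_at + 10),
        "tampered": verify(tampered, SHARED_KEY, sent_at + 10),
        "replayed_late": verify(env, SHARED_KEY, sent_at + 3600),
        "wrong_key": verify(env, b"some-other-key", sent_at + 10),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:14s} accepted={ok} reason={reason}")
```

The receiver checks the tag before it looks at the timestamp, so an attacker cannot learn anything about the freshness rule from a message whose tag is wrong, and `hmac.compare_digest` keeps the comparison time independent of how many leading characters of the tag happen to match.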
Integration of security processes with the SDLC:
One of the most common questions is when to perform security testing. Most people believe that the effective way to perform security testing is once the application is completely developed and deployed to a production-like environment (often referred to as the Staging or Pre-Prod environment). But it is more effective when implemented during every phase of the SDLC. It is generally agreed that the cost will be higher if security testing is postponed until after the implementation phase or after deployment. So it is necessary to bring security testing into the earlier phases of the SDLC. Let's look at the corresponding security processes to be adopted for every phase of the SDLC:
SDLC Phase                Security Process
Requirements              Security analysis of the requirements; review of abuse/misuse cases
Design                    Security risk analysis of the design; development of a test plan that includes security tests
Coding and Unit Testing   Static and dynamic testing; security white-box testing
Integration Testing       Black-box testing
System Testing            Black-box testing and vulnerability scanning
Implementation            Penetration testing and vulnerability scanning
Support                   Impact analysis of patches
Application Security
Application security is the use of software, hardware and procedural methods to protect applications from external threats.
Application Security Testing Objectives
The major objectives of application security testing are to:
1. Identify and understand the existing vulnerabilities
2. Provide recommendations and corrective actions for improvement
3. Examine and analyze the safeguards of the system and its operational environment
How to Approach Application Security Testing:
There are many ways to perform application security testing, but a key approach is Web Application Penetration Testing (WAPT). WAPT is a legally authorized, non-functional assessment carried out to identify loopholes or weaknesses, otherwise known as vulnerabilities. These vulnerabilities, when exploited by a malicious user (attacker/hacker), may affect the confidentiality, integrity and availability of the web application and/or the information it distributes. Some of the vulnerabilities plaguing web applications are SQL Injection (Structured Query Language Injection), XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), Remote File Inclusion, etc. Apart from these, vulnerabilities may exist in the underlying infrastructure, such as the operating system, web server, application server and database server. WAPT therefore aims at identifying and reporting the presence of these vulnerabilities.
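The SQL injection flaw named in the introduction and in the list above, as an added example that is not part of the newsletter: the same record lookup written in the vulnerable string-concatenation form that a WAPT engagement looks for, beside the parameterized form that fixes it, plus an allowlist check covering the "poor input validation" flaw. The `cards` table, its rows and the holder-name pattern are constructed for the example; the in-memory SQLite database stands in for a real back end.

```python
import re
import sqlite3

# Assumed policy for this example: a holder name is a short token of safe characters.
HOLDER_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def make_db() -> sqlite3.Connection:
    """In-memory table populated with constructed sample rows (not real card data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO cards (holder, pan_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, holder: str) -> list:
    # The flaw: the caller's string is pasted into the SQL text, so quote
    # characters inside it change the structure of the statement itself.
    sql = f"SELECT holder, pan_last4 FROM cards WHERE holder = '{holder}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, holder: str) -> list:
    # The fix: the value is bound as a parameter and is never parsed as SQL,
    # so it can only ever be compared against the holder column.
    sql = "SELECT holder, pan_last4 FROM cards WHERE holder = ?"
    return conn.execute(sql, (holder,)).fetchall()


def is_valid_holder(value: str) -> bool:
    """Defence in depth: reject input that does not match the expected shape before it reaches the query."""
    return HOLDER_PATTERN.fullmatch(value) is not None


def compare(holder: str) -> dict:
    """Run one input through the input check and both query styles for side-by-side inspection."""
    conn = make_db()
    try:
        return {
            "input_valid": is_valid_holder(holder),
            "vulnerable_rows": lookup_vulnerable(conn, holder),
            "parameterized_rows": lookup_parameterized(conn, holder),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal name behaves the same either way; a quoted input shows the difference.
    for sample in ("alice", "x' OR '1'='1"):
        print(repr(sample), compare(sample))
```

For the normal name both queries return the single matching row; for the quoted input the concatenated query returns every row in the table while the parameterized query returns none, and the allowlist rejects it before any query is built. Parameterization is the fix; the allowlist is an extra layer, not a substitute for it.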
Benefits of WAPT:
1. Proactive protection of information assets against hacking and unauthorized intrusions
2. Insight into the current security posture of the given web application
3. A hacker's-eye view of the web application
4. Helps reduce costs and improves goodwill and brand value
WAPT Methodology Overview:
WAPT is carried out in phases in order to ensure optimum coverage while at the same time simulating the fluid actions of a real hacker. The following figure depicts the flow:
“There are 10 types of people in this world: those who understand binary and those who don’t.” -- Anonymous
There are five phases to performing WAPT on the application under test.
Phase 1: Information Gathering
This is the most critical phase in the methodology, as all further phases depend on it. In this phase, information about the target web application is collected. It includes details of all software, hardware, servers, end users and the information provided by the application.
Phase 2: Planning and Analysis
All the data gathered in the previous phase is converted into usable information in the form of a customized test plan. An important step in this phase is to prepare a checklist of the tasks, areas (URLs) and applicable vulnerabilities to cover.
Phase 3: Vulnerability Assessment
This phase can also be described as the active information gathering phase. Various automated scans are run against the target application and its underlying infrastructure (servers and network) to obtain a list of all the areas within the application that could be exploited by hackers or are vulnerable to malicious attacks. There are many vulnerability assessment tools, such as Nessus and SARA, that can be used to perform the assessment.
Phase 4: Attack/Penetration
In this phase the actions of a web application hacker are emulated. Based on the information gathered and analyzed in the previous phases, and following the customized test plan, attacks are carried out to confirm the presence of vulnerabilities in the application. The techniques and tools used should be the same as those used by a real hacker, in order to gain a hacker's-eye view of the application. There are many automated tools that can be used to perform a pen test. In most cases a single tool does not fulfil the entire requirement, so a combination of tools is required to get the maximum result. WebScarab, Nmap, Burp Suite, IBM AppScan, Acunetix Vulnerability Scanner and HP WebInspect are a few of the tools that can be used to perform a pen test.
Phase 5: Reporting
At the end of the Attack/Penetration phase a comprehensive report is prepared, detailing each finding, assigning a suitable severity level to each, delineating the steps necessary to reproduce the vulnerability, and recommending how to address every vulnerability found during the assessment.
Top 10 List of Web Application Security Threats
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Most companies that perform security testing follow the OWASP model and its top threats to validate their applications. Based on the ongoing trends and attacks in the web world, OWASP prepares a top 10 list of web application security threats every 3 years. On June 6, 2013, the OWASP Foundation released the official updated Top 10 web vulnerabilities list for 2013 onwards. These top ten threats should always be considered when performing security testing on any web application.
For the current list of top 10 threats, please refer to
https://www.owasp.org/index.php/Top_10_2013-Top_10
“Everything is theoretically impossible, until it is done.” – Robert A. Heinlein
Marlabs Testing Updates

Webinars >>

Website Security Webinars & Presentations
A collection of presentations and webinars focused on web application security
https://www.whitehatsec.com/resource/presentation.html

Testing Principles through Story Telling
Understanding the testing principles through stories
http://www.techgig.com/webinars/Testing-Principles-through-Story-Telling-460

Testing @ Cross Roads
The evolution of testing through the evolution of disruptive and emerging technologies
http://www.techgig.com/webinars/Testing-Cross-Roads-457

Cloud Security for e-commerce & banking
Ways to implement security in a cloud environment
http://www.techgig.com/expert-speak/IT-Security-Series-Session-6-Cloud-Security-for-e-commerce-banking-348

A Web Security Testing Program With OWASP ZAP And ThreadFix
Webinar recording on running a web security testing program with OWASP ZAP and ThreadFix
http://blog.denimgroup.com/denim_group/2013/04/webinar-recording-online-running-a-web-security-testing-program-with-owasp-zap-and-threadfix.html

eBooks, Whitepapers & Columns >>

Automated Security Testing of web applications using OWASP Zed Attack Proxy
This article covers the security testing tool ZAP
https://blog.codecentric.de/en/2013/10/automated-security-testing-web-applications-using-owasp-zed-attack-proxy/

SANS Mobile Application Security Whitepaper
Covers the current state of organizational awareness of mobile application risk and how enterprises are mitigating it
https://info.veracode.com/whitepaper-sans-mobile-application-security.html

A Strategic Approach to Web Application Security
This white paper breaks down the total cost factors of web application security by the risk categories associated with successful attacks
https://www.whitehatsec.com/resource/whitepapers.html

SQL Injection Cheat Sheet
Find out how attackers exploit SQL flaws and how to fix and prevent SQL injection vulnerabilities
https://info.veracode.com/sql-injection-cheat-sheet.html

ThreadFix Open Source Software Vulnerability Management Tool
This document covers the security testing tool ThreadFix
http://www.denimgroup.com/resources-threadfix/

Cyber-Security Risks in Public Companies
A study of software-related cyber-security risks in public companies
https://info.veracode.com/state-of-software-security-volume-4-supplement.html
Rajesh Sundararajan
Sriharsha Kumar B R
Murali Dubutavalu
Varaprasadarao Yarra

Weitere ähnliche Inhalte

Mehr von Marlabs

Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceMarlabs
 
Cognitive Computing - A Primer
Cognitive Computing - A PrimerCognitive Computing - A Primer
Cognitive Computing - A PrimerMarlabs
 
The Internet of Things : Developing a Vision
The Internet of Things : Developing a VisionThe Internet of Things : Developing a Vision
The Internet of Things : Developing a VisionMarlabs
 
Mahesh Eswar, Chief Revenue Officer at Marlabs, speaks at NJTC event, 'Breakf...
Mahesh Eswar, Chief Revenue Officer at Marlabs, speaks at NJTC event, 'Breakf...Mahesh Eswar, Chief Revenue Officer at Marlabs, speaks at NJTC event, 'Breakf...
Mahesh Eswar, Chief Revenue Officer at Marlabs, speaks at NJTC event, 'Breakf...Marlabs
 
Marlabs Capabilities Overview: Energy and Utilities
Marlabs Capabilities Overview: Energy and UtilitiesMarlabs Capabilities Overview: Energy and Utilities
Marlabs Capabilities Overview: Energy and UtilitiesMarlabs
 
Marlabs Capabilities Overview: Telecom
Marlabs Capabilities Overview: Telecom Marlabs Capabilities Overview: Telecom
Marlabs Capabilities Overview: Telecom Marlabs
 
Marlabs Capability Overview: Insurance
Marlabs Capability Overview: Insurance Marlabs Capability Overview: Insurance
Marlabs Capability Overview: Insurance Marlabs
 
Marlabs Capabilities Overview: Education and Media - Publishing
Marlabs Capabilities Overview: Education and Media - Publishing Marlabs Capabilities Overview: Education and Media - Publishing
Marlabs Capabilities Overview: Education and Media - Publishing Marlabs
 
Marlabs Capabilities Overview: Banking and Finance
Marlabs Capabilities Overview: Banking and Finance Marlabs Capabilities Overview: Banking and Finance
Marlabs Capabilities Overview: Banking and Finance Marlabs
 
Marlabs Capabilities Overview: Airlines
Marlabs Capabilities Overview: AirlinesMarlabs Capabilities Overview: Airlines
Marlabs Capabilities Overview: AirlinesMarlabs
 
Marlabs Capabilities: Healthcare and Life Sciences
Marlabs Capabilities: Healthcare and Life SciencesMarlabs Capabilities: Healthcare and Life Sciences
Marlabs Capabilities: Healthcare and Life SciencesMarlabs
 
Marlabs Capabilities: Retail
Marlabs Capabilities: Retail Marlabs Capabilities: Retail
Marlabs Capabilities: Retail Marlabs
 
Marlabs Services Capabilities Overview
Marlabs Services Capabilities OverviewMarlabs Services Capabilities Overview
Marlabs Services Capabilities OverviewMarlabs
 
Marlabs Capability Overview: Web Development, Usability Engineering Services
Marlabs Capability Overview: Web Development, Usability Engineering ServicesMarlabs Capability Overview: Web Development, Usability Engineering Services
Marlabs Capability Overview: Web Development, Usability Engineering ServicesMarlabs
 
Marlabs Capabilities Overview: QA Services
Marlabs Capabilities Overview: QA ServicesMarlabs Capabilities Overview: QA Services
Marlabs Capabilities Overview: QA ServicesMarlabs
 
Marlabs Capabilities Overview: India Professional Services
Marlabs Capabilities Overview: India Professional ServicesMarlabs Capabilities Overview: India Professional Services
Marlabs Capabilities Overview: India Professional ServicesMarlabs
 
Marlabs Capabilities Overview: Infrastructure Services
Marlabs Capabilities Overview: Infrastructure ServicesMarlabs Capabilities Overview: Infrastructure Services
Marlabs Capabilities Overview: Infrastructure ServicesMarlabs
 
Marlabs Capabilities Overview: SMAC Services
Marlabs Capabilities Overview: SMAC ServicesMarlabs Capabilities Overview: SMAC Services
Marlabs Capabilities Overview: SMAC ServicesMarlabs
 
Marlabs Capabilities Overview: ODC Services
Marlabs Capabilities Overview: ODC Services Marlabs Capabilities Overview: ODC Services
Marlabs Capabilities Overview: ODC Services Marlabs
 
Marlabs Capabilities Overview: Microsoft Office 365
Marlabs Capabilities Overview: Microsoft Office 365Marlabs Capabilities Overview: Microsoft Office 365
Marlabs Capabilities Overview: Microsoft Office 365Marlabs
 

Mehr von Marlabs (20)

Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cognitive Computing - A Primer
Cognitive Computing - A PrimerCognitive Computing - A Primer
Cognitive Computing - A Primer
 
The Internet of Things : Developing a Vision
The Internet of Things : Developing a VisionThe Internet of Things : Developing a Vision
The Internet of Things : Developing a Vision
 
Mahesh Eswar, Chief Revenue Officer at Marlabs, speaks at NJTC event, 'Breakf...
Mahesh Eswar, Chief Revenue Officer at Marlabs, speaks at NJTC event, 'Breakf...Mahesh Eswar, Chief Revenue Officer at Marlabs, speaks at NJTC event, 'Breakf...
Mahesh Eswar, Chief Revenue Officer at Marlabs, speaks at NJTC event, 'Breakf...
 
Marlabs Capabilities Overview: Energy and Utilities
Marlabs Capabilities Overview: Energy and UtilitiesMarlabs Capabilities Overview: Energy and Utilities
Marlabs Capabilities Overview: Energy and Utilities
 
Marlabs Capabilities Overview: Telecom
Marlabs Capabilities Overview: Telecom Marlabs Capabilities Overview: Telecom
Marlabs Capabilities Overview: Telecom
 
Marlabs Capability Overview: Insurance
Marlabs Capability Overview: Insurance Marlabs Capability Overview: Insurance
Marlabs Capability Overview: Insurance
 
Marlabs Capabilities Overview: Education and Media - Publishing
Marlabs Capabilities Overview: Education and Media - Publishing Marlabs Capabilities Overview: Education and Media - Publishing
Marlabs Capabilities Overview: Education and Media - Publishing
 
Marlabs Capabilities Overview: Banking and Finance
Marlabs Capabilities Overview: Banking and Finance Marlabs Capabilities Overview: Banking and Finance
Marlabs Capabilities Overview: Banking and Finance
 
Marlabs Capabilities Overview: Airlines
Marlabs Capabilities Overview: AirlinesMarlabs Capabilities Overview: Airlines
Marlabs Capabilities Overview: Airlines
 
Marlabs Capabilities: Healthcare and Life Sciences
Marlabs Capabilities: Healthcare and Life SciencesMarlabs Capabilities: Healthcare and Life Sciences
Marlabs Capabilities: Healthcare and Life Sciences
 
Marlabs Capabilities: Retail
Marlabs Capabilities: Retail Marlabs Capabilities: Retail
Marlabs Capabilities: Retail
 
Marlabs Services Capabilities Overview
Marlabs Services Capabilities OverviewMarlabs Services Capabilities Overview
Marlabs Services Capabilities Overview
 
Marlabs Capability Overview: Web Development, Usability Engineering Services
Marlabs Capability Overview: Web Development, Usability Engineering ServicesMarlabs Capability Overview: Web Development, Usability Engineering Services
Marlabs Capability Overview: Web Development, Usability Engineering Services
 
Marlabs Capabilities Overview: QA Services
Marlabs Capabilities Overview: QA ServicesMarlabs Capabilities Overview: QA Services
Marlabs Capabilities Overview: QA Services
 
Marlabs Capabilities Overview: India Professional Services
Marlabs Capabilities Overview: India Professional ServicesMarlabs Capabilities Overview: India Professional Services
Marlabs Capabilities Overview: India Professional Services
 
Marlabs Capabilities Overview: Infrastructure Services
Marlabs Capabilities Overview: Infrastructure ServicesMarlabs Capabilities Overview: Infrastructure Services
Marlabs Capabilities Overview: Infrastructure Services
 
Marlabs Capabilities Overview: SMAC Services
Marlabs Capabilities Overview: SMAC ServicesMarlabs Capabilities Overview: SMAC Services
Marlabs Capabilities Overview: SMAC Services
 
Marlabs Capabilities Overview: ODC Services
Marlabs Capabilities Overview: ODC Services Marlabs Capabilities Overview: ODC Services
Marlabs Capabilities Overview: ODC Services
 
Marlabs Capabilities Overview: Microsoft Office 365
Marlabs Capabilities Overview: Microsoft Office 365Marlabs Capabilities Overview: Microsoft Office 365
Marlabs Capabilities Overview: Microsoft Office 365
 

Kürzlich hochgeladen

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Kürzlich hochgeladen (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Marlabs Test Digest January 2014

  • 1. January 2014 Marlab’s I N S I D E T H I S I S S U E : Security Testing : An Overview 2 Marlabs Testing Updates 6 Quality News & Views 7 Know Your Mate 8 Cartoon Space 8 We look forward to collaboratively expand the growth of Testing services at Marlabs and make 2014 a successful year for all of us. Volume V
What is Security testing?
Security testing ensures that an organization's systems and applications are free from weaknesses that could cause a serious loss. Security testing of any system is about finding all possible loopholes and weaknesses of the system that might result in loss of information at the hands of employees or outsiders of the organization.

Ashwani Singha
The goal of security testing is to identify threats to the system and measure its potential vulnerabilities. Security testing of any application or software should cover the six basic security concepts:

1. Confidentiality: A security measure that protects against the disclosure of information to parties other than the intended recipient.
2. Integrity: A measure that lets the receiver determine that the information it received is correct and has not been altered, in transit or at rest.
3. Authentication: The process of establishing the identity of the user. Authentication can take many forms, including but not limited to passwords, biometrics and radio-frequency identification (RFID).
4. Authorization: The process of determining that a requester is allowed to receive a service or perform an operation.
5. Availability: Assuring that information and communication services will be ready for use when expected. Information must be available to authorized persons when they need it.
6. Non-repudiation: A measure intended to prevent the later denial that an action happened or that a communication took place. In communication terms this often involves the exchange of authentication information combined with some form of provable time stamp.

Integration of security processes with the SDLC:
One of the most common questions is when to perform security testing. Many people believe that the most effective way is to test once the application is completely developed and deployed to a production-like environment (often referred to as Staging or Pre-Prod). It is far more effective, however, when security testing is carried out in every phase of the SDLC: the cost of fixing a flaw rises sharply when its discovery is postponed until after the implementation phase or after deployment. So it is necessary to involve security testing in the earlier phases of the SDLC.
Let's look at the corresponding security processes to be adopted for every phase of the SDLC:

SDLC Phase               Security Processes
Requirements             Security analysis of the requirements; check abuse/misuse cases
Design                   Security risk analysis of the design; development of a test plan that includes security tests
Coding and Unit Testing  Static and dynamic testing; security white-box testing
Integration Testing      Black-box testing
System Testing           Black-box testing and vulnerability scanning
Implementation           Penetration testing and vulnerability scanning
Support                  Impact analysis of patches
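The "Coding and Unit Testing" row above calls for security white-box tests. As an added example (not code from the article or from Marlabs), here is what such a test looks like for the SQL injection class of flaw the article discusses: a login query built by string concatenation next to its parameterized fix, with a check that the classic bypass payload defeats the first and not the second. The users table, the test user, the hashing helper and the payload are assumptions constructed for the demonstration.

```python
"""Unit-phase security test for a login query (added example, not from
the article). Assumptions: a 'users' table with username and
password_hash columns, and a login routine that matches both. The test
user and the injection payload are constructed here."""
import hashlib
import sqlite3


def hash_password(password: str) -> str:
    # Plain SHA-256 stands in for a real password hash in this demo;
    # production code should use a slow, salted scheme such as bcrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with one constructed test user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hash_password("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The 'before' version: the SQL is built by string concatenation,
    so a crafted username rewrites the WHERE clause."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password_hash = '" + hash_password(password) + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: a parameterized query, so the username is data, never SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] > 0


# Classic authentication-bypass payload: closes the string literal, adds an
# always-true condition and comments out the password check.
SQLI_PAYLOAD = "' OR '1'='1' --"


def run_security_checks() -> dict:
    """What a unit-phase security test asserts on: the payload must not
    log in, and valid credentials must still work after the fix."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, SQLI_PAYLOAD, "wrong"),
        "hardened_bypassed": login_hardened(conn, SQLI_PAYLOAD, "wrong"),
        "hardened_valid": login_hardened(conn, "alice", "correct horse"),
        "hardened_wrong_password": login_hardened(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, result in run_security_checks().items():
        print(f"{name}: {result}")
```

The test belongs in the project's normal unit-test suite, so the regression is caught on every build rather than at a pre-production penetration test; the same shape (payload in, bypass expected to fail) applies to every other injection point the test plan lists.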
Application security
Application security is the use of software, hardware and procedural methods to protect applications from external threats.

Application Security Testing Objective
The major objectives of application security testing are to:
1. Identify and understand the existing vulnerabilities
2. Provide recommendations and corrective actions for improvement
3. Examine and analyze the safeguards of the system and its operational environment

How to Approach Application Security Testing:
There are many ways to perform application security testing, but a key approach is Web Application Penetration Testing (WAPT). WAPT is a legally authorized, non-functional assessment carried out to identify loopholes or weaknesses, otherwise known as vulnerabilities. These vulnerabilities, when exploited by a malicious user (attacker/hacker), may affect the confidentiality, integrity or availability of the web application and/or the information it distributes. Some of the vulnerabilities plaguing web applications are SQL Injection (Structured Query Language Injection), XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), Remote File Inclusion, etc. Apart from these, vulnerabilities may exist in the underlying infrastructure: the operating system, web server, application server, database server, etc. WAPT therefore aims at identifying and reporting the presence of these vulnerabilities, both in the application and in the infrastructure it runs on.

Benefits of WAPT:
1. Proactive protection of information assets against hacking and unauthorized intrusions
2. An insight into the current security posture of the given web application
3. A hacker's-eye view of the web application
4. Helps mitigate costs and improves goodwill and brand value

WAPT Methodology Overview:
WAPT is carried out in a phased manner to ensure optimum coverage while at the same time simulating the fluid actions of a real-world attacker. The following figure depicts the flow; the phases are described in turn on the next page.

"There are 10 types of people in this world: those who understand binary and those who don't." -- Anonymous
There are five phases to performing WAPT on the application under test.

Phase 1: Information Gathering
This is the most critical phase in the methodology, as all further phases depend on it. In this phase, information about the target web application is collected: details of all software, hardware, servers and end users, and the information the application itself provides.

Phase 2: Planning and Analysis
All the data gathered in the previous phase is converted into usable information in the form of a customized test plan. An important step in this phase is to prepare a checklist of the tasks, the areas (URLs) and the applicable vulnerabilities to cover.

Phase 3: Vulnerability Assessment
This phase can also be described as active information gathering. Various automated scans are run against the target application and its underlying infrastructure (servers and network) to list all the areas of the application that could be exploited by attackers or are vulnerable to malicious input. Vulnerability assessment tools such as Nessus and SARA can be used for this phase. Scanner output is a list of candidate findings: each one still has to be confirmed in the next phase, since scanners produce both false positives and false negatives.

Phase 4: Attack/Penetration
In this phase the actions of a web application attacker are emulated. Based on the information gathered and analyzed in the previous phases, and following the customized test plan, attacks are carried out to confirm the presence of vulnerabilities in the application. The techniques and tools used should be the same as those a real attacker would use, in order to gain a hacker's-eye view of the application. Many automated tools can be used for penetration testing; in most cases a single tool does not cover the entire requirement, so a combination of tools is needed for maximum coverage. WebScarab, Nmap, Burp Suite, IBM AppScan, Acunetix Vulnerability Scanner and HP WebInspect are a few of the tools available.

Phase 5: Reporting
At the end of the Attack/Penetration phase, a comprehensive report is prepared detailing each finding, assigning a suitable severity level to each, delineating the steps necessary to reproduce the vulnerability, and recommending how to address every vulnerability found during the assessment.

Top 10 list of web application security threats
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Most companies that perform security testing follow the OWASP model and its top threats to validate their applications. Based on ongoing trends and attacks on the web, OWASP prepares a Top 10 list of web application security threats, refreshed roughly every three years. In June 2013 the OWASP Foundation released the official updated Top 10 web vulnerabilities list for 2013 onwards. These ten threats should always be considered when performing security testing on any web application. For the current list, please refer to https://www.owasp.org/index.php/Top_10_2013-Top_10

"Everything is theoretically impossible, until it is done." -- Robert A. Heinlein
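The five phases above read as a checklist. The following added example (not code from the article, from Marlabs, or from any of the tools it names) shows phases 3 to 5 in miniature as an in-process scan of a constructed WSGI application: a test plan listing two URLs, a header check and reflected-XSS probes against each, and a severity-ordered report with a reproduction step per finding. The target application, its two URLs, the payloads, the header checklist and the severity scale are all assumptions made for the demonstration; a real engagement does the same over the network with tools such as Burp Suite or ZAP.

```python
"""In-process WAPT probe covering phases 3 to 5 (added example, not from
the article). The target application, the payloads, the header checklist
and the severity scale are all constructed for this demonstration."""
import html
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults


def target_app(environ, start_response):
    """Constructed target: /search reflects the 'q' parameter unescaped
    (a reflected XSS), /safe escapes it; neither sets hardening headers."""
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    path = environ.get("PATH_INFO", "/")
    if path == "/search":
        body = f"<p>Results for {q}</p>"
    elif path == "/safe":
        body = f"<p>Results for {html.escape(q)}</p>"
    else:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode()]


def get(app, path, params):
    """Send one GET request to a WSGI app without a network; returns
    (status, lower-cased header dict, body text)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = urlencode(params)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


# Phase 2 output: the test plan, i.e. the URLs and checks to cover.
TEST_PLAN_URLS = ["/search", "/safe"]
XSS_PAYLOADS = ["<script>alert(1)</script>", '"><img src=x onerror=alert(1)>']
REQUIRED_HEADERS = ["x-content-type-options", "x-frame-options",
                    "content-security-policy"]


def probe(app, urls):
    """Phases 3 and 4: scan each planned URL for missing hardening headers,
    then attempt reflected XSS with each payload. Returns raw findings."""
    findings = []
    for url in urls:
        status, headers, _ = get(app, url, {"q": "test"})
        for name in REQUIRED_HEADERS:
            if name not in headers:
                findings.append({"severity": "Low", "url": url,
                                 "issue": f"Missing {name} response header",
                                 "repro": f"GET {url}?q=test ({status})"})
        for payload in XSS_PAYLOADS:
            _, _, body = get(app, url, {"q": payload})
            if payload in body:  # echoed back verbatim: a browser would execute it
                findings.append({"severity": "High", "url": url,
                                 "issue": "Reflected cross-site scripting",
                                 "repro": f"GET {url}?{urlencode({'q': payload})}"})
                break  # one proof per URL is enough for the report
    return findings


def report(findings):
    """Phase 5: order findings by severity and give a reproduction step
    for each, as the reporting phase above requires."""
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return "\n".join(
        f"[{f['severity']}] {f['issue']} at {f['url']}  repro: {f['repro']}"
        for f in sorted(findings, key=lambda f: rank[f["severity"]])
    )


if __name__ == "__main__":
    print(report(probe(target_app, TEST_PLAN_URLS)))
```

The XSS check only reports a finding when the payload comes back byte-for-byte, which is the phase 4 confirmation step; the escaped `/safe` endpoint therefore produces no XSS finding even though it was probed with the same payloads.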
Webinars >>

Website Security Webinars & Presentations
A collection of presentations and webinars focused on web application security.
https://www.whitehatsec.com/resource/presentation.html

Testing Principles through Story Telling
Explains the principles of testing through stories.
http://www.techgig.com/webinars/Testing-Principles-through-Story-Telling-460

Testing @ Cross Roads
The evolution of testing through the evolution of disruptive and emerging technologies.
http://www.techgig.com/webinars/Testing-Cross-Roads-457

Cloud Security for e-commerce & banking
Ways to implement security in a cloud environment.
http://www.techgig.com/expert-speak/IT-Security-Series-Session-6-Cloud-Security-for-e-commerce-banking-348

A Web Security Testing Program With OWASP ZAP and ThreadFix
Webinar recording on running a web security testing program with OWASP ZAP and ThreadFix.
http://blog.denimgroup.com/denim_group/2013/04/webinar-recording-online-running-a-web-security-testing-program-with-owasp-zap-and-threadfix.html

eBooks, Whitepapers & Columns >>

Automated Security Testing of web applications using OWASP Zed Attack Proxy
Describes the security testing tool ZAP.
https://blog.codecentric.de/en/2013/10/automated-security-testing-web-applications-using-owasp-zed-attack-proxy/

SANS Mobile Application Security Whitepaper
Discusses the current state of organizational awareness of mobile application risk and how enterprises are mitigating it.
https://info.veracode.com/whitepaper-sans-mobile-application-security.html

A Strategic Approach to Web Application Security
This white paper breaks down the total cost factors of web application security into the specific risk categories associated with successful attacks.
https://www.whitehatsec.com/resource/whitepapers.html

SQL Injection Cheat Sheet
Find out how attackers exploit SQL flaws and how to fix and prevent SQL injection vulnerabilities.
https://info.veracode.com/sql-injection-cheat-sheet.html

ThreadFix Open Source Software Vulnerability Management Tool
Describes the vulnerability management tool ThreadFix.
http://www.denimgroup.com/resources-threadfix/

Cyber-Security Risks in Public Companies
A study of software-related cyber-security risks in public companies.
https://info.veracode.com/state-of-software-security-volume-4-supplement.html
Rajesh Sundararajan
Sriharsha Kumar B R
Murali Dubutavalu
Varaprasadarao Yarra