Security is a component of quality, so QA should perform security testing, says Michael Gavin with Galen Schreck and Thomas Powell
Attackers rely on automated testing tools and technical expertise
Applications are business enablers, allowing people and programs to access the data and information they need to perform their work. Because that information is often the target of an attacker, applications must be designed and implemented based on security requirements as much as they are based on functionality, performance, usability and quality requirements.
Unfortunately, many of the applications deployed today were created without security requirements, or with security requirements based on assumptions that are no longer valid. To protect an environment running such software, an organisation needs mechanisms that find security issues in its deployed applications and prevent those issues from being exploited. There are two categories of automated means of securing applications, described below. Although the existing tools in both categories are promising, they are not sufficient without significant operator expertise.
* Security testing and assessment tools can help find security issues. Application scanning tools can find many problems and are a good first step in solving security issues. Attackers tend to use proxy tools and automated penetration-testing tools; if an organisation’s data is at risk of being attacked, it should use these tools as well.
* Application layer firewalls can prevent exploitation of software security oversights. Application firewalls are complementary to testing tools, and are especially needed because your applications rely on software that you didn’t write, such as Web servers, database servers, and operating system libraries. However, it is better to find and eliminate the vulnerabilities you can than it is to rely on additional security tools to prevent them from being exploited.
Train or hire your own trusted experts to attack your applications
To beat attackers to the punch, organisations need to use the same tools that attackers use and acquire the same expertise that attackers have.
* Bring in hired guns for sensitive applications. You should hire experts to test the applications that provide access to your high-value assets; fortunately, such expertise is available. Companies that specialise in application security testing include Security Innovation and WhiteHat Security. Other firms you should consider engaging include FishNet Security, Neohapsis, Solutionary, @stake (acquired by Symantec), Foundstone (acquired by McAfee), and any of the big four consulting firms (Deloitte, KPMG, Ernst & Young, and PricewaterhouseCoopers).
* Teach QA staff to think like attackers, and provide the tools to carry out those attacks. Outsourcing the testing of all your applications is likely to be a very costly proposition. The better option is to outsource only the testing of critical applications, and simultaneously bring the required expertise in-house to test the remaining applications. Although security issues should be addressed throughout the application development lifecycle, you need to start in one place. It makes the most sense initially to bring this expertise into your QA organisation.
Once trained and experienced at testing an organisation’s apps, QA testers can evaluate and determine the best testing tools to use in that environment. Application scanning tools include Application Security’s AppDetective, Cenzic’s Hailstorm, the open source Nikto project, SPI Dynamics’ WebInspect, and Watchfire’s AppScan. Proxy security testing tools include Immunity’s SPIKE Proxy, Maven Security Consulting’s Achilles, and the open source Paros Proxy. Automated penetration testing tools include Core Security Technology’s CORE IMPACT, Immunity’s CANVAS, and the open source Metasploit project. Additional advanced testing tools for researchers, hackers and experienced security testers include reverse engineering tools such as decompilers, disassemblers, debuggers and hex editors.
Awareness of software security issues gained some traction in 2005, and the new wisdom is for enterprises to test applications for security in addition to functionality, performance and usability prior to deployment. If you have never addressed the security of your applications, the best place to start is where the attacker will: by probing and testing applications for security problems.
There are three main classes of software security testing tools: application scanning tools, proxy-based tools, and automated penetration-testing tools. Unfortunately, these tools are difficult to compare in a meaningful way, and their use requires expertise in security, testing, and the technologies used by the application. Enterprises will therefore need to either outsource this testing or train quality assurance staff to be security testers. Testing application security will allow organisations to fix or minimise problems before attackers can find and exploit them.
What it means: bring your adversary’s expertise in-house
* Fancy tools aren’t enough. Automated testing tools can’t replace smart QA people. Just as attackers use tools and their own expertise, you need to combine tools and expertise to fight them.
* The playing field can be levelled. Attackers have had an advantage because they only have to find one exploitable vulnerability to win. You can use their tools and techniques to find those vulnerabilities first. The attacker’s job is now more difficult because he lacks knowledge of your internal systems, and upon finding a weakness might still need to create an exploit for it. By learning his tricks and acquiring and using the same tools before deploying new applications, you can beat the attacker at his own game.
1 Application firewalls are difficult to compare in a meaningful way. The Web Application Security Consortium published its Web Application Firewall Evaluation Criteria, but it really is a first-draft document that needs much more work before it will be truly useful. Source: Web Application Firewall Evaluation Criteria, Web Application Security Consortium, January 14, 2006. Forrester has recently published research on the state of application firewalls in enterprises; see the January 3, 2006 Tech Choices report, “Application Firewalls—Are They Worth the Investment?”
2 Sources of information for gaining the required expertise include James Whittaker and Herbert Thompson, How to Break Software Security, Addison Wesley, 2004; Greg Hoglund and Gary McGraw, Exploiting Software: How to Break Code, Addison Wesley Professional, 2004; and Arian Evans, Tools of the Trade: AppSec Assessment Tools, The OWASP Foundation, April 2005.