Difference between revisions of "Bxp Security and Testing"

From All n One's bxp software Wixi


Revision as of 14:50, 11 November 2014

1 Introduction

Security and security testing are a complex and interconnected area that is constantly changing.


As part of the development and operation of bxp software (bxp), our platform is continually tested and reviewed. We group these concepts here to help our clients follow how our rigorous security and development approach is managed.


2 Concepts

2.1 Website archetype

A website will have a prime archetype:

  • Software as a Service solution
  • Reference Information Site
  • Shop Site
  • Game Site
  • Interactive Tool facilitating one / all of the previous activities


2.2 Software Testing

In software testing there are a number of types of test and this list is ever increasing:

  • Module testing
  • Integration testing
    • Top-Down Integration testing
    • Bottom-Up Integration testing
  • Systems testing
    • Recovery testing
    • Security testing
    • Stress testing
  • Acceptance testing
    • Alpha testing
    • Beta testing
    • Release testing


3 Testing Approaches

The archetype will influence the approach and content of the various tests.


bxp is tested under all of the headings above; the testing also includes industry compliance and standards checks so that the platform continually improves.


A further challenge with web-based solutions is that they are constantly changing: on the web, new ways of defeating security are found hourly! We therefore keep ourselves up to date by being active members of security communities, data protection circles and other communities.


4 Drill down on Security Testing

The testing below includes one-off and ongoing testing. Security testing of bxp is managed internally in All n One by the Security Department. Security management of client systems falls under the remit of the System Champion, nominated by the client at the start of the contract.


  • Server/application fingerprint through specially crafted requests;
  • Spidering;
  • Search engines advanced features (aka Google Dorking);
  • Analysis of error messages;
  • File extension handling;
  • SSL fingerprinting.


4.1 Business Logic Testing

Tests the application logic to ensure that it does not contain vulnerabilities that an attacker might exploit to gain an advantage. This includes Web Services and AJAX testing, which are customised to client requirements.


4.2 Authentication Testing

Analyses the authentication process in detail and checks whether it is possible for an attacker to circumvent it. Techniques used include:

  • Default/guessable passwords;
  • Brute forcing;
  • Authentication bypass;
  • Directory traversal;
  • Exploitation of 'remember password' features;
  • Reviewing Session Management (login/logout);
  • Management of Browser cache.


4.3 Session Management Testing

Assess the robustness of the session management against a broad spectrum of attacks including:

  • Analysis of the Session Management Implementation;
  • Cookie and Session Token Manipulation;
  • Exposed Session Variables;
  • Cross-site Request Forgery Attacks;
  • HTTP-based attacks (e.g.: HTTP Splitting).
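The three checks below are an added example of how the first three items in this list (implementation analysis, cookie attributes, exposed session variables) can be turned into automated tests; the code is not part of bxp or of All n One's test suite. The cookie name `sessionid`, the server secret and the sample responses are constructed for the example, and the CSRF token scheme (an HMAC of the session id under a server-side secret, compared in constant time) is one common design, not a description of bxp's.

```python
"""Session-management checks (added example, not bxp code).

1. audit_set_cookie      - flags a session cookie that lacks Secure,
                            HttpOnly or SameSite, or sets SameSite=None.
2. session_id_exposed_in_url - flags a session id carried in a query string,
                            where it leaks via logs, Referer and history.
3. make/verify_csrf_token - an anti-CSRF token bound to the session id
                            and checked with a constant-time comparison.
All inputs used in the usage section are constructed sample data.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def audit_set_cookie(set_cookie_header: str) -> list:
    """Return a list of findings (strings) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie_header.split(";") if p.strip()]
    name_value, attrs = parts[0], parts[1:]
    cookie_name = name_value.split("=", 1)[0]
    present = {a.split("=", 1)[0].lower(): a for a in attrs}
    findings = []
    for attr in REQUIRED_ATTRS:
        if attr not in present:
            findings.append(f"{cookie_name}: missing {attr}")
    if "samesite" in present:
        _, _, value = present["samesite"].partition("=")
        if value.strip().lower() == "none":
            findings.append(f"{cookie_name}: SameSite=None permits cross-site sending")
    return findings


def session_id_exposed_in_url(url: str, cookie_name: str = "sessionid") -> bool:
    """True when the session identifier is passed as a query parameter."""
    query = parse_qs(urlsplit(url).query)
    return cookie_name in query


def make_csrf_token(server_secret: bytes, session_id: str) -> str:
    """Token = HMAC-SHA256(secret, session id); no per-token server storage needed."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(server_secret: bytes, session_id: str, submitted: str) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    expected = make_csrf_token(server_secret, session_id)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed sample responses: a weak cookie and a hardened one.
    print(audit_set_cookie("sessionid=abc123; Path=/"))
    print(audit_set_cookie("sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"))
    print(session_id_exposed_in_url("https://app.example.test/report?sessionid=abc123"))
    secret = b"constructed-server-secret"  # assumption: held server-side only
    token = make_csrf_token(secret, "abc123")
    print(verify_csrf_token(secret, "abc123", token), verify_csrf_token(secret, "abc123", token[:-1] + "0"))
```

Run over real responses, the first two checks would take the `Set-Cookie` header and the redirect/link URLs captured by a proxy; a finding from either is a concrete, repeatable audit result rather than an opinion about the implementation.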


4.4 Input Validation Testing

Checks whether it is possible to inject unexpected and dangerous data into the site, including by:

  • Cross-site Scripting;
  • Cross-site Tracing;
  • SQL Injection;
  • LDAP/ORM/XML/SSI/XPath Injection;
  • OS Command Injection;
  • Buffer Overflow.
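To make the SQL Injection and Cross-site Scripting items concrete, here is an added example (not bxp code) that places a vulnerable lookup beside its parameterised form and an unescaped template beside its escaped form, and adds the allow-list validation an input-validation test expects to find. The in-memory SQLite table, the user rows and the two malicious inputs are constructed for the example.

```python
"""Input-validation checks (added example, not bxp code).

Vulnerable and hardened versions side by side, so the same constructed
input can be shown to succeed against one and fail against the other.
"""
import html
import re
import sqlite3

# Constructed sample data.
INJECTION_INPUT = "' OR '1'='1"
XSS_INPUT = "<script>alert(1)</script>"
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the input is only ever a value, never SQL text."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def is_valid_username(username: str) -> bool:
    """Allow-list validation: reject anything outside the expected alphabet."""
    return USERNAME_RE.match(username) is not None


def render_greeting_vulnerable(name: str) -> str:
    """Untrusted text placed straight into HTML."""
    return f"<p>Hello {name}</p>"


def render_greeting_escaped(name: str) -> str:
    """Output encoding: markup characters become entities, so no script runs."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    conn = build_db()
    print(lookup_vulnerable(conn, INJECTION_INPUT))      # both users returned
    print(lookup_parameterised(conn, INJECTION_INPUT))   # no match
    print(is_valid_username(INJECTION_INPUT))            # rejected at the boundary
    print(render_greeting_vulnerable(XSS_INPUT))
    print(render_greeting_escaped(XSS_INPUT))
```

The two defences are complementary: the allow-list stops malformed input at the boundary, while parameterisation and output encoding protect the interpreter even when a field legitimately has to accept quotes or angle brackets.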


4.5 Denial of Service

  • Packet flooding at the application level;
  • Locking user accounts;
  • Filling up disk space;
  • Exploiting faulty object allocation.


5 Security Audits of bxp software

Objectiveness is the single most important part of an audit. If All n One retain a company to audit us, the objectivity can always be questioned, therefore it is our clients who must retain an auditor.


All n One's testing is security audit driven as we have found this provides more objective measurable goals.