1 Introduction

Security and security testing is a complex and interconnected area that is constantly changing.

As part of the development and operation of bxp software (bxp) our platform is continually tested and reviewed. We group these concepts up to help our clients follow how our rigorous security and development approach is managed.

2 Concepts

2.1 Website archetype

A website will have a prime archetype:

• Software as a Service solution
• Reference Information Site
• Shop Site
• Game Site
• Interactive Tool facilitating one / all of the previous activities

You then design your testing around that type.

2.2 Software Testing

In software testing there are a number of types of test and this list is ever increasing:

• Module testing

• Integration testing
  • Top-Down Integration testing
  • Bottom-Up Integration testing

• Systems testing
  • Recovery testing
  • Security testing
  • Stress testing

• Acceptance testing
  • Alpha testing
  • Beta testing
  • Release testing

2.3 Testing Approaches

The archetype will influence the approach and content of the various tests.

bxp is tested under all of the headings above and includes industry compliance and standards checks to constantly improve.

The next challenge about web based solutions is that they are constantly changing. On the web new ways of defeating security are found hourly! So we attempt to be constantly kept up to date by being active members of security communities, data protection circles and other communities.

3 Drill down on Security Testing

3.1 Overview

Security testing of bxp is managed internally in All n One by the Security Department.

Client systems security management falls under the remit of the System Champion, nominated by the client at the start of the contract.

There are many industry titles given to the types of testing performed:

• Server/application fingerprint through specially crafted requests;
• Spidering;
• Search engines advanced features (aka Google Dorking);
• Analysis of error messages;
• File extension handling;
• SSL fingerprinting.

To make security clearer we perform testing under the following major headings

3.2 Business Logic Testing

Tests the application logic, in order to ensure that it does not contains vulnerabilities that might be exploited by an attacker to gain an advantage. This includes Web Services & AJAX Testing which are customised to client requirement.

3.3 Authentication Testing

Analyse the authentication process in detail and will check whether it is possible for an attacker to circumvent it. Techniques used included:

• default/guessable passwords
• Brute forcing
• Authentication bypass
• Directory traversal
• Exploitation of 'remember password' features
• Reviewing Session Management (login/logout)
• Management of Browser cache

3.4 Session Management Testing

Assess the robustness of the session management against a broad spectrum of attacks including :

• Analysis of the Session Management Implementation;
• Cookie and Session Token Manipulation;
• Exposed Session Variables;
• Cross-site Request Forgery Attacks;
• HTTP-based attacks (e.g.: HTTP Splitting).

3.5 Input Validation Testing

Checking whether it is possible to inject unexpected and dangerous data on to the site including by:

• Cross-site Scripting;
• Cross-site Tracing;
• SQL Injection;
• LDAP/ORM/XML/SSI/Xpath Injection;
• OS Command Injection;
• Buffer Overflow.

3.6 Denial of Service

• Packet flooding at the application level
• Locking user accounts,
• Filling up disk space,
• Exploiting faulty object allocation.

3.7 Secure File Uploads

bxp software offers a service for it's clients to upload their own files and documents to contact history or the e-course module. In order to provide this as a secure service any file uploaded to bxp will have to pass through an AVG file server edition virus scan.

This has been tested by using a virus test file (eicar - test virus file. http://www.eicar.org/86-0-Intended-use.html)

4 Toolset

In order to perform these tests, specialised tools are required. There are many choices in this area and many different providers who can supply solutions.

If a collective term for breaking into a system is Penetration Testing (pentest) as defined in http://en.wikipedia.org/wiki/Penetration_test then a combination of tools is required.

There are independent testing / solution providers:

• Qualys : Qualys Express Lite, Express, Enterprise ; https://www.qualys.com/
• Tenable : Nessus ; http://www.tenable.com/
• Rapid7 : Nexpose ; http://www.rapid7.com/products/nexpose/
• Tripwire : Tripwire ; http://www.tripwire.com/

Tools themselves include

• Qualys : https://www.qualys.com/qualysguard-subscription-plans/
• Nexpose : http://www.rapid7.com/products/nexpose/
• Metaspoilt : http://www.rapid7.com/products/metasploit/
• Wireshark : https://www.wireshark.org/
• Meterpreter: http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics
• Burp : http://portswigger.net/burp/
• OpenVAS : http://www.openvas.org/

Getting the tools can be most usefully obtained through testing suites

• Kali : https://www.kali.org/
• Qualys : https://www.qualys.com/

Each of these tools and tool sets operate under a number of general headings.

• Exploitation Tools
• Forensics Tools
• Hardware Hacking
• Information Gathering
• Maintaining Access
• Password Attacks
• Reporting Tools
• Reverse Engineering
• Sniffing & Spoofing
• Stress Testing
• Vulnerability Analysis
• Web Applications
• Wireless Attacks

All n One use the Kali Toolset as the basis for all security testing http://tools.kali.org/tools-listing The Kali toolset provides a number of tools under each of the headings above.

Infosys.com provide a useful commentary on SaaS testing. http://www.infosys.com/IT-services/independent-validation-testing-services/white-papers/Documents/saas-testing.pdf

Their three primary grouping areas for testing are

• Application
• Network
• Infrastructure

With these headings in mind, we can roughly group the testing

• General
  • Information Gathering
  • Reporting Tools

• Application
  • Password Attacks
  • Maintaining Access
  • Reverse Engineering
  • Stress Testing
  • Vulnerability Analysis
  • Web Applications

• Network
  • Password Attacks
  • Maintaining Access
  • Sniffing & Spoofing
  • Stress Testing
  • Vulnerability Analysis

• Infrastructure
  • Password Attacks
  • Exploitation Tools
  • Forensics Tools
  • Hardware Hacking
  • Maintaining Access
  • Stress Testing
  • Vulnerability Analysis
  • Wireless Attacks

Combined with these we must include processes and procedures for how security testing is also addressed. For this reason the ENISA framework is also used as a benchmark for ensuring general operational processes and procedures are in place to cover security.

The output of these tests are performed on a four weekly iterative cycle and prepared as an internal report.

For tracking and addressing of identified security issues, these are managed through the Contact, Content, Frameworks, Infrastructure and Security departments work queue ticketing system which All n One employ.

5 Security Audits of bxp software

Objectiveness is the single most important part of an audit. If All n One retain a company to audit us, the objectivity can always be questioned, therefore it is our clients who must retain an auditor.

All n One's testing is security audit driven as we have found this provides more objective measurable goals.