Significance of Security Testing

Table of Contents

1

1

2

3

4

 

1. Abstract

Software security testing is an essential means which helps to assure that the software is trustworthy and secure. It is an idea which has been brought from engineering software to check whether it keeps on working properly under malicious outbreaks. Software security testing process is lengthy, complex and costly. It is because several types of bugs are escaped in testing on a routine basis. The application might perform some additional, unspecified task in the process while effectively behaving as indicated by the requirements. Thus, to build secure software as well as meet budget and time constraints it is essential to emphasis testing effort in areas that have a larger number of security vulnerabilities. Therefore, vulnerabilities are classified and various taxonomies have been created by computer security researchers. Along with the taxonomies, there are also various methods and techniques which helps to test the commonly appearing test issues in software. These techniques generally include generic tools, fuzzing, checklists of unpredictable depth and quality, vulnerability scanners, hacking or hiring hackers etc.

This study focuses on the introduction, importance, vulnerabilities, approaches and methods of security testing. Articles related to these components were chosen. They were then evaluated on the basis of security testing approaches.

Furthermore, the study explores the flaws and vulnerabilities of security testing and figures out the importance of security testing. Moreover, the research also highlights various methods and techniques of security testing. In the end, compiling all the articles research questions like what is the importance of security testing and what are the approaches to security testing are answered.

2. Introduction

Security is one of the many aspects of software quality. Software turns out to be more complicated, with the wide utilization of computer which likewise increase software security problems. Software security is the ability of software to provide required function when it is attacked as defined by the authors (Tian-yang, Yin-sheng & You-yuan, 2010). There are few common types of security testing such as vulnerability assessments, penetration tests, runtime testing and code review. New vulnerabilities are being discovered with the coming of internet age. They are existing because of many reasons: poor development practices, ignoring security policies during design, incorrect configurations, improper initialization, inadequate testing due to deadlines imposed by financial and marketing needs etc. (Preuveneers, Berbers & Bhatti, 2008).

The significance of security in the life cycle from network security, to system security and application security is currently recognized by the companies and organizations asa coordinated end-to-end procedure stated by (Felderer, Büchler, Johns, Brucker, Breu & Pretschner, 2016). Therefore, in systems to discover which types of vulnerabilities are dominant, security vulnerabilities are categorized so as to focus the type of testing that would be needed to find them. On the basis of these classifications, various taxonomies are developed by computer security researchers. According to the author (AL-Ghamdi, 2013), at the requirements level security should be explicit and must cover both overt functional security and emergent individualities. One great approach to cover that is using abuse cases which portrays the system’s behaviors under attack.

Two strategies that must be incorporated by security testing are : testing security functionality using standard functional testing techniques and risk based security testing based on attack patterns and threat models. There are normally two categories of vulnerabilities: bugs at the execution level and flaws at the design level (Tondel, Jaatun & Meland, 2008).

The research done in this article evaluates the security testing approaches and the methods in order to detect the flaws and vulnerabilities of security in the software. All this approaches and methods of security testing will help to make the software more secure, flawless and bug-free. Thus, the goal of this study is to find out the significance of security testing in today’s fastest growing internet age and to introduce developers with an esteemed importance of system’s security.

The literature review is divided into 4 sections. The first section gives the overview of security testing. The next sections answer the research questions like what is the importance of security testing and what are the various approaches to security testing.

3. Literature Review

1. Importance of Security Testing

In contrast with simple software testing process, providing security to a system is exceptionally unpredictable. This is because simple software testing only shows the presence of errors but fails to show the absence of certain types of errors which is ultimately achieved by security testing. As per the author (Khatri, 2014), there are two essential things which should be checked by the system: First, validity of implemented security measures. Second, system’s behavior when it is attacked by attackers. The loopholes or vulnerabilities in system may cause failure of security functions of system eventually leading to great losses to organization. So, it is extremely fundamental to incorporate testing approaches for data protection.

1. Security Vulnerabilities

There are certain types of errors which are termed as security vulnerabilities, flaws or exploits. The authors (Tian-yang, Yin-sheng & You-yuan, 2010) states that there are certain flaws present in system design, implementation, operation, management which are referred as vulnerabilities. As per (Türpe, 2008), in order to target testing it is important to understand the roots of vulnerabilities and these vulnerabilities vary from system to system.

These exploits are broadly categorized on their similarities by (Preuveneers, Berbers & Bhatti, 2008) as follows:

• Environment variables: Information that does not change across executions of a program is encapsulated by such variables.
• Buffer Overflows: A memory stack is overflowed which leads the program to execute the data after the last address in the stack, generally an attacker gets the full control of the system when an executable program builds a root or command line shell.
• Operational Misuse: Operating a system in a non-secure mode.
• Data as Instructions or Script Injections: due to improper input checking, scripting languages include information with executable code which is then executed by the system.
• Default Settings: If default software settings require user intervention to secure them they may encounter a risk.
• Programmer Backdoors: The developers of the software leave the unauthorized access paths for easy access.
• Numeric Overflows:Giving a lesser or greater value than estimated.
• Race Conditions:Sending a string of data before another is executed.
• Network Exposures: It is assumed that when messages are sent to a server adequately, clients will check that.
• Information Exposure: Sensitive information is exposed to unauthorized users which can be used to compromise data or systems.

2. Possible Attacks

According to the authors (Preuveneers, Berbers & Bhatti, 2008), (Felderer, Büchler, Johns, Brucker, Breu & Pretschner, 2016) and (AL-Ghamdi, 2013), secure software should achieve security requirements such as reliability, resiliency, and recoverability. Then they describe various possible attacks such as:

• Information Disclosure Attacks: To disclose sensitive or useful data, applications can often be forced. Attacks in this class include directory indexing attacks, path traversal attacks and determination of whether the application resources are allocated from a conventional and accessible location.
• System Dependency Attacks: By observing the environment of use of the targeted application, vital system resources can be recognized. Attacks of this type include LDAP injection, OS commanding, SQL injection, SSI injection, format strings, large strings, command injection, escape characters, and special/problematic character sets.
• Authentication/Authorization Attacks: These attacks includes both dictionary attacks and common account/password strings and credentials, exploiting key materials in memory and at component boundaries , insufficient and poorly implemented protection and recovery of passwords.
• Logic/Implementation (business model) Attacks: For an attacker, the hardest attacks to apply are often the most gainful. These include checking for faulty process validation, broadcast temporary files for sensitive information, attempts to mall-treatment internal functionality to uncover secrets and cause insecure behavior and testing the application’s ability to be remote-controlled.

2. Approaches to Security Testing

According to the author (Khatri, 2014), approach to security testing involves determining who should do it and what activities they should undertake.

Who: This is because there are two approaches which security testing implicates 1) Functional security testing and 2) Risk-based security testing. Risk-based security testing gets challenging for traditional staff to perform because it is more for expertise and experience people.

How: There are several testing methods however the issue with each method is the lack of it – because most of organizations devote very little time in understanding the non-functional security risks instead it concentrates on features.

The two approaches functional and risk-based are defined by the authors (Tøndel, Jaatun & Jensen, 2008) as follows:

Functional security testing: On the basis of requirements, this technique will determine whether security mechanisms, such as cryptography settings and access control are executed and configured or not.

Adversarial security testing: This technique is based on risk-based security testing and determines whether the software contains vulnerabilities by pretending an attacker’s approach.

1. Methods and Techniques of Security Testing by (Tian-yang, Yin-sheng & You-yuan, 2010), (AL-Ghamdi, 2013) and (Felderer, Büchler, Johns, Brucker, Breu & Pretschner, 2016).

• Formal security testing

To build a mathematical model of the software and to provide software form specification supported by some formal specification language is the basic idea of formal method.

• Model-based security testing

A model by the behavior and structure of software is constructed by  model-based testing and then from this test model, test cases are derived.

• Fault injection based security testing

This testing emphasizes on the interaction points of application and environment, including user input, file system, network interface, and environment variable.

• Fuzzy testing

To discover security vulnerability which gets more and more attention, fuzzy testing is effective. To test program, it would inject random data and evaluate whether it can run normally under the clutter input.

• Vulnerability scanning testing

To find software security risks, vulnerability testing is used which includes testing space scanning and known defects scanning.

• Property based testing

By using program slicing technology, this method will extract the code relative to specific property and find infringement of the code against security property specification.

• White box-based security testing

One of common white-box based testing method is static analysis which is great at finding security bug, such as buffer overflow. It includes main features like deducing, data flow analysis and constraint analysis.

• Risk-based security testing

To find high-risk security vulnerabilities as early as possible, risk-based security testing combines the risk analysis, security testing with software development lifecycle.

4. Discussion

There are some type of security vulnerabilities which are more serious or are more common than others, therefore classification and rankings of vulnerabilities can be utilized to focus testing. Today, attacks such as Cross-Site Scripting and SQL injection are very common and new vulnerabilities are still being discovered. Basically, security testing can be divided into security vulnerability testing and security functional testing. To ensure whether software security functions are implemented correctly and consistent with security requirements, security functional testing is used. Whereas to discover security vulnerabilities as an attacker, security vulnerability testing is used. Risk-based security testing is useful when a complex system requires numerous tests for adequate coverage in limited time.

5. Recommendation

To build a secure system, security testing is used however it has been overlooked for a long time. Protection and security have been given prime significance in today’s world, therefore in programming applications, it is highly recommended to look forward for information and operation’s security which demands critical consideration but it is rather ignored. There is still nothing like 100% security. The old way of doing things and traditional methods must change and new methods should be applied in practice if one wants to ship secure code with confidence.

6. Conclusion

The literature review was done taking 8 articles addressing the topic “Significance of Security Testing”. This report analyses the definition, classification, importance and approaches to software security testing. Classification of vulnerabilities and flaws were identified and what could be the reason behind occurrence of these vulnerabilities were discussed. The study also highlighted the various approaches like the functional and risk-based security testing and various methods in detail to tackle the flaws and errors detected in the system. These methods and techniques helps the system in various aspects like to advance the capability to produce protected and safe software, more cost-effective management of vulnerabilities and measure progress. Though, these approaches and classification makes software secure to a major extent but still security testing has a long way to go.

7. References

• AL-Ghamdi, A. S. A. M. (2013, April).  A Survey on Software Security Testing Techniques.
• Felderer, M., Büchler, M., Johns, M., Brucker, A. D., Breu, R., & Pretschner, A. (2016). Chapter One-Security Testing: A Survey. Advances in Computers, 101, 1-51.
• Khatri, M. (2014). Motivation For Security Testing. Journal of Global Research in Computer Science, 5(6), 26-32.
• Preuveneers, D., Berbers, Y., & Bhatti, G. (2008, December). Best practices for software security: An overview. In Multitopic Conference, 2008. INMIC 2008. IEEE International (pp. 169-173). IEEE.
• Tian-yang, G., Yin-Sheng, S., & You-yuan, F. (2010). Research on software security testing. World Academy of science, engineering and Technology, 70, 647-651.
• Tøndel, I. A., Jaatun, M. G., & Jensen, J. (2008, April). Learning from software security testing. In Software Testing Verification and Validation Workshop, 2008. ICSTW’08. IEEE International Conference on (pp. 286-294). IEEE.
• Tondel, I. A., Jaatun, M. G., & Meland, P. H. (2008). Security requirements for the rest of us: A survey. IEEE software, 25(1).
• Türpe, S. (2008, April). Security testing: Turning practice into theory. In Software Testing Verification and Validation Workshop, 2008. ICSTW’08. IEEE International Conference on (pp. 294-302). IEEE.

8. Appendix A

Articles	Concepts
	Requirements for Security Testing	Vulnerabilities (Exploits, bugs, flaws)	Possible Attacks on Software	Approaches		Techniques or Methods
				Functional	Risk-based
Best Practices for Software Security: An Overview (Preuveneers, Berbers & Bhatti, 2008)				
 Motivation For Security Testing (Khatri, 2014)			
Security Testing: A Survey (Felderer, Büchler, Johns, Brucker, Breu & Pretschner, 2016)			
A Survey on Software Security Testing Techniques (AL-Ghamdi, 2013)				
Security Requirements for the Rest of Us: A Survey (Tondel, Jaatun & Meland, 2008)		
Research on software security testing (Tian-yang, Yin-Sheng & You-yuan, 2010)		
Learning from software security testing (Tøndel, Jaatun & Jensen, 2008)		
Security testing: Turning practice into theory (Türpe, 2008)		

Figure 1: Concept Matrix of the study of Significance of Security Testing