Testing Electronic Data Interchange (EDI) software

Home Forums Software Testing Discussions Testing Electronic Data Interchange (EDI) software

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #15762
    Konstantin
    Participant
    @konsty

    Hello folks,

    I am new here and a total newbie at security testing. 🙂 Currently, I do an internship in a company that offers an EDI software. My task is to evaluate some Application Security frameworks and run the EDI software on it. Lately, I did some researches to understand the techniques like SAST, DAST and IAST but still, I think there are difficulties to test an EDI Software with it, or maybe not? Like I said, totally new in this scene.

    I thought you guys could help me to go into the right direction with my researches. Is it possible to test an EDI software with those frameworks and actually see vulnerabilities? Are there any hacking approaches known to how an EDI software can actually be hacked?

    Please forgive my bad English.

    Konstantin

    #15856
    Ronan Healy
    Keymaster
    @ronan

    Good question. I am not too sure about that one but @declan-oriordan and @danielbilling might be able to answer that one for you.

    #15915
    Kasper
    Participant
    @kasper

    Since the resident experts stay quiet I will try my best to answer, but the question is stated in very broad terms and so the answer will also be very generic. Sorry about that, but for more specific answers I will need more specific questions.

    SAST, DAST, IAST and RASP can all be used against EDI software, given enough access to the source code. DAST can be done in a complete black box scenario, but the other techniques all need at least some access to the source code.

    EDI software is not more or less difficult to test than any other software. But EDI relies extensively on the correct delivery of documents.
    This means that any hole in a transport mechanism, translator, or any other element that influences your data flow is immediately critical.
    This is what makes security testing for EDI difficult. You need to have an incredible amount of domain, tool and general technical knowledge to pull this off.
    There have been successful attacks against EDI software. Of course social engineering ranks high, but also attacks against the underlying technology and transport layers can and will be performed.

    I hope this helps a little and may be one of the resident guru’s can chime in?

    Kasper
    (CEH, ECSA, LPT)

    #15923
    Konstantin
    Participant
    @konsty

    Hello 🙂

    thank you, Ronan, for responding here 🙂 and thank you, Kasper, for your detailed answer even when my question was not clearly. It helps me a lot to understand the situation.

    Well, the internship takes only  6 moths so there is no time for me to get an incredible amount of knowledge. 🙁 I assumed to concentrate on the OWASP Top 10. More experienced Security guy is needed for any deeper analysis

    Lately, I did some Tests with OWASP ZED. It was not really satisfying or maybe it was 😛 it hasn’t found any critical vulnerability. I think the most of the system was out of scope! I also used Netsparker which has found critical vulnerabilities but since it was a trial version it hasn’t shown much about it. The next step is AppScan Standard, Contrast Security and Synopsys Seeker since those are good IAST frameworks I want to concentrate on them and because Company’s requirements are IAST approaches.

    The EDI Application uses instances like Karaf, Cassandra, and MySQL and it has a Web interface trough which you can model Electronic processes on the fly.(simplest explanation. I don’t know how deep I can go on this here).

    sincerely yours

    Konstantin

    #15925
    Konstantin
    Participant
    @konsty

    sorry could not find the edit button

    I forget to mention the EDI software, in this case, is a business integration cluster.

Viewing 5 posts - 1 through 5 (of 5 total)
  • You must be logged in to reply to this topic.