Steps for including Security Tests in your Software Life Cycle

So here are 6 steps that can help you include security tests in your software life cycle. Each step lists its ‘Purpose’, the ‘Methodology’ and the ‘Tools’ needed to achieve it.

Step 1: Information Gathering/Mapping the Application

Purpose:

-Get a thorough view of the target
-Identify common misconfigurations

Methodology:

-Passive spidering: explore the visible content using a security proxy tool
-Map the application using multiple users (privileged, non-privileged) if applicable
-Check against public resources, e.g. Google

Tools:

-Burp Proxy or ZAP Proxy

Step 2: Target Analysis/Identify hints for attack vectors/accidental leakage

Purpose:

-Figure out what you’re up against
-Look for anything that unintentionally gives away information about the target (accidental leakage)
-Look for content that should not be accessible

Methodology:

-Identify the technologies used
-Identify the functionality
-Determine how the core functionality works, the URL style, etc.
-Review robots.txt
-Identify redirects
-Identify error handling that leaks information
-Review the use of cookies
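A scripted version of the Step 2 review, added here as an example and not taken from the original post: it parses constructed HTTP responses (not captured from any real system) and flags the hints the methodology lists: technology-revealing headers, cookies without Secure/HttpOnly/SameSite, a redirect to a cleartext URL, a stack trace in an error page, and the Disallow entries of a robots.txt that should be put on the list for Step 6. The header names, version pattern and stack-trace markers are assumptions.

```python
"""Added example (not from the original post): scripted Step 2 checks over
constructed HTTP responses and a constructed robots.txt body."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


# Assumptions: a version number in a technology header is leakage, and these
# markers should never appear in an error page served to a user.
VERSION_RE = re.compile(r"\d+\.\d+")
STACK_TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)|Stack Trace:|\.java:\d+\)|on line \d+"
)
TECH_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def review_response(raw: str) -> list[Finding]:
    """Apply the Step 2 checks: technology leakage, cookie attributes,
    cleartext redirects, and stack traces in error pages."""
    status, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name in TECH_HEADERS and (name != "server" or VERSION_RE.search(value)):
            findings.append(Finding("information leakage", f"{name}: {value}"))
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            present = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            for flag in ("secure", "httponly", "samesite"):
                if flag not in present:
                    findings.append(Finding("cookie", f"{cookie_name} lacks {flag}"))
        elif name == "location" and 300 <= status < 400 and value.lower().startswith("http://"):
            findings.append(Finding("redirect", f"redirect to cleartext URL {value}"))
    if status >= 500 and STACK_TRACE_RE.search(body):
        findings.append(Finding("error handling", "error page contains a stack trace"))
    return findings


def disallowed_paths(robots_txt: str) -> list[str]:
    """Return every Disallow entry. robots.txt is a hint list for the tester;
    each path gets an access-control check in Step 6, it is not protection."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


# Constructed sample data (not captured from any real system).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Location: http://www.example.com/home\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
SAMPLE_ERROR = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<pre>Traceback (most recent call last):\n  File \"app.py\", line 12</pre>"
)
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\nAllow: /\n"

if __name__ == "__main__":
    for f in review_response(SAMPLE_RESPONSE) + review_response(SAMPLE_ERROR):
        print(f"[{f.category}] {f.detail}")
    print("robots.txt paths to verify in Step 6:", disallowed_paths(SAMPLE_ROBOTS))
```

On the constructed responses the script reports two technology headers, three missing attributes on the session cookie (the theme cookie passes), one cleartext redirect and one stack trace; the same functions can be fed responses saved from the proxy used in Step 1.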

Step 3: Enumerate Other Resources

Purpose:

-Look for other network resources: web sites, etc.

Methodology:

-Enumerate DNS hostnames and the network blocks of other systems
-Identify other systems related to the target

Tools:

-nmap
-DNSenum

Step 4: Scan the Target for Security Flaws

Purpose:

-Identify possible security flaws in the target web application

Caveats:

-Scanners lack intuition and an understanding of the requirements
-Scanners cannot improvise
-False positives and false negatives are common

Tools:

-Netsparker Community Edition
-Acunetix Web Vulnerability Scanner

Step 5: Test Authentication Mechanisms

Methodology:

-Test password quality
-Attempt to enumerate usernames
-Attempt to brute-force passwords
-Test the account recovery function of enumerated users
-Examine cookies if a ‘remember me’ option exists
-Verify credentials are submitted securely
-If multi-phase authentication is used, test for logic flaws

Tools:

-Web Browser
-Burp
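Three of the Step 5 checks (password quality, username enumeration, and secure submission of credentials) written as automated tests, added here as an example and not code from the original post. The login handler, the user table, the login form HTML and the password-policy thresholds are all constructed assumptions; `leaky_login` is included only so the enumeration check can be seen catching the flaw it is designed to detect.

```python
"""Added example (not from the original post): scripted versions of three
Step 5 checks, run against a constructed login handler and login form."""
import hmac
import re
from html.parser import HTMLParser

# --- Constructed system under test (assumption: a plain form-based login) ---
USERS = {"alice": "Correct-Horse-42!", "bob": "summer2019"}


def login(username: str, password: str) -> tuple[int, str]:
    """Handler that answers an unknown user and a wrong password identically,
    so the response cannot be used to confirm which usernames exist."""
    stored = USERS.get(username, "")
    # compare_digest keeps the comparison time independent of where the mismatch is
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        return 200, "Welcome"
    return 401, "Invalid username or password"


def leaky_login(username: str, password: str) -> tuple[int, str]:
    """Variant with the classic enumeration flaw: a distinct message for unknown users."""
    if username not in USERS:
        return 401, "No such user"
    return login(username, password)


LOGIN_FORM = '<form method="post" action="/login"><input name="u"><input name="p" type="password"></form>'

# --- The tester's checks ---
COMMON_PASSWORDS = {"password", "123456", "qwerty", "summer2019"}  # constructed list


def password_quality(password: str) -> list[str]:
    """Return the policy rules a password violates; the thresholds are assumptions."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        issues.append("fewer than 3 character classes")
    if password.lower() in COMMON_PASSWORDS:
        issues.append("appears in the common-password list")
    return issues


def failure_responses_uniform(handler, known_user: str, unknown_user: str) -> bool:
    """Username enumeration check: a wrong password for a real account and any
    password for a non-existent account must produce identical responses."""
    return handler(known_user, "wrong-password") == handler(unknown_user, "wrong-password")


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def credentials_submitted_securely(form_html: str, page_url: str) -> bool:
    """Every form on the login page must submit to an https:// URL; a relative
    action inherits the scheme of the page that served the form."""
    parser = _FormActions()
    parser.feed(form_html)
    if not parser.actions:
        return False
    return all(
        (action if "://" in action else page_url).lower().startswith("https://")
        for action in parser.actions
    )


def run_checks() -> dict[str, bool]:
    """Each entry is True when the constructed system passes that check."""
    return {
        "weak password rejected by policy": bool(password_quality(USERS["bob"])),
        "no username enumeration": failure_responses_uniform(login, "alice", "nobody"),
        "credentials submitted over TLS": credentials_submitted_securely(
            LOGIN_FORM, "https://www.example.com/login"),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print("PASS" if ok else "FAIL", name)
    print("leaky handler uniform?", failure_responses_uniform(leaky_login, "alice", "nobody"))
```

The enumeration check compares the whole response tuple, so a handler that differs only in status code or wording fails it; in a real run the same comparison is made on the proxied responses, and response timing should be compared as well.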

Step 6: Verify Access Controls

Purpose:

-Verify whether access controls are properly applied to sensitive functionality

Methodology:

-Map the site using different users

The above steps have helped me and they should surely help you.
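The Step 6 check in code, added here as an example and not code from the original post: the site is mapped as each user, every discovered URL is then replayed as every other user, and each 200 where the intended policy expects 403 is reported. The application, its routes, the users and the policy are constructed stand-ins; two flaws (a privileged function with no role check, and an order resource with no ownership check) are built in so the test can be seen finding both the vertical and the horizontal case.

```python
"""Added example (not from the original post): build an access matrix for
the Step 6 check against a constructed application with two deliberate flaws."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "admin" or "user"


# Intended policy (assumption): roles allowed to reach each function.
# Orders are owner-scoped and handled in expected_status().
POLICY = {
    "/dashboard": {"user", "admin"},
    "/admin/users": {"admin"},
    "/admin/export": {"admin"},
}

ORDERS = {"1001": "alice", "1002": "bob"}  # order id -> owner


def app(path: str, user: User) -> int:
    """Constructed application. /admin/export is missing its role check and
    /orders/ never checks ownership: the two flaws the test should find."""
    if path == "/dashboard":
        return 200
    if path == "/admin/users":
        return 200 if user.role == "admin" else 403
    if path == "/admin/export":
        return 200  # BUG: no role check
    if path.startswith("/orders/"):
        order_id = path.rsplit("/", 1)[1]
        if order_id not in ORDERS:
            return 404
        return 200  # BUG: any authenticated user can read any order
    return 404


def expected_status(path: str, user: User) -> int:
    """What the policy says the application should answer for this user."""
    if path.startswith("/orders/"):
        owner = ORDERS[path.rsplit("/", 1)[1]]
        return 200 if user.role == "admin" or owner == user.name else 403
    return 200 if user.role in POLICY.get(path, set()) else 403


def map_as(user: User) -> set[str]:
    """Stand-in for spidering as this user: the URLs the UI exposes to them."""
    urls = {"/dashboard"} | {f"/orders/{oid}" for oid, owner in ORDERS.items() if owner == user.name}
    if user.role == "admin":
        urls |= {"/admin/users", "/admin/export"} | {f"/orders/{oid}" for oid in ORDERS}
    return urls


def access_control_violations(users: list[User]) -> list[tuple[str, str]]:
    """Replay every URL mapped by any user as every user; a 200 where the
    policy expects 403 is a violation (vertical or horizontal)."""
    all_urls = set().union(*(map_as(u) for u in users))
    violations = []
    for user in users:
        for path in sorted(all_urls):
            if app(path, user) == 200 and expected_status(path, user) == 403:
                violations.append((user.name, path))
    return violations


USERS = [User("admin1", "admin"), User("alice", "user"), User("bob", "user")]

if __name__ == "__main__":
    for who, path in access_control_violations(USERS):
        print(f"VIOLATION: {who} reached {path}")
```

Against a real target the `map_as` step is the spider output from each user's proxy session and `app` is a replay of each request with that user's cookies; the comparison logic stays the same.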
About the Author

Dias

Avid test engineer with a keen interest in introducing new techniques in the software testing area.
Find out more about @diasj