Mobile Security Testing – Application Threat Modelling

Reading Time: 3 minutes

I am currently working in Mobile Security Testing as a penetration tester. Before this I worked on software/web application development and when I tuned my career towards software/mobile app testing, I got more interest in “application security testing”.
Most applications nowadays have web interfaces, including mobile apps and I personally feel that a lot of things are insecure at some level. I mean (Black hat hacker) anybody can steal any information from the web server directly or as a Man-in-the-Middle.
I personally feel that custom built applications always have a lot of security holes whereas ready to use applications have far less because they have their own community which helps them to test the application early and fix security bugs, with next release, e.g. wordpress cms.

[Important] Don’t think that Threat/Hacker attacks only come from using your application.

It may come from, or already exist, somewhere within your whole IT infrastructure.
Major attacks can hacker do with your applications are

  • Injection
  • Broken Authentication and Session Management
  • Cross-Site Scripting
  • Insecure Direct Object References
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross-Site Request Forgery
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards

Security testing is very dynamic. owasp.org releases it’s top 10 possible risks with software/application each year.

Why my application is insecure?

Normally companies will not hire security test guys due to project budgets and this way more security bugs will appear during the development process. When security experts audit and verify the application, they submit a report about security holes in application. The developer then needs to decide on and fix them which can be  a painful and time consuming process.

How do we secure an application?

Early stage app testing is very important. You may ask me, how early? In traditional development, application security testing is only done during the ‘Testing Phase’ or before the application is released to end user.

Early stage app testing includes the phase of application requirement analysis with overview of application as well as decompose of the application.

Any software tester who has a developer background can work more effectively as a security testing expert within an organization with the SDLC to build the secured application for the end users.

Security testing can be done by using tools & logical techniques. You must also remember that security testing can vary with what type of application you are testing and what kind of technology is involved in it.

Difference between – Threat & Vulnerability

Threat – A threat is a possible danger that might exploit vulnerability
Vulnerability – Vulnerability is a weakness of the system

 

OWASP threat Modelling 

It is a 4 step process

1. Decomposing
2. Determine threats
3. Test
4. Analyse results

OWASP threat modelling can be adoptable through the SDLC.
Currently I am doing independent research to integrate the mobile app / web app security test automation. If you have any knowledge, comment below.

 

About The Author

Padmaraj Nidagundi Profile picture of Padmarajis a Software Engineer with an accomplished history of driving process change and agility. He specialises in Quality Assurance and Brand Management. He is interested in pursuing leadership opportunities where he can achieve excellence and create high quality client products.

Padmaraj enjoys managing the end-to-end build/release cycle for cutting-edge software products and thrives in a dynamic, innovative environment where he can contribute to capabilities to support long-term vision and drive new strategic initiatives.

Mobile Testing CTA

About the Author

Padmaraj

As a Software Engineer with an accomplished history of driving process change and agility, I specialize in Quality Assurance and Brand Management. I am always interested in pursuing leadership opportunities where I am able to achieve excellence and create high quality client products. I enjoy managing the end-to-end build/release cycle for cutting-edge software products. I thrive in a dynamic, innovative environment where I can contribute to capabilities to support long-term vision and drive new strategic initiatives. • Passion for high quality software. Areas of interest - Penetration/Security Testing & R&D
Find out more about @padmaraj

Leave a Reply

New eBookMaintaining Quality Standards When Nothing Stays Constant
Download Now