Security testing

Woman posing in office. Photo.

For a recent graduate in communication technology with information security as a specialization, there are many career opportunities. In a world where hacking gradually becomes an increasing threat, the need for information security is imperative. For me, the choice was simple once I was offered to work as a tester in Itera. To develop secure solutions, it is important to increase the awareness and knowledge of security in all parts of the development cycle, also in the test phase.  

Written by Vilde Amundsen, Tester

Test environment in Itera 

Itera is known for a highly competent test environment that continuously seeks to improve and renew itself. By facilitating competence development and personal training, Itera has managed to develop specialists within test management, performance testing, and test automation. In the years to come, Itera wish to continue specialization of their test engineers, now focusing on security. Security testing is a product already offered by Itera through the office in Ukraine, but now the competence is to be further developed in Norway. To be a part of Itera’s development of security testers in Norway was quite appealing to me as a graduate.  

What is security testing? 

The objective of security testing is to detect vulnerabilities within a system and decide whether information and resources are well enough protected from possible attackers. It will never be possible to guarantee that a system is 100% secure – people make mistakes – but with correct tools and knowledge it is possible to define the probability and consequences of certain vulnerabilities. Security testing is introduced to identify risks and vulnerabilities before they potentially are exploited and creates the foundation for prioritizing necessary measures to mitigate the existing vulnerabilities. Security testing may be performed on different levels: within the infrastructure of a system by researching the network and firewall configurations, at software level by penetration testing the application, and at an organizational level by researching the company’s security policy and the knowledge of the employees.  

How to perform security testing? 

To perform a security test, it is natural to review the most common threats a system may be exposed to. OWASP top 10 is a recommended place to start for web applications. Open Web Application Security Project (OWASP) is an international non-profit organization dedicated to web application security that regularly publishes a report that informs about the 10 most critical risks web applications are exposed to. As a security tester, it is necessary to be aware of which vulnerabilities an application may be exposed to and how to test if they are present in the application to be tested.  

The most common attack against web applications is SQL Injection. SQL Injection is an attack that exploits fields where the user can input data on a website. The attack may be performed if the data from the user is not well enough validated before it is sent to the system. For example, a website may be implemented in the manner where the user input their employee number and is presented with address, phone number, and email linked to the employee number. An SQL query will be performed: SELECT * FROM users WHERE employee_id = ‘input from user’. 

A security tester will try to manipulate the SQL query to run malicious SQL code instead of entering a normal string parameter to retrieve information from the database. By submitting logical expressions that are utilized by SQL databases, an attacker can try to perform calls from the field that are intended for user input. A simple attack to check validation of a website is to enter userInput= 1234567 or 1=1. The latter part may run as TRUE if no validation is used, and the website will then provide all information of all employees to a person that should not have access. There are many variations of SQL Injection attacks, some more complicated than others. A useful tip to practice different attacks of varying degree of difficulty (legally) is to download OWASP’s penetration testing sandbox, WebGoat, that consist of a server and a vulnerable application with different assignments and lessons. Through a pedagogic step program and useful hints, it is possible to increase the level of knowledge of the most critical vulnerabilities by performing ethical hacking in a safe environment.   

Security testing in Itera 

In bids where it is expedient, Itera informs of the possibility for security testing. Security testing is expedient in projects where there is a risk for economic or personal information loss, reputation damage, or other losses for the customer’s business. How security testing is applied depends on the project type. Itera offers both integrated security testing as a part of the software development where the components are tested in accordance with the development, and independent security testing of an application that is ready for production. The recommendation from Itera, however, is to invest in integrated security testing to detect vulnerabilities in an early stage and thereby decrease the cost of patching them.  

Vilde Amundsen

Vilde Amundsen