Security Testing
ISSN 1866-5705, www.testingexperience.com. Free digital version; print version 8,00 €, printed in Germany.
The Magazine for Professional Testers, Issue 6, June 2009: Security Testing.

Editorial

Dear readers,

One of my professors at the university once said to all of us: computer scientists are at some point criminals. What he meant was that we, or at least some of us computer scientists, at some point like to try things that are not that "legal". Most of us are "clean", but some of us are "free time hackers"! Nowadays the hackers are far from the 17-year-old guy trying to penetrate some website and so on. They are now adults, with families, cars, pets, holidays and a job. They are professionals earning money for acting as such.

Application security is not only important and essential for the companies and their businesses, technology and employees. Application security is a macroeconomic aspect for the countries. There are a lot of secret services or government agencies working on getting technology or information by advanced hacking of the servers and databases of top companies or governments worldwide. When we hear that some countries could be behind the penetration of the USA electricity network, you can imagine what is going on outside. Are we testers prepared for that job? I'm not!

Last year we had the first tutorial by Manu Cohen about Application Security Testing. It was amazing what you can do in a few minutes using the right tools!!! Even as a computer scientist your eyes get wide open. We saw after the first tutorial that we need to give the attendees attack skills; they should learn also to attack and to think how a hacker thinks.
The second tutorial some weeks ago had a two-day introduction into practical hacking. It was an even bigger success. We, as testers, have to be given specific knowledge on security testing to do the job in the right way. As well as this tutorial by Manu Cohen there is an initiative called ISSECO. ISSECO has defined a syllabus for a certification as a professional for secure software engineering. This is more than testing; security already starts with the requirements and design of the application. It is a part of the whole process. This is a step in the right direction!

Security is getting essential and that's why we will issue a new magazine on this topic called Security Acts. The first issue is going to be released in October 2009. It appears quarterly too. Please send us your proposals for articles.

The program for the Testing & Finance is ready and I hope to see you there. We have great speakers!

Last but not least I want you to pay attention to our new e-learning portal www.testingexperience.learntesting.com. You can register for ISTQB Certified Tester Foundation Level and very soon for the Advanced Level. Enjoy learning!

Yours sincerely,
José Manuel Díaz Delgado

Contents

Editorial, 3
Claim-Based Authorization – Next Generation Identity Management, by Manu Cohen-Yashar, 7
The Liability of Software Producers and Testers, by Julia Hilterscheid, 12
Application Security Fundamentals, by Joel Scambray, 14
Security Testing by Methodology: the OSSTMM, by Simon Wepfer & Pete Herzog, 20
Wanted: Technical Test Analysts, by Erik van Veenendaal, 24
Application Security – Money Still Being Squandered on It, by Serge Baumberger, 25
Interview Mike Smith, 27
Web Vulnerability Scanners: Tools or Toys?, by Dave van Stein, 31
A Risk-Based Approach to Improving Software Security, by Rex Black, 36
Case Study: An Automated Software Testing Framework (ASTF) Example, by Elfriede Dustin, 39
The need for a structured security test approach!, by Andréas Prins, 45
Business Logic Security Testing and Fraud, by James Christie, 48
Demystifying Web Application Security Landscape, by Mandeep Khera, 55
Customer Success Story - Advertorial, by Vladan Konstantinovic, 59
How to conduct basic information security audits?, by Nadica Hrgarek, 61
Advanced Software Test Design Techniques, Decision Tables and Cause-Effect Graphs, by Rex Black, 66
Load Testing In 10 Steps, by Shai Raiten, 71
Testing the Enterprise Security: Anti-Spam and Anti-Virus, by Dr. Marian Ventuneac, 74
Software Test Automation: Frame Your Own Requirements, by Suri Chitti, 77
Database Auditing, by Craig Steven Wright, 79
Project-Based Test Automation, by David Harrison, 86
Software Configuration Management-SCM, by Mahwish Khan, 89
Align for Good Test Design, by Richard van der Pols, Andrew Jong, & Jeanne Hofmans, 93
The new ISTQB® Certified Tester Advanced Level: Focus on practical know-how, by Professor Mario Winter, 99
Masthead, 102
Index Of Advertisers, 102

Claim-Based Authorization – Next Generation Identity Management
by Manu Cohen-Yashar

Identity is one of the most popular challenges applications face today. Almost every application has to know who it is talking to and needs to do something about it. Unfortunately we know that identity is poorly handled, as identity theft is one of the world's greatest problems today.

What exactly is identity? After decades of working with identity, we finally understand that identity is nothing more than some information that describes an entity. It turns out

The authenticator is given to the client for immediate interaction with the application, so that he/she will not need to go through authentication every time he/she interacts with the application. The application might use the authenticator as a key to find the identity information in the cache.

6. The user logs out and the authenticator is deleted.

• After authentication the application needs to look

is trivial. Passwords are the weakest form of authentication, but usually this is all we have got. Governments have failed to distribute a strong form of authentication to their citizens, e.g. smart passports, and thus there is no strong authentication for the masses. Some employers and large organizations have managed to do so and they enjoy a much safer authentication.