Friday, March 17, 2006

Software Testing as part of a solution

Security testing of internet solutions provides two fundamental services:
  • It allows cost-effective selection of security controls at all stages of the project cycle, allowing proper integration of security measures (procedural and technical) into the final solution.
  • Management are given firm evidence of the level of security provided, showing that, in the event of a security breach, "due diligence" was exercised, which may limit damages claims or criminal liability.
Testing a system will involve a number of separate checks:
  • All software involved should be examined for known security flaws.
  • The infrastructure design should be implemented to allow secure operation.
  • Site functionality should be examined to ensure that access to sensitive information and administrative functions is protected appropriately. This applies to operating system and server level functions, as well as application level.
  • Only services necessary for the business process should be running on web-facing servers (the more different services exposed, the greater the likelihood of a serious flaw).
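The last check above, that only the services the business process needs are listening on a web-facing host, is easy to automate. The following script is an added example and is not part of the original post: it parses the output of `ss -ltnp` (the sample below is constructed, not captured from a real server) and reports every socket bound to a non-loopback address whose port/process pair is not on an allowlist. The allowlist itself is an assumption standing in for whatever the business process actually requires.

```python
"""Flag listening services on a web-facing host that are not on the allowlist."""
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output (hypothetical host, not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=640,fd=5))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=530,fd=3))
LISTEN  0       5       0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=901,fd=4))
LISTEN  0       128     0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=950,fd=20))
"""


@dataclass(frozen=True)
class Listener:
    addr: str      # local address the socket is bound to
    port: int      # local TCP port
    process: str   # owning process name as reported by ss


# One `ss -ltnp` data line: state, queues, local addr:port, peer addr:port, process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_ss(output):
    """Turn raw `ss -ltnp` text into Listener records; header and odd lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners


# Assumed allowlist: (port, process) pairs the business process needs exposed.
# In practice this comes from the infrastructure design, not from the host itself.
ALLOWED_PUBLIC = {(80, "nginx"), (443, "nginx"), (22, "sshd")}
# Sockets bound only to loopback are not reachable from the network and are ignored.
LOOPBACK = {"127.0.0.1", "::1"}


def unexpected_listeners(listeners, allowed=ALLOWED_PUBLIC):
    """Return listeners reachable from outside that are not on the allowlist."""
    return [
        l for l in listeners
        if l.addr not in LOOPBACK and (l.port, l.process) not in allowed
    ]


if __name__ == "__main__":
    # To run against a live host, replace SAMPLE_SS_OUTPUT with the real `ss -ltnp` text.
    for l in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"unexpected service: {l.process} listening on {l.addr}:{l.port}")
```

On the constructed sample the script reports the FTP daemon on port 21 and the database on port 3306 as unexpected, while the PostgreSQL socket on 127.0.0.1 is left alone because it is not reachable from the network. Each finding is a service to remove, firewall off, or add to the allowlist with a documented business reason.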

Saturday, March 04, 2006

The Risks of lack of Web Security Testing

Why should an organisation care about compromise of their systems?

Direct Financial Loss - If a payments system is being operated, the contracts with the banks and the credit card organisations will specify significant financial penalties and charges that will be levied in cases of continuing fraud. In addition, the costs of shipped goods for which payment will not be recovered need to be taken into account.

Loss of Reputation - Many hackers do it for the public recognition, and therefore will publicise the compromise of a site. Security news sites are also very quick to learn of compromises. The UK consumer is still nervous about transmitting payment information across the web - gaining a reputation as an insecure site will affect internet business growth.

Legal Repercussions - The Data Protection Act places a legal responsibility on organisations to keep person-identifiable data secure. The Data Protection Registrar civil damages suits from affected individuals. Also, exposure of commercially sensitive data acquired under contract or privilege may lead to damages suits from affected parties.

Thursday, March 02, 2006

Basics of Web Security Testing

Exposing systems to the internet increases the risk that security weaknesses in those systems will be leveraged to compromise the system or the underlying data. It is therefore necessary to examine the actual business risks this brings, understand the basic difficulties in implementing "secure systems", and adequately test internet applications for security, as well as functionality and load performance, before they are exposed to the net.

Most organisations now have some of their corporate IT infrastructure connected to the internet. This may vary from allowing users to surf the web and receive email, to fully functional internet banking systems. For some organisations, compromise or failure of these systems would have significant business impact.

Software testing is becoming an accepted part of the development and maintenance cycle. Internet solutions are often required to be implemented extremely quickly. Functional, usability and load testing are all as appropriate for internet solutions as for conventional client-server ones; however, the requirement to test security is more emphatic for the internet, because of the much wider connectivity - to the incompetent, nosy or malicious - that the internet brings.