
Software Security Testing Part - I

 The Basics of Software Security


Introduction

Welcome to the first module of this workshop. Over the course of the workshop we will cover software security testing as it is practised in the field of information security, touching on many aspects of security. This module lays the groundwork: the basics of software security.

Prerequisites

• Sound knowledge of computer programming

• Sound knowledge of information security and related technologies

• Expertise in at least one programming language

The Software Industry

The software industry is roughly 50 years old. It has progressed from very basic programs to complex development, and today there is intense competition among developers, not least in the mobile software market.

Most importantly, the software we use every day, such as operating systems like Windows, faces constant threats. To counter them we rely on different types of tools to protect our Personal Computer (PC). Before looking at those tools, we will first look at the types of software.

Types of Software

There are many types of software, broadly categorized by their usage and the operations they perform. Some common types of software are listed below:



These are a few of the many types of software available in the market; we cannot list them all here. The list is only meant to give readers an idea of the different types and purposes of software. At the highest level, the software industry can be divided into two main classes of software:

• System Software (Operating Systems)

• Application Software (e.g., Office)

You might be wondering why we haven’t listed security software. Since our focus is on the security aspects of software, it deserves its own definition.

What is Security Software?

Security software is specially built or designed to perform certain dedicated tasks, namely to:

• Identify threats,

• Prevent them,

• Stop malfunction and repair the damage that others cause on your computer or network.

 Different types of security software may be focused on preventing attacks from reaching their target, on limiting the damage attacks can cause if they reach their target and on tracking the damage that has been caused so that it can be repaired.

No security software can guarantee 100% security. What can be said is that as the nature of malicious code evolves, security software evolves with it. Some of the main categories of security software are given below.

 Anti-spyware software

   Anti-spyware software can protect your computer by providing real-time protection against malware, spyware, and adware installations, as well as by detecting and removing such programs that are already installed on your computer.

“Spyware attaches itself to individual computers to perform functions like monitoring Internet navigation and stealing information. Spyware can track your personal data and then send it to cyber criminals.”

Anti-virus software

   Anti-virus software can protect your computer from a range of cyber threats, like viruses, worms, rootkits, and phishing attacks. The software keeps you protected by scanning files to look for known viruses, and by using what is known as heuristics to identify suspicious behavior, which may indicate a threat. 

“A virus is code that recursively replicates a possibly evolved copy of itself. Viruses use computers to spread from one to another. They often perform a function that can erase files and processes from your computer.”

Firewall

   A firewall provides critical protection to keep your PC safe from unauthorized access, but it cannot remove malware from a system that has already been infected; therefore, it should be used in conjunction with anti-spyware and anti-virus software. 

The most important thing to remember is that covering the basic requirements with the tools above still does not guarantee the security of your system. If you are using “Microsoft Windows”, you are more exposed to potential threats once you go online. This is to be expected: “MS Windows” is the end user’s favorite operating system, and therefore the one most often targeted by attackers.

Some Common Sense

The fact is that antivirus, anti-malware and other security software programs aren’t perfect. If you rely on your antivirus alone to protect you, you are putting yourself at risk. You should still follow basic techniques and practices to ensure security, and these techniques are nothing advanced, just common-sense computer security practices.

  “Be careful about the programs you download and run. You should only download and run trustworthy software. Get the software from its official website — if you want to download your favorite music player, download it from its official website. Don’t click such banners on another website and download it from someone else that may bundle malware or adware along with it.” 

You should also keep your programs and software updated, regardless of their type. Patch management is a good security measure for keeping your software safe from the latest known vulnerabilities.

Patch Management

Patch management is the area of systems or software management that involves acquiring, testing, and installing multiple patches. It can also be viewed as a part of change management.

Secure Coding of Software

Writing a piece of code is easy; writing a secure piece of code is not, and there is a real difference between the two. When a developer writes code, the priority is usually delivering the software and making sure the functionality works, regardless of security aspects such as validating inputs. As a result, not all developers are good at writing secure code. There is also a set method, or methodology, that needs to be followed, which we will explore in upcoming modules.

Flaws appear in software because somewhere along the requirements, development, and testing phases of the software development lifecycle, the mandate for secure software was dropped and neglected.

Software is only secure when it is designed with security in mind throughout its development lifecycle. If you attempt to add security after the software has been developed, there is a good chance of creating even more problems than if security had been considered from the start.

If you really want to build secure software, security should be built into the development lifecycle itself, and management should be involved in shaping how the organization thinks about and develops software with security in mind.

In the next module, we will explore the techniques consultants and security professionals use to evaluate the security of software code. There are well-known tools and techniques that the industry treats as best practices for setting a standard in security testing, or security review, of software; however, they are not the only way to ensure the security of your software. We will cover security in the software development lifecycle in a separate module, to show how you can build it in from the beginning of the lifecycle. We will also present a demo: a practical approach to evaluating software security.
