Tuesday, June 8, 2010

Introduction to Application Security

I've been in the field of software testing for a few years, involved in manual and automated testing, from black-box to API testing, but I haven't had a chance to work on application security testing. I thought of exploring this area and, at the same time, starting this blog to share my learning and learn from your experience.

A security leak means that an unauthorized user is able to access your system or information. Let's go through some of the common security problems you should evaluate your product for. Later, we will discuss each of these in detail.

On web applications, this can happen through techniques like XSS (cross-site scripting), where third-party code is embedded in a website and can then capture your credentials, or CSRF (cross-site request forgery), where a hacker can gain control over your workflow.
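As an added illustration (not part of the original post), here is a small Python sketch of the two web issues just named: a comment renderer that pastes user text straight into HTML beside its escaped form, and a state-changing handler that refuses requests lacking a token bound to the user's session. The secret, session ids and form fields are constructed for the demo.

```python
import hashlib
import hmac
import html

# Constructed secret for the demo; a real application loads this from protected
# configuration and never hard-codes it (assumption for illustration only).
SERVER_SECRET = b"constructed-demo-secret"


def render_comment_vulnerable(comment: str) -> str:
    """The XSS pattern from the post: untrusted text pasted straight into HTML.

    A comment containing <script> becomes live script in every visitor's
    browser. Kept only to contrast with the hardened form below."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened form: HTML-escape untrusted text before embedding it."""
    return f"<p>{html.escape(comment)}</p>"


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the user's session.

    A page on another site can make the victim's browser send a request, but
    it cannot read this token, so it cannot include a valid one."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(session_id: str, form: dict) -> str:
    """State-changing handler: refuse unless the form carries the token issued
    to this very session, compared in constant time."""
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {form['amount']} to {form['to']}"


def demo() -> dict:
    """Run both checks on constructed input and return the outcomes."""
    hostile = "<script>alert(1)</script>"          # constructed XSS probe
    token = issue_csrf_token("sess-42")            # token the real page embeds
    forged = {"amount": "100", "to": "bob"}        # cross-site form: no token
    legit = dict(forged, csrf_token=token)         # same form from the real page
    return {
        "vulnerable": render_comment_vulnerable(hostile),
        "safe": render_comment_safe(hostile),
        "forged": handle_transfer("sess-42", forged),
        "legit": handle_transfer("sess-42", legit),
    }
```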

On the desktop product side, there are techniques like command injection (you might have seen articles or videos on YouTube where security researchers demo this by automatically launching Calculator when a faulty file is opened in the application). It means that there is a security vulnerability in the application's file handling logic which allows a hacker to execute commands when faulty files are opened. Another common technique is file format fuzzing, which makes the application crash while handling faulty files and possibly gives the hacker control over the system's memory.

Apart from these, if your application handles sensitive information such as PII (Personally Identifiable Information) and credit card information, then you need to be extra careful in handling it. For handling credit card information, there is an industry standard (PCI DSS - Payment Card Industry Data Security Standard) which you should follow.

Testing an application for security vulnerabilities is not limited to web applications. Contrary to my earlier belief that security testing is primarily for web applications, I'm now fairly convinced that it is equally important for desktop applications. In fact, the cost of fixing an issue in a desktop product is higher than pushing an update to a web application.

1 comment:

  1. I learned some new ideas through your blog. It's a simple and perfect collection.