In my previous blog, we discussed about Pentesting using ZAP tool, today we discuss the remaining 3 points of security testing. Security Testing can be classified according to the type of vulnerability have been exploited or type of testing should be done for it.
Roughly it can be done as:
- Vulnerability Assessment
- Penetration Testing
- Runtime Testing
- Code Review
Penetration Testing explained in our “Pentesting security testing using OWASP ZAP” blog.
Here we will explore the other 3 techniques.
Vulnerability Assessment also termed as Vulnerability Analysis is a process which defines, identifies and classifies the security holes (i.e. Vulnerabilities) in computer networks or communication systems.
Vulnerability Assessment has several steps-
- Defining and classifying network and system resources.
- Assigning level of importance to the assigned resources.
- Identifying potential threats to each resource.
- Making a strategy for dealing with the most serious potential problems first.
- Defining and implementing ways to minimize the consequences if an attack occurs
If vulnerabilities are found as a result of vulnerability analysis, a vulnerability disclosure may be required.
The person or organization that discovers the vulnerability, or a responsible industry body such as the Computer Emergency Readiness Team (CERT), may make the disclosure.
If the vulnerability is not classified as a high level threat, the vendor may be given a certain amount of time to fix the problem before the vulnerability is disclosed publicly.
The next stage of vulnerability analysis (identifying potential threats) is sometimes performed by a ‘white hat’ using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses.
The term ‘white hat’ in security refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization’s information systems.
Runtime application self-protection (RASP) is a security technology that is built into an application and can detect and then prevent real-time application attacks.
RASP prevents attacks by “self-protecting” or reconfiguring automatically without human intervention in response to certain conditions (security misconfigurations, threats, faults, attacks etc.).
RASP comes into play when the application is executed at runtime, causing the program to monitor itself and detect malicious input and behaviour.
How Runtime Application Self-Protection (RASP) Works-
RASP basically provides security into the running application where it resides on the server. It then intercepts all calls to the system to ensure they’re secure.
Effectively, RASP implants validation of data requests directly into the application.
RASP can be applied on Web along with Non-Web applications without affecting the actual design of it. Currently, RASP technology exists for Java virtual machine and .NET Common Language Runtime.
When specified security conditions are met, RASP gets control of the application and takes the necessary protection measures.
RASP’s protection measures include the following:
- User session termination
- Application termination (not affecting other applications on that server)]
- An alert sent to security personnel
- A warning sent to the user
Advantages of RASP technology-
RASP technology has a detailed view into the actions of the system, which can help improve security accuracy. In addition, with self-protecting data, the protection remains with the data, from its creation to destruction and everything in between.
Disadvantages of RASP technology-
One drawback to RASP is that each application must be individually protected. The dynamic nature of RASP can affect performance while protecting the application, potentially causing a performance degradation that would be apparent to the user. As RASP solutions cannot protect against all sorts of vulnerability, some security experts argue that it should not be used as the only solution for insecure software, but should be used in combination with other approaches to securing applications such as application security testing.
Code review is probably the single-most effective technique for identifying security flaws and vulnerabilities. When it is used along with automated testing tools and manual penetration testing, can significantly increase the cost effectiveness of an application security verification effort.
Manual security code review provides internal aspects of the “real risk” associated with insecure code.
Security Code Review-
Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as expected, and that they have been called in all the right places. Code review is a way of ensuring that the application has been developed so as to be “self-defending” in its given environment.
Security code review is a method of assuring secure application developers are following secure development techniques. A general rule of thumb is that a penetration test should not discover any additional application vulnerabilities relating to the developed code after the application has undergone a proper security code review.
Along with automated tools human reviewers are also important to fill in for the significant blind spots where automated tools simply cannot check.