Bloggo back to the blog
G(r)ood testing 21 – Improving application security, where to start?
Secure software is an essential component in the fight against cybercrime. Many organizations are aware of this but find it difficult to embed security awareness and security testing in their software development. In order to provide a pragmatic approach the Secure Software Foundation, The Dutch Ministry of Economic Affairs and ECP have released the Framework Secure Software (FSS). This framework makes it possible for organization to access whether sufficient attention is given to the security aspects of software development.
I sat down with Tim Hemel for an interesting chat about security testing. Tim works as secure software specialist for Valori and is co-author of the Framework Secure Software.
For the people that do not know you; Do you regard yourself as a security hacker, tester or evangelist? (Or maybe all three of them)
I am always a bit hesitant to use the term hacker, as there are so many definitions of the word. To me a hacker is someone who uses technology in a creative way and manages to circumvent limitations. This mindset is very useful when looking at the security of systems, for example when testing. And if you manage to bypass a system’s security, it is hard to contain yourself and tell the people that are involved what is wrong and how to fix it. So there is the evangelism, although the message is not one that everybody is willing to hear.
Q: What is your mission regarding security?
As a society, we have been sloppy regarding security for the last decades. Now our society is highly dependent on IT systems and it is almost certain that they are not secure. Just turn on the news and you see items that prove this. My mission is to let people create more secure IT systems and make a better world. Perhaps it sounds a bit pretentious, but that it what it comes down to.
Why do you think security is not embedded in every test strategy, it should, shouldn’t it?
Oh yes, definitely. Fortunately, more organizations are becoming aware of the need to test their system’s security, but this is not done as an integral part of the development process. That is a shame, because if you integrate it in the development process it will be much more effective. You may even find security problems long before the actual release date. There are several reasons why security is not integrated yet. Security by itself is not visible to people, which is why it is so often overlooked. Then there are people who simply choose to ignore it or are not willing to invest in it, because like ordinary testing, security testing also has its cost.
Security testing seems to be something for very specialist people, do you agree?
To a certain extent, you are right. Security testers need to have the hacker mindset, to immediately see weak spots and find ways to circumvent them. To apply that mindset, they also need to know the technical ins and outs of the system they are testing. Those qualities are very difficult to find in a person these days. Fortunately, these can be learned and practiced. That does not mean that a non-specialist cannot do security testing. Simply thinking about what a system should NOT do sometimes already uncovers certain security problems.
What can testers do for themselves to become more security aware?
Well, there are several directions. If you like deeply technical tests, I would recommend to get started with one of the many security test environments that are available. If you like applications, the OWASP Testing Guide is a good start. If you are more into networks and infrastructure, you may want to look at an ethical hacking course or book. If you’re gearing more towards creating test scenarios and analyzing use cases, then you may want to have a look at a process called threat modeling, which is basically a brainstorm to find weaknesses in your system on a level higher than the technical implementation.
For all managers that say that security is important, but not for them, what would be your response?
My question to them would be if they enjoy having such an unimportant job that it does not need security. Most managers will have something to protect, something to prevent, either personally, or as a representative of a company. As soon as you have something to protect, security becomes important. It could be that these managers think that they are too important to be bothered by security. They will have to realize that it is exactly this attitude and carelessness that attackers can abuse and that can make an organization vulnerable. In the end, security is everyone’s responsibility.
What is the best security bug you found (or are you not allowed to share this information?)
Don’t worry, as long as I do not mention the victim’s name, sharing is not a problem. The irony about security bugs is that the ones that create the biggest impression, are also the ones that are the easiest to exploit. I remember very clearly that I was researching an e-banking application, which was using state of the art equipment, digital signatures and what more you can have. On the money transfer form it was possible to select the account from which to transfer. But the account number was not checked, so it was possible to fill in an arbitrary account number, sign the transaction and the money would be transferred from that account. Really easy to execute, really big impact.
You worked on a new framework, the Framework Secure Software, how does it help security testers forward?
One of the core principles of this framework is to make security visible during the whole development lifecycle. Threat modeling is an essential activity in this process. It results in a list of threats against your system, which developers should resolve, and testers should test. So this allows you to create and prioritize your test scenarios according to what you think is more risky. Because the threats are identified early, there is also more time to prepare the tests. And last, but not least, it gives you an idea of the security coverage of your tests, which can increase trust in the system.
What can you tell about the organization behind the FSS?
The Framework Secure Software is maintained by the Secure Software Foundation, which is a public/private initiative in the Netherlands. It started recently and has support from government organizations, private companies and educational organizations. Its mission is to make the world a more secure place by increasing the security awareness in software products, by making it visible to all stakeholders, from end-users to software developers.