FACING CHALLENGES IN TESTING SOFTWARE SECURITY

By

Mayank Sharma GrapeCity India Private Limited A-15, Sector 62 Noida-201307, U.P. India www.grapecity.com


Abstract

Software piracy and hacking are the biggest threats to the prosperity of the IT industry. Professional hackers are always chasing new product releases in order to crack them. So, it becomes vital for software organizations to secure their products before releasing them into the target market. The primary goal of implementing security is to prevent piracy, unauthorized access, and willful damage. During the product development cycle, it is essential to ensure the robustness of the security implementation and testing. Thus, test engineers play a major role in preventing piracy and hacking by making testing robust enough to meet its goal. The biggest challenge for test engineers is to ensure that the testing done by them is adequate, timely, and within budget. This paper will describe the significance of software security, various testing challenges, and measures that test engineers should take in order to make security testing robust. Various challenges faced in security testing will be addressed by emphasizing seven key steps: ‘reinforce security implementation’, ‘possess required skills’, ‘identify security vulnerability’, ‘do smart planning’, ‘adopt smart techniques to crack’, ‘ensure better usability’, and ‘prevent piracy’. This paper will not only discuss how test engineers can do fool-proof security testing, but also highlight ways by which they can prevent security breaches from occurring.

How Significant is Security?

The piracy rate is rapidly increasing every year in all parts of the world. It will be more challenging in times to come due to further geographical diversification of multinationals, increasing offshore outsourcing, and availability of software over the Internet. At the same time, we cannot afford to ignore the fact that the hacker community is maturing day by day. The importance of security implementation and testing is often overlooked. Test engineers do not pay enough attention to it, nor do many developers consider the security aspect an essential element of software products. The security aspect should be given appropriate importance in the development life cycle.

What Testing Can Do?

Lack of focus on security testing can gradually lead to financial damage, which is not immediately visible. It is crucial that test engineers realize the importance of their role in the success and profitability of their organization. Considering this fact, test engineers should ensure the integrity of security and licensing before finally releasing the software in order to prevent the possibility of piracy, willful damage, and unauthorized access. Insufficiently protected software is most prone to attacks; also, less secured systems can further encourage hackers. Testing can be powerful enough to tackle this menace, if test engineers understand their enemies, their behavior, and their intentions.

Is Security Testing Different?

Security testing is much more than just functional verification. Usually, the intent of application or system test engineers is to ensure that the application or system under test is doing what it is supposed to do. However, this is not the case for security test engineers. They need to detect situations where the system is doing what it is not supposed to do. Security test engineers should also think like hackers and keep themselves aware of the latest hacking techniques. This can be achieved by thinking beyond the conventional testing approach. Besides performing functional testing, they should adopt the latest hacking techniques to break their own product.

5th Annual International Software Testing Conference

QAI India

Facing Challenges

“A stitch in time saves nine”. This phrase holds true when facing challenges in security testing. The available time and resources are major constraints for security testing. Hackers use their expertise and spend considerable time to break a system. However, security test engineers have to do a better job than hackers within the available timeframe. They need to ensure the integrity of the internal security logic within the black box framework. Also, the testing done by them should be adequate to defend against future attacks. Consequently, it becomes essential to devise a practice that can address all the testing challenges. The perfect mix of the three fundamentals explained below can provide the ability to successfully face testing challenges:

• Adopt the right approach, methodologies, and processes to plan security testing
• Inherit the required skill-sets and breaking attitude to execute testing
• Use the appropriate tools and technology to execute testing

Figure 1.0 depicts how all three fundamentals can work together to provide the ability to face challenges.

Figure 1.0: Facing Challenges with Three Fundamentals

Indeed, this practice is useful not only for security test engineers, but also for all testing professionals. Only the selection of tools and technology may vary from one domain to another. Besides correcting the existing security flaws, it is necessary that the selected practice is capable of preventing them from occurring in the future. While ensuring the robustness of security, one should not compromise the product’s usability, in order to maintain its competitive edge over similar products. Based on the three fundamentals, ‘Right Approach’, ‘Required Skills’, and ‘Tools & Technology’, described below are seven key steps that may be helpful to smartly achieve the goals of security testing:


Figure 1.1: Seven Key Steps

Reinforce Security Implementation

Test engineers should work toward promoting the effectiveness of security implementation. They should make a tangible contribution by advocating implementation of security at the early phases of development. After coding and integration, it becomes difficult to assure the robustness of security. For instance, security implementation is inadequate unless developers adopt secure coding practices. Improper usage of data structures can lead to fatal flaws in the final system. Unit and integration testing done by developers is incomplete unless they use a memory leak detection tool. Isolating memory-related defects is very difficult at the system testing phase. Moreover, it is costlier to correct such defects at a later stage. In order to avoid such eccentricity, it is necessary that test engineers contribute at all stages by testing requirements, design, components, etc. To achieve this goal, test engineers should be familiar with various ways to strengthen security. Following are some possible approaches to implement security into a system:

• Having electronic licensing for standalone, network-based, and enterprise applications.
• Having Web-based activation of licenses.
• Using the industry standard encryption algorithms such as the AES (Rijndael) Advanced Encryption Standard algorithm that is a 128-bit data encryption technique, RSA algorithm developed by RSA Security, Secure Hash algorithm, etc.
• While using a licensing product from the information security solution provider, ensure that it is robust enough and uses the industry standard encryption algorithm.
• Using demo and trial licenses in a controlled environment.
• Obfuscating the source code (i.e., function names, variable names, etc.) so that hackers cannot interpret it on disassembling. Third party obfuscator tools can be used for this purpose. (To know more about Obfuscation, please refer to the “Adopt Smart Techniques to Crack” section).
• Protecting products with API calls by embedding them into the source code.
• Creating wrappers for the product’s executables and libraries.
• Using hardware keys such as USB keys and dongles to protect applications. A dongle is a hardware key that can be used with either the serial or parallel port of a computer, and helps to protect software applications by providing an authentication mechanism.
• Introducing the anti-debugging feature into the application executable.

Possess Required Skills

In order to conduct effective security testing, it is essential to have a “breaking” attitude. At the end of the day, it is not the quantity but the quality of bugs that matters. When asked to test an elevator, a security test engineer will rather target scenarios such as the consequences when the weight limit is exceeded, the behavior when power fails, the durability of the elevator’s rope, etc., instead of focusing on the basic working. Security test engineers should apply creativity when determining all the possible permutations and combinations. In fact, this is true not only for security test engineers, but also for all testing professionals.

Security test engineers should possess a positive attitude besides having appropriate testing skills. Without thinking about their defined role, they should stay one step ahead in taking initiatives at all levels in order to meet the ultimate goal. For instance, test engineers should continuously test code without waiting for the formal test cycles, to identify weak areas and symptoms well in time. If the source code is not available, they should at least try to grasp the design and architecture of the system under test. Most testing professionals do not recognize these tasks as part of their routine role.

The next obvious question that may come to anyone’s mind is why one should know things beyond one’s expected role. This reminds me of a situation when a well-known person was passing by a construction site where some masons were working. This person asked a mason what he was doing. The mason replied that he was laying one brick over the other. This person asked another mason the same question. This mason told him that he was building a wall. At a distance, he repeated the same question to another mason working at the same site. This mason had a different answer. He replied that he was building a temple for devotees to worship.
The perception of this mason is appreciable due to the fact that he knew his ultimate goal and the noble causes behind it. Similarly, the productivity of the security test engineers will reflect their attitude if they perform testing with the ultimate goal to prevent piracy. The main goal here is to break their own code ahead of time and deal with susceptible areas so that hackers do not get any opportunity to do so. Some other skills that are helpful in breaking the code:

• Understanding of the Integrated Development Environment and its utilities, debugging, disassembling, etc.
• Familiarity with encryption and decryption mechanisms
• Knowledge of hacking techniques
• In-depth knowledge of target Operating Systems
• Familiarity with various utilities for monitoring registry, files, environment variables, etc.
• Scripting knowledge such as Perl also helps a lot in automating and building one’s own smart utilities

Identify Security Vulnerability

To defend the product from possible attacks, its weaknesses must be well known to the developers and test engineers. They must determine which areas of the system are most prone to attacks and defects. To accomplish this, it becomes very important to understand the internal architecture and in-depth behavior of the system under test. To perform fool-proof security testing, it is essential for test engineers to step outside conventional functional testing. One should try identifying susceptible areas and behavior of the system from its internal design and logic. For instance, test engineers should try to understand the existing design holes of their system, if any, without confining their mindset to the black-box framework. They may also want to know which encryption algorithm is used to protect the software, and how robust this algorithm is. Some low severity performance issues that are usually overlooked may possibly lead to major cracks.

Prior knowledge of statistical techniques may help to rapidly analyze previous failures, hack cases, and unstable modules. For instance, a trend curve of the frequent bug-prone areas will be useful to identify the most susceptible areas, components, and their respective interfaces. The Trend Curve in Figure 1.2 depicts the number of defects found in various test cycles (i.e., Build 1.0, Build 1.1, Beta 1, RC1, etc. in each quarter) versus the components of a system. The test engineers may prioritize their test strategy such that the weak areas and interfaces are rigorously focused on while testing.

Figure 1.2: Trend Curve – Component Stability Versus Releases

Now, let’s look at some examples of the possible risk scenarios. If someone is testing a system in a standalone environment, there may be a possibility that the electronic license string can be cracked, the license continues to work even after tampering with the machine date, end users are able to view some function names by disassembling the executable, trial software continues to work after the trial period, and so on. If someone is testing a system in a network environment, there may be a possibility that the license server is unable to recover the network-based licensing after a breakdown. Slow performance of the server under a particular load condition may drastically slow down the exchange of data between the client and server. In such a situation, hackers can decrypt the desired information using the Sniffing technique. Also, there may be a hole in the response verification between the client and server; this can be exploited by hackers.
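The standalone date-tampering and trial-expiry scenarios above, written as an executable test matrix (an added example, not code from the original paper): a clock-only expiry check beside one that keeps a MAC-protected record of the latest time it has seen. The key, the dates, the tolerance and the in-memory `blob` that stands in for a state file or registry value are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json

DAY = 86400
TOLERANCE = 300   # seconds of backwards clock drift tolerated (assumed policy)


def weak_check(now, expiry):
    """Clock-only check: setting the date back makes an expired trial valid again."""
    return "valid" if now <= expiry else "expired"


class HardenedLicense:
    """Keeps the latest time ever observed, with an HMAC over the stored state."""

    def __init__(self, key, expiry):
        self.key, self.expiry = key, expiry
        self.blob = None          # stand-in for the state file or registry value

    def _mac(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def _save(self, state):
        body = json.dumps(state, sort_keys=True)
        self.blob = {"body": body, "mac": self._mac(body)}

    def _load(self):
        try:
            if not hmac.compare_digest(self.blob["mac"], self._mac(self.blob["body"])):
                return None
            return json.loads(self.blob["body"])
        except (KeyError, TypeError, ValueError):
            return None

    def check(self, now):
        if self.blob is None:                       # first run on this machine
            state = {"last_seen": now, "tampered": False}
        else:
            state = self._load()
            if state is None:
                return "tampered"                   # state edited or corrupted
        if now + TOLERANCE < state["last_seen"]:
            state["tampered"] = True                # clock moved backwards; flag is sticky
        state["last_seen"] = max(state["last_seen"], now)
        self._save(state)
        if state["tampered"]:
            return "tampered"
        return "valid" if state["last_seen"] <= self.expiry else "expired"


def run_scenarios():
    """Return {scenario: (weak result, hardened result)} for a 30-day trial."""
    start = 1_700_000_000                           # constructed install time
    expiry = start + 30 * DAY
    lic = HardenedLicense(b"constructed-demo-key", expiry)
    results = {}
    for label, now in [("day 1", start + DAY),
                       ("day 31", start + 31 * DAY),
                       ("clock set back to day 2", start + 2 * DAY),
                       ("clock restored to day 32", start + 32 * DAY)]:
        results[label] = (weak_check(now, expiry), lic.check(now))
    # Edit the stored flag without the key: the MAC no longer matches.
    lic.blob["body"] = lic.blob["body"].replace("true", "false")
    results["state edited"] = (weak_check(start + 2 * DAY, expiry),
                               lic.check(start + 2 * DAY))
    return results


if __name__ == "__main__":
    for scenario, (weak, hardened) in run_scenarios().items():
        print(f"{scenario:26} weak={weak:8} hardened={hardened}")
```

An HMAC detects edits to the state but not an older copy of it being put back, so the restore test described under “Adopt Smart Techniques to Crack” still has to be run against the real product.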


Do Smart Planning

Effective test planning is necessary to successfully face the challenges. One should establish an approach depending upon the nature of the system under test, its domain, and the type of security implemented. Figure out the possible scope of testing, i.e., whether to test licensing, integrity of the product’s security, authentication of credentials, etc. Hackers will not have access to the source code and design of the product. In order to think like a hacker, test engineers should similarly mold their mindset. However, Gray Box testing will give them an upper hand. So, they should try to understand the basic architecture, file system, registry settings, etc. Test planning should be prioritized to target weak areas. As discussed earlier, the aim of security testing is not just to validate if all the specified requirements are satisfied; rather, it should be planned so that testing is fool-proof from all perspectives and is capable of minimizing the risk of hacking.

The Robust Planning Model in Figure 1.3 depicts how one can achieve robust planning by preparing a test strategy that is capable of addressing maximum risk coverage and helps to prioritize the focus of testing based on an understanding of susceptible areas of the system under test. As per this model, the scope of test planning is beyond the black-box framework. Security testing may be viewed as Gray Box testing.

Figure 1.3: Robust Planning Model

A smart approach should be adopted to execute testing. Let us look at an example where one has to test an application on all the supported Operating Systems. In this case, it may be advisable to select the Split Testing technique on various Operating Systems rather than repeating all tests on each OS. One may repeat only the OS-dependent test cases on multiple Operating Systems. This technique may be helpful to achieve more in less time as redundant efforts are eliminated.
In order to segregate the OS-dependent test cases, it becomes important to understand how one OS is different from another. For instance, the advantage of Windows XP Pro over Windows XP Home is that it has support for multiple processors and an encrypted file system. Test engineers should have thorough knowledge of the target test environment.

Adopt techniques such as Incremental and Smoke Testing. Identify Smoke Test criteria to catch elementary failures during the initial phase of testing. Adopting Incremental Testing may be helpful to test the system at component level so that component-level defects are corrected even before integration happens. This shall reduce the price of non-conformance at an early stage. Sometimes, the components of a system have intermittent behavior and problems that are easy to isolate and correct only at the component level. However, they may hide after integrating various components together. Such random defects often give rise to critical failures at later stages. During system testing, there are several defects marked as ‘Not Reproducible’ by developers and so they often remain neglected. Incremental Testing shall help to minimize such eccentricity. Incremental Testing also provides the ability to understand the modular behavior of the system and the integrity of individual components, and to detect memory related issues and weak areas.

It is a general perception that component level testing should ideally be done by developers and not test engineers. As a matter of fact, developers are software makers and not breakers. They do not possess a breaking mind-set and holistic view, which are essential to identifying and rectifying the root causes of critical defects. After integration, it sometimes becomes difficult to eliminate the root cause. During unit testing, developers typically try to prove that their components are meeting all the desired expectations. Test engineers, on the other hand, can very well prevent such defects from occurring well in time and build confidence amongst developers.

Adopting Incremental testing is not a standard practice in some life cycle models. For improved productivity of the complete development cycle, test managers may work towards molding the development process so that it is able to accommodate Incremental testing. Partially or completely automating functional, regression, and smoke tests may also help to save time over manual testing. The methodologies explained above will optimize testing efforts to a great extent.

Adopt Smart Techniques to Crack

In order to ensure that security testing is strong enough to defend against hacking attacks, test engineers should try breaking their own code while testing. This can be achieved by developing test cases based on the most popular hacking techniques. Security test engineers should understand various hacking techniques, and should also keep pace with the latest techniques used by hackers. Besides knowing these techniques, it is equally important to understand how, when, and where to apply them. Explained below are some hacking techniques and their usage in testing:

• Ensure that executables and libraries of the product do not contain debug information that can be accessed by the end user. This can be tested by using Microsoft’s DUMPBIN utility that comes with Visual C++. This utility allows extracting information from exe and dll files, and also the PE format.

• While testing an electronic license, ensure that it always successfully detects time tampering and does not work beyond its expiry. Usually, a test engineer will simply try to roll back the system date/time after changing it beyond expiry, in order to verify if the license continues to work after tampering with the system date. However, a security test engineer will rather adopt the Diffing technique to validate this behavior. Using this technique, one can observe variations on the target machine before and after tampering. With known variations such as changes in binaries, libraries, files, etc., one can try to roll back the original settings to verify if tampering is still detected.

• We can also use the Filemon and Regmon utilities to test if time tampering is properly detected. These utilities allow one to monitor the file system and registry settings of the target machine. One can compare the differences in file system and registry settings before and after tampering. Similarly, we can also try to break demo licenses and assess their robustness while testing.

• For client-server architecture based applications, one can try adopting the Sniffing technique. This technique allows one to attack client-server communication. It becomes possible to monitor the exchange of information (i.e., passwords, usernames, etc.) between the client and server. Brute Force is a method that allows decrypting the client-server communication and fetching the desired data. Similarly, we may also try decrypting license strings for network-based licenses.

• Obfuscation is a method to fake internal function names and variable names, so that they are not visible to the end user while disassembling in the debugger. The disassembler tries to interpret source from the object code (binary). We can validate proper obfuscation using the IDAPro utility from DataRescue. Using this utility, we can ensure that disassembly does not show up any internal function names, i.e., none of them are readable from the executable. Similarly for the .NET Framework, we can use the Reflector for .NET decompiler and ILDASM (comes with MSIL Disassembler in the .NET Framework SDK). Using these tools, we should not be able to do reverse engineering, i.e., translate the source code from assemblies.

• Memory leaks are caused by memory blocks that are allocated but never used. This can cause poor performance and lack of available memory. These issues are very prone to hacking attacks. We must identify memory leaks in the system by running memory leak detection tools such as Bounds Checker or Rational Purify. This will also help to detect memory access problems and runtime errors, besides memory leaks. Doing this exercise during system testing may not be very useful. So, we can prevent it from occurring by doing component level incremental testing. One should be able to perform incremental testing on either a release or debug build. Try detecting memory leaks while executing functional test scenarios.

• A lot of security breaches have occurred due to buffer overflow. A buffer is a memory block used to temporarily store data. Buffer overflow occurs when too much code or data is stored in a buffer. Excess data or code overflows into the adjacent buffers. Hackers exploit buffer overflows by remotely injecting malicious code into the susceptible segments of the product. At this point, the program starts behaving unexpectedly. This can be avoided by writing secure code. Test engineers must influence developers to do so. If they know the memory vulnerabilities of their system, they should try writing test cases that involve passing malicious code in order to detect such situations. To prevent and detect buffer overflows, we can possibly use SecureStack from SecureWave on Windows.
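One way to automate the debug-information and obfuscation checks from the list above as a release gate that complements DUMPBIN and a disassembler (an added example, not code from the original paper). It goes slightly beyond the text by also reporting a COFF symbol table and an embedded PDB path; the header-only sample images, the PDB path and the identifiers `ValidateLicenseKey` and `CheckTrialExpiry` are constructed for the demonstration.

```python
import struct

DEBUG_DIR_INDEX = 6            # IMAGE_DIRECTORY_ENTRY_DEBUG in the PE data directory
PE32, PE32_PLUS = 0x10B, 0x20B


def audit_pe(data, internal_names=()):
    """Return findings that a release gate should fail on, for one PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    findings = []

    # COFF file header (20 bytes) follows the 4-byte signature.
    _, _, _, symtab_ptr, nsyms, _, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    if symtab_ptr and nsyms:
        findings.append(f"COFF symbol table present ({nsyms} symbols)")

    # Optional header: the data directory array follows NumberOfRvaAndSizes.
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    count_off = opt_off + (92 if magic == PE32 else 108)
    (ndirs,) = struct.unpack_from("<I", data, count_off)
    if ndirs > DEBUG_DIR_INDEX:
        rva, size = struct.unpack_from("<II", data, count_off + 4 + 8 * DEBUG_DIR_INDEX)
        if size:
            findings.append(f"debug directory present (rva={rva:#x}, size={size})")

    # CodeView records: "RSDS", 16-byte GUID, 4-byte age, NUL-terminated PDB path.
    # This is a raw byte scan (heuristic); it does not map RVAs to file offsets.
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 24
        end = data.find(b"\0", start)
        path = data[start:end if end != -1 else len(data)]
        if path.lower().endswith(b".pdb"):
            findings.append("PDB path embedded: " + path.decode("latin-1"))
        pos = data.find(b"RSDS", pos + 4)

    # Names that obfuscation should have removed, as ASCII or UTF-16LE strings.
    for name in internal_names:
        if name.encode() in data or name.encode("utf-16-le") in data:
            findings.append(f"internal identifier readable: {name}")
    return findings


def build_sample_pe(with_debug, trailer=b""):
    """Constructed, header-only PE32 image for the demo (not a runnable program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    if with_debug:
        struct.pack_into("<II", opt, 96 + 8 * DEBUG_DIR_INDEX, 0x2000, 28)
    return dos + b"PE\0\0" + coff + bytes(opt) + trailer


INTERNAL_NAMES = ["ValidateLicenseKey", "CheckTrialExpiry"]   # hypothetical names
SAMPLE_DEBUG = build_sample_pe(
    True,
    b"RSDS" + bytes(16) + struct.pack("<I", 1)
    + b"C:\\build\\licmgr\\Debug\\licmgr.pdb\0" + b"ValidateLicenseKey\0")
SAMPLE_RELEASE = build_sample_pe(False, b"a\0b\0c\0")

if __name__ == "__main__":
    for label, image in (("debug build", SAMPLE_DEBUG), ("release build", SAMPLE_RELEASE)):
        found = audit_pe(image, INTERNAL_NAMES)
        print(label, "->", found if found else "clean")
```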

Ensure Better Usability

So far, we have looked at various ways to implement and test software security. While ensuring robust security, one should keep in mind that it does not restrict flexibility and ease-of-use. The usability of a product is vital for better market penetration. Security test engineers should perform usability testing to validate that:

• implementation of security is not so complicated as to irritate end users
• security does not restrict features, functionality, and business logic of the application
• perfect balance between security implementation and ease-of-use persists

Prevent Piracy

“Prevention is always better than cure.” Security testing should not only focus on breaking the code, but it should also prevent the possibility of piracy. In order to prevent security breaches from occurring, one needs to actively think of security throughout the development process as depicted in the Prevention Wheel Model. Security test engineers must influence developers to adopt secure coding practices. They may also achieve it by making the development process security aware, so that the process is capable of taking care of security holes. We can prevent security breaches from occurring by:

• Using robust security solutions provided by world-class information security solution providers
• Making security an explicit requirement during the requirements phase
• Conducting security reviews to verify secure design and logic before implementation
• Testing design for security holes during the design phase for security implementation
• Having checklists for secure coding practices
• Creating a security task force to conduct reviews, audits, and inspections
• Continuously enhancing processes in order to take care of security

Figure 1.4: Prevention Wheel Model

Conclusion

Security testing plays an important role in preventing piracy from occurring. Security testing is done differently from other types of testing. However, not many organizations realize that this needs specialized skills. So, software development businesses around the world would be well advised to pay time and attention to building competency in security testing. Security consciousness is something which should be adopted at the business level.

References

Some Useful Tools and Techniques:

• Rational Purify and Bounds Checker can help you detect memory related issues
• The Brute Force Attack method can help you to extract the encrypted authentication credentials
• The Microsoft’s DUMPBIN utility comes with Visual C++
• Filemon and Regmon can be downloaded from www.sysinternals.com
• IDAPro can be downloaded from www.datarescue.com
• Download the Reflector for .NET decompiler from www.aisto.com/roeder/dotnet/

Useful Reading

• Hack Proofing Your Network by Ryan Russell
• How to Break Software Security by James A. Whittaker
• Writing Secure Code by Michael Howard, David LeBlanc
