
Developing Tests and Rules for Application Security

As technology continues to evolve and more and more consumers interact with businesses online via apps, the biggest question is: how can businesses keep their employee and customer information safe?

Application testing is a major part of the answer.

What is application testing?

There are many elements that come under the umbrella of application testing, but in general, it is the testing of software to make sure it accurately meets all the design specifications. It also confirms that the software gives the expected output for a given input. So, for example, when you put two plus three in your calculator app, you would expect the outcome to be five. If it is anything other than that, there is something wrong with the app.

Where does security come in?

Application security testing is a branch of application testing that looks at security-related concerns. As mentioned above, this means you first have to have some definitions prepared to know what to test for. Some questions you may ask yourself when testing for safety include:

  • Can we use the application in a way it wasn’t meant to be used?
  • Can we do things we aren’t authorized to do? An example of this would be, can we use User A’s account to change information in User B’s?
  • Does the application do anything unexpected?

Why organizations should care

If seeing the news stories every day about large-scale data breaches isn’t enough to make an enterprise care more about security, consider that not following best practices may be illegal. In addition, the number of cyber-related crimes is going up and is only expected to increase in the future. At this point, not securing your company and data is equivalent to not locking your front door on the way out.

Developing tests and rules

So what methods do we use to keep our customers’ applications safe? Together, the employees at WhiteHat Security’s Threat Research Center (TRC) and our AI/machine learning software help organizations to develop tests and rules to keep apps safe. Below are the steps we take when examining an app.

Conducting research

Any hacker, whether good or bad, needs to be constantly aware of the newest changes in the app ecosystem. Every minute, code everywhere is being updated and deployed. With this, new vulnerabilities and exploits are being found on both sides. To stay on top of the newest threats to cybersecurity, daily research is required.

Developing proof-of-concepts (POCs)

Once a vulnerability or exploit is discovered, you need something reproducible that definitely makes use of the exploit. If only one avenue of the vulnerability is explored, it is almost impossible to protect against it completely. Oftentimes, vulnerabilities will have many implementations and will require many POCs.

Looking for patterns 

After developing POCs, look for a pattern in the response that is different from the “good” response. By identifying a difference that definitely separates responses that are “safe” from those that are vulnerable, WhiteHat can create a test to automate that check. Unfortunately, not all tests are so simple, and false positives do happen. This is why it is so important that our human vulnerability verification team goes over the data and double-checks it.

Testing it

Using all of the research and information we learned from the above steps, the next task is to create a test to use across a variety of applications. When testing, it is imperative to use both secure and insecure apps.

Repeating

Even after completing all of the above steps, there are still several questions to ask. Did we catch all of the vulnerabilities or did some get through? Were there any false positives? If so, we would go back to the testing stage and adjust our initial test or make another one to catch the extras.
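The pattern, test and repeat steps above can be sketched as a small evaluation harness. This is an added example, not WhiteHat's code: the canary marker, the three rule versions and the labelled sample responses are all constructed assumptions, standing in for responses collected from secure and insecure apps.

```python
# Added example: score candidate detection rules against labelled responses.
# Marker, rules and sample responses are constructed for illustration.
from dataclasses import dataclass

MARKER = "<probe-7f3a>"          # benign canary sent as input (assumed)
ENCODED = "&lt;probe-7f3a&gt;"   # how a safe app reflects it back

@dataclass
class Sample:
    name: str
    content_type: str
    body: str
    vulnerable: bool  # ground truth from manual verification

CORPUS = [
    Sample("insecure-search", "text/html", f"<p>Results for {MARKER}</p>", True),
    Sample("insecure-profile", "text/html", f"<input value='x'>{MARKER}", True),
    Sample("secure-search", "text/html", f"<p>Results for {ENCODED}</p>", False),
    Sample("secure-api", "application/json", '{"q": "<probe-7f3a>"}', False),
    Sample("secure-static", "text/html", "<p>No results</p>", False),
]

def rule_v1(s):  # first attempt: marker text appears anywhere
    return "probe-7f3a" in s.body

def rule_v2(s):  # adjusted: marker must come back unencoded
    return MARKER in s.body

def rule_v3(s):  # adjusted again: unencoded and served as HTML
    return MARKER in s.body and s.content_type.startswith("text/html")

def evaluate(rule, corpus=CORPUS):
    """Return (missed, false_positives) as lists of sample names."""
    missed = [s.name for s in corpus if s.vulnerable and not rule(s)]
    false_pos = [s.name for s in corpus if not s.vulnerable and rule(s)]
    return missed, false_pos

if __name__ == "__main__":
    for rule in (rule_v1, rule_v2, rule_v3):
        missed, fps = evaluate(rule)
        print(f"{rule.__name__}: missed={missed} false_positives={fps}")
```

Each rule revision is one pass through the "repeating" step: the corpus stays fixed, the rule changes, and the counts of misses and false positives show whether the adjustment helped.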

Consistently performing reviews

At WhiteHat, we regularly go back and review old tests as well. We ask ourselves a few questions: Has anything changed in the landscape that would prompt us to update our tests? Are any old tests now obsolete due to changing technology? Do any of the tests have high false-positive rates? Our test catalogue needs to be constantly maintained in order to keep presenting high-quality results.

 

Interested in learning more?

Visit https://www.whitehatsec.com/products/static-application-security-testing/ and https://www.whitehatsec.com/products/dynamic-application-security-testing/.
