Basics of Security Testing with SDLC Integration

Attackers break into computer systems to steal, alter or destroy information, sometimes as a form of cyber-terrorism. They are skilled enough to take advantage of hidden vulnerabilities in a web application, which is why security testing is required.

What is Security Testing?

Security testing is a process performed to find and expose flaws in the security mechanisms of a web or software application, and, as part of regression testing, to confirm that the application keeps meeting its security requirements so that it stays protected against loopholes, data breaches and unexpected actions that could be used to exploit it. The key objective of security testing is to check the system for vulnerabilities and to verify that data and resources are protected from potential intruders.

SECURITY TESTING SHOULD COVER THE FOLLOWING KEY ATTRIBUTES:

Authentication: Establishes the identity of the user. Authentication is the process of validating who a person is before they access the system; access is granted only if the verification passes. Examples: security questions, OTP, biometrics, token-based RSA SecurID.

Authorization: A user should receive a service or perform an action only if they have permission for it. Authorization comes after authentication and limits the user according to the permission set. It is usually implemented with access control lists, user roles or user groups that define the permissions and restrictions.

Confidentiality: Information should be accessible only to those with authorized access. The test verifies that information and resources are protected from unauthorized users; secrecy must be maintained at all stages of processing, storage and display.

Availability: Information and communication services should be ready at any time, as needed. The test verifies that the system is available to valid users whenever required, except during announced downtime for security patches or maintenance. For availability, a backup site typically runs in parallel with the main site for failover; if the primary site goes down, all requests are redirected to the backup site.

Integrity: A measure intended to allow the receiver to determine that the information it receives is correct. Integrity checks ensure that information has not been tampered with or altered in transit, and that what is shown to the end user is valid for that user's groups, privileges and restrictions.

Non-repudiation: Validates that both sender and receiver are genuine and that neither can later deny their part in an exchange. This involves monitoring and tracking who accessed the system and which requests were allowed or denied, with details such as timestamp, source IP address and the origin of the request. In other words, there is an acknowledgement for every request sent and every service or piece of information received, e.g. a digital signature backed by a digital certificate.

Resilience: Validates that the system is resistant enough to withstand threats. It can be strengthened using encryption, one-time passwords (OTP), two-factor authentication or RSA key tokens.

Why Security Testing? Weak security:
• Leads to loss of customer trust
• Disrupts online business, which impacts revenue generation
• Causes unplanned website downtime, lost time and expenditure on recovering from damage (reinstalling services, restoring backups, etc.)
• Forces unplanned CAPEX for securing web applications
• Exposes the organization to legal penalties or charges for having loose security standards

TYPES OF SECURITY TESTING:

There are various types of security testing; the seven commonly listed (the list is usually attributed to the Open Source Security Testing Methodology Manual) are:

Vulnerability Scanning: An inspection for potential points of exploitation in an application, system or network. It is performed with automated software that examines the system against known vulnerability signatures.

Security Scanning: Identifies weaknesses in networks and systems, and then provides remediation techniques or solutions to reduce the risk and the affected area. Performed as both manual and automated scanning.

Penetration Testing: Simulates an authorized attack to evaluate the security of the infrastructure by safely attempting to exploit vulnerabilities in misconfigurations, services, operating systems and application flaws. It involves gathering information about the target system, identifying entry points, breaking in, and reporting the security weaknesses found.

Risk Assessment: Assesses the potential hazards observed in an organization or project activity. Risks are rated Low, Medium or High; the level is defined by the probability of the vulnerability being exploited and the type of data that could be lost. The assessment recommends benchmarks and controls to reduce the risk.

Security Auditing: A regular technical inspection of infrastructure and applications to measure how well they are defended against security flaws. An audit includes scans, physical access review, OS access control lists, line-by-line inspection of the code, etc.

Ethical Hacking: Performed by a company or an individual to help identify potential threats to a network or system. The tester attempts to bypass security controls and discover vulnerabilities, with the aim of exposing security flaws before malicious hackers can exploit them.

Posture Assessment: Combines ethical hacking, security scanning and risk assessment to present the overall security posture of an organization. It helps companies improve their security posture by consolidating the results of the included assessments: a high-level view of risks, vulnerabilities, weaknesses and information leaks, together with the best practices and compliance requirements needed to handle them.

Integration of security processes with the SDLC

SDLC Phase: Security Processes
Requirements: Security analysis of abuse/misuse cases; requirements gathering to identify compliance and regulatory risks, with alternatives provided.
Design: High-level risk assessment of the functional specification; documenting the functional assumptions and the security-relevant areas of the application; developing a test plan that includes security tests; security functional requirements and secure design considerations.
Coding and Unit Testing: Developing security controls and secure code, covering session management, authentication and error handling; static and dynamic analysis tools; security white-box testing.
Integration Testing: Black-box testing, security and regression testing, secure coding review, automated tests, threat analysis.
System Testing: Black-box testing and vulnerability scanning.
Implementation: Penetration testing, vulnerability scanning, secure migration from development to production.
Support: Impact analysis of patches.
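The "Coding and Unit Testing" row above asks for security controls and security tests to be written alongside the code. The following is an added example, not code from the article, of what such a test looks like in Python: a tiny in-memory service implementing authentication, ACL-based authorization and an audit trail (the authentication, authorization and non-repudiation attributes described earlier), together with the regression checks a build pipeline would run against it on every commit. The users, roles, actions and IP addresses are constructed for the example.

```python
"""Added example (not from the original article): a minimal service whose
security controls are exercised by unit-level security tests. All users,
roles, actions and addresses below are constructed for illustration."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

_SALT = b"demo-salt"  # constructed; real code uses a random per-user salt


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user store: username -> (password hash, role)
USERS = {
    "alice": (_hash("alice-pass"), "admin"),
    "bob": (_hash("bob-pass"), "user"),
}
# Access control list: action -> roles permitted to perform it
ACL = {"read_report": {"admin", "user"}, "delete_report": {"admin"}}


class AuthError(Exception):
    """Authentication failed or there is no valid session."""


class Forbidden(Exception):
    """Authenticated, but not authorized for the requested action."""


class Service:
    def __init__(self):
        self.sessions = {}   # session token -> username
        self.audit = []      # non-repudiation / monitoring trail

    def _log(self, user, action, allowed, src):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "user": user, "action": action,
                           "allowed": allowed, "src": src})

    def login(self, user, password, src="203.0.113.10"):
        rec = USERS.get(user)
        candidate = _hash(password)   # always computed: same cost either way
        # Constant-time compare; one error message for unknown user and bad
        # password so the response does not reveal which accounts exist.
        ok = rec is not None and hmac.compare_digest(rec[0], candidate)
        self._log(user, "login", ok, src)
        if not ok:
            raise AuthError("invalid credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def act(self, token, action, src="203.0.113.10"):
        user = self.sessions.get(token)
        if user is None:
            self._log(None, action, False, src)
            raise AuthError("not authenticated")
        allowed = USERS[user][1] in ACL.get(action, set())
        self._log(user, action, allowed, src)
        if not allowed:
            raise Forbidden("not authorized")
        return f"{action} by {user}"


def run_security_tests():
    """Security regression tests; every value in the result should be True."""
    svc = Service()
    results = {}
    # Authentication: bad password and unknown user are both rejected
    for user, pw in (("alice", "wrong"), ("nobody", "x")):
        try:
            svc.login(user, pw)
            results[f"reject_{user}"] = False
        except AuthError:
            results[f"reject_{user}"] = True
    # Authorization: a plain user may read but not delete
    bob = svc.login("bob", "bob-pass")
    results["bob_can_read"] = svc.act(bob, "read_report") == "read_report by bob"
    try:
        svc.act(bob, "delete_report")
        results["bob_cannot_delete"] = False
    except Forbidden:
        results["bob_cannot_delete"] = True
    # Session management: a forged token is not a session
    try:
        svc.act("forged", "read_report")
        results["forged_token_rejected"] = False
    except AuthError:
        results["forged_token_rejected"] = True
    # Non-repudiation: every decision, allowed or denied, was recorded
    results["audit_complete"] = (len(svc.audit) == 6
                                 and sum(e["allowed"] for e in svc.audit) == 2)
    return results


if __name__ == "__main__":
    for name, passed in run_security_tests().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

Each key in the returned dictionary is one control under test; a False value is a build-breaking regression, which is exactly how these checks should be wired into the pipeline.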
Address key web vulnerabilities during app testing

As a Quality Analyst, bugs and quality are always a concern for the entire project team, because they have a notable impact on the organization's business and on the client's feedback. To deliver excellent quality, the team must understand the core business context together with the client's requirements, and it must keep its code quality high so that the code is less bug-prone. There are various kinds of bugs, such as functional, syntactic, communication, missing-command, error-handling, calculation and control-flow bugs. Apart from these there are non-functional bugs such as performance issues, security concerns and web application vulnerabilities.

An application vulnerability is a weakness or system flaw that compromises the security of the application. Such flaws are used to exploit the application and work out how to gain access to it; an attacker can exploit a web vulnerability to facilitate a cyber crime. There are several types of web application vulnerabilities, and they are not limited to XSS or SQL injection. To build a secure web application, you must be aware of the following.

Buffer Overflow: A buffer overflow, or "buffer overrun", occurs when more data is placed into a fixed-length buffer than the buffer can hold. Adjacent memory is overwritten and corrupted. The usual result is a crash, but it also gives an attacker the opportunity to run arbitrary code.

CRLF Injection: Used in HTTP response splitting. The HTTP specification separates the headers of a message from its body with a blank line, and each header line is terminated by a carriage return and line feed (CRLF, written \r\n). By injecting a \r\n sequence into a value that the application copies into an HTTP header, an attacker can split one response into two: one carries the malicious payload while the other holds the legitimate content.
This leads to proxy or web server cache poisoning, XSS, client browser cache poisoning, website defacement and hijacking of client sessions.

Cross-Site Request Forgery (CSRF): CSRF is an attack in which a malicious site causes the victim's browser to send a request to a web application in which the user is already authenticated. In this way an attacker can invoke functionality of the target application through the victim's already-authenticated browser. Typical targets include web applications such as in-browser email clients, social media, online banking and the web interfaces of network devices.

Cross-Site Scripting (XSS): An XSS vulnerability occurs when a web application takes input from users and includes it dynamically in web pages without properly validating or encoding the data. XSS lets an attacker execute arbitrary script and display arbitrary content in a victim's browser. The injected script is embedded in a page and executed on the client side (in the user's browser) rather than on the server. XSS exploits the trust browsers place in client-side content such as HTML and JavaScript. The victim is the application's user rather than the application itself: malicious content is delivered to users, usually as JavaScript, and runs inside the victim's session, bypassing the security restrictions that session is supposed to enforce.

Directory Traversal: Also known as path traversal, this is an HTTP exploit attackers use to gain unauthorized access to restricted directories and files. Directory traversal attacks target web server software (or the application's own file handling) to exploit weak path checks and read directories and files stored outside the web root folder. Web servers rely on two mechanisms to restrict what a request can reach: the root directory, and Access Control Lists (ACLs).
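The following is an added Python example, not from the article, that puts the CRLF injection, CSRF and XSS descriptions above into code: each is shown as a vulnerable routine next to its hardened form, and demo() exercises both with constructed payloads. The redirect endpoint, the session layout and the attack strings are assumptions made for the example.

```python
"""Added example (not from the original article): CRLF injection / response
splitting, CSRF and XSS, each as a vulnerable routine beside its hardened
form. Endpoint, session layout and payloads are constructed for illustration."""
import hmac
import html
import re
import secrets


# ---- CRLF injection: a redirect that copies ?next= into the Location header
def redirect_unsafe(target):
    # Vulnerable: user input is written straight into a header line.
    return (b"HTTP/1.1 302 Found\r\nLocation: " + target.encode("latin-1")
            + b"\r\nContent-Length: 0\r\n\r\n")


def redirect_safe(target):
    # Hardened: CR, LF and other control characters can never be part of a
    # header value, so reject them (do not merely strip them).
    if re.search(r"[\x00-\x1f\x7f]", target):
        raise ValueError("control character in header value")
    return redirect_unsafe(target)


def count_responses(raw):
    # Every status line a proxy or browser sees begins a new response.
    return raw.count(b"HTTP/1.1 ")


# Constructed payload: the URL-decoded form of
# ?next=/home%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK...
SPLIT_PAYLOAD = ("/home\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Content-Length: 25\r\n\r\n<script>alert(1)</script>")


# ---- CSRF: synchronizer token kept in the session and echoed by the form
def new_session():
    return {"id": secrets.token_hex(16), "csrf": secrets.token_urlsafe(32)}


def csrf_valid(session, submitted):
    # A form on another site cannot read the token, so it cannot supply it.
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(session["csrf"].encode(), submitted.encode())


# ---- XSS: reflecting user input into HTML
def greet_unsafe(name):
    return f"<p>Hello, {name}</p>"          # a script in `name` will execute


def greet_safe(name):
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"   # inert text


def demo():
    out = {}
    # The attacker's single request yields two responses; the second, fully
    # attacker-controlled one is what a cache may store for the next victim.
    out["split_responses"] = count_responses(redirect_unsafe(SPLIT_PAYLOAD))
    try:
        redirect_safe(SPLIT_PAYLOAD)
        out["split_blocked"] = False
    except ValueError:
        out["split_blocked"] = True
    out["normal_redirect"] = count_responses(redirect_safe("/home"))
    s = new_session()
    out["csrf_ok"] = csrf_valid(s, s["csrf"])
    out["csrf_forged"] = csrf_valid(s, "A" * 43)
    out["csrf_missing"] = csrf_valid(s, None)
    xss = "<script>alert(1)</script>"
    out["xss_unsafe_executes"] = "<script>" in greet_unsafe(xss)
    out["xss_safe_executes"] = "<script>" in greet_safe(xss)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The CRLF check rejects the whole request rather than stripping the offending bytes, because silent stripping tends to leave a second encoding path (double URL encoding, Unicode line separators) that the filter does not see.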
Insufficient Transport Layer Protection: A weakness that arises when an application does not follow any standard for protecting its network traffic. Applications may use SSL/TLS during authentication but fail to apply it elsewhere in the application, leaving data and session IDs exposed. Exposed data and session IDs can be intercepted, which makes the application vulnerable to exploitation.

LDAP Injection: Lightweight Directory Access Protocol (LDAP) is a widely used open standard protocol for querying and manipulating directory information; it runs over Internet transport protocols such as TCP. Web applications use user-supplied input to build LDAP statements for dynamic requests. LDAP injection is the technique of exploiting web applications that put client-supplied data into LDAP statements without first escaping or stripping the characters that have special meaning in an LDAP filter.

SQL Injection: SQL injection is a web application vulnerability in which an attacker can submit a database SQL command that the web application executes, exposing the back-end database. Injected SQL can alter the intended statement and compromise the security of the application. SQL injection weaknesses occur when an application uses untrusted data, such as values entered into web form fields, as part of a database query. When the application fails to handle this untrusted data properly (for example by using parameterised queries) before adding it to a SQL statement, an attacker can include their own SQL commands, which the database will execute.
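The following is an added Python example, not from the article, covering the directory traversal, LDAP injection and SQL injection cases described above: for each, the vulnerable routine sits beside its hardened form. The web root, the LDAP filter shape, the users table and the payloads are constructed for the example, and an in-memory SQLite database stands in for the real back end.

```python
"""Added example (not from the original article): directory traversal, LDAP
injection and SQL injection, vulnerable routine beside hardened routine.
Web root, directory filter, users table and payloads are constructed."""
import sqlite3
import tempfile
from pathlib import Path


# ---- Directory traversal: confine every requested path to the web root
def serve_file_unsafe(webroot, requested):
    # Vulnerable: "../" in `requested` walks out of the web root.
    return Path(webroot, requested).read_bytes()


def serve_file_safe(webroot, requested):
    # Hardened: resolve both paths (following symlinks) and require the
    # target to stay inside the root. Assumes `requested` is URL-decoded.
    root = Path(webroot).resolve()
    target = (root / requested.lstrip("/")).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes web root: {requested}")
    return target.read_bytes()


# ---- LDAP injection: escape filter metacharacters (RFC 4515 style)
def ldap_escape(value):
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def uid_filter_unsafe(user):
    return f"(&(uid={user})(objectClass=person))"


def uid_filter_safe(user):
    return f"(&(uid={ldap_escape(user)})(objectClass=person))"


# ---- SQL injection: string-built query vs parameterised query
def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return con


def login_unsafe(con, user, pw):
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    return [row[0] for row in con.execute(sql)]


def login_safe(con, user, pw):
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (user, pw))]


def demo():
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "www")
        root.mkdir()
        (root / "index.html").write_bytes(b"<h1>home</h1>")
        Path(tmp, "secret.txt").write_bytes(b"db password")   # outside root
        out["traversal_unsafe"] = serve_file_unsafe(str(root), "../secret.txt")
        out["normal_file"] = serve_file_safe(str(root), "/index.html")
        try:
            serve_file_safe(str(root), "../secret.txt")
            out["traversal_blocked"] = False
        except PermissionError:
            out["traversal_blocked"] = True
    ldap_payload = "*)(uid=*"   # turns the filter into "match any uid"
    out["ldap_unsafe"] = uid_filter_unsafe(ldap_payload)
    out["ldap_safe"] = uid_filter_safe(ldap_payload)
    con = setup_db()
    sqli = "' OR 1=1 --"        # the comment removes the password check
    out["sqli_unsafe"] = sorted(login_unsafe(con, sqli, "x"))
    out["sqli_safe"] = login_safe(con, sqli, "x")
    out["sqli_valid"] = login_safe(con, "alice", "s3cret")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

In all three cases the fix is the same idea: the untrusted value is either passed to the back end through a channel that cannot be confused with syntax (a bound parameter), or escaped for the specific grammar it is inserted into (the LDAP filter), or checked against the boundary it must not cross after canonicalisation (the resolved web root).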
How to publish your application on Google Play Store – Part 1

With the rising use of mobile apps, thousands of applications are developed every day. For developers, the next step after design, implementation, testing and debugging is to upload the app quickly to the App Store, BlackBerry World or Google Play Store. I will share the steps that help you publish your application on Google Play Store easily and quickly. Before that, we need to generate a signed, zipaligned APK to publish. Here are the steps.

Publish with generating a key (zipaligned): Android developers who have created, designed, developed and tested their application using the Eclipse IDE can create a zipaligned APK to put on Google Play:
1. Select the app project and right-click on it.
2. Select Android Tools -> Export Signed Application Package.
3. Enter the project name.
4. Create a new keystore.
5. Give the password and confirm it. Click Next.
6. Fill in the key creation form and click Next.
7. Select the destination APK file and browse to the location.
8. After selecting the location, click the Finish button.

Keep the keystore and its passwords backed up and out of source control: every future update of the app must be signed with the same key.

Publish the app with the generated key to zipalign it:
1. Right-click on the selected project.
2. Choose Android Tools -> Export Signed Application Package.
3. Select the project name. Click Next.
4. Use the existing location of the generated keystore and enter the password. Click Next.
5. Select the alias name of the project and enter the password. Click Next.
6. Select the location for saving the generated .apk.
7. Click Finish.

The APK is now ready to be published on Google Play. See Part 2 of the blog to learn how to publish the APK on Google Play.
How to enable HTTPS access for WCF RESTful Service

In one of my projects, I have developed a WCF service and hosted it on Azure. I was required to make the service RESTful and call it from inside a SharePoint Online app, for which I added the required service configuration in the web.config file. For creating the RESTful service, we need to use WebHttpBinding for the service endpoint and define the endpoint behavior. Here is the configuration I added:

    <services>
      <service name="MyRestService.Service1" behaviorConfiguration="ServiceBehavior">
        <endpoint address="" binding="webHttpBinding" contract="MyRestService.IService1" behaviorConfiguration="web"></endpoint>
      </service>
    </services>
    <endpointBehaviors>
      <behavior name="web">
        <webHttp/>
      </behavior>
    </endpointBehaviors>

Adding this allows accessing my service using RESTful API calls over HTTP. But when I tried calling my service from inside the SharePoint Online app, it showed the error below:

"The app... was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint.... The request has been blocked; the content must be served over HTTPS."

And then I knew that the service should be secured to be accessible over HTTPS. To secure a custom domain name with HTTPS, a custom SSL certificate has to be bound to the custom domain in Azure. On the service side, the switch to HTTPS is done through simple configuration changes in the web.config file.
To make the RESTful service accessible over HTTPS, I added the following configuration. First, add a webHttpBinding configuration with the security mode set to 'Transport', and reference it from the endpoint through bindingConfiguration:

    <services>
      <service name="MyRestService.Service1" behaviorConfiguration="ServiceBehavior">
        <endpoint address="" binding="webHttpBinding" contract="MyRestService.IService1" bindingConfiguration="webBinding" behaviorConfiguration="web"></endpoint>
      </service>
    </services>
    <bindings>
      <webHttpBinding>
        <binding name="webBinding">
          <security mode="Transport">
          </security>
        </binding>
      </webHttpBinding>
    </bindings>

Then, in the service behavior, enable metadata over HTTPS by setting httpsGetEnabled to 'true':

    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="web">
          <webHttp/>
        </behavior>
      </endpointBehaviors>
    </behaviors>

After adding these configuration settings, I was able to call my service from inside the SharePoint Online app over HTTPS.

Note that httpGetEnabled and httpsGetEnabled only control whether the service metadata (the WSDL and help page) is published over HTTP and HTTPS; with the binding's security mode set to Transport, the service endpoint itself is reachable only over HTTPS. If you also want to stop publishing the metadata over plain HTTP, set httpGetEnabled to 'false' in the ServiceBehavior settings.
Ensure effective agile development with devops

To keep pace with the speed, quality and reliability demanded of applications across the complete development life cycle, organizations face various challenges: changing user requirements, testing delays, lack of business ownership, poor requirements gathering, lack of resources, changed business priorities, and many more. DevOps is a set of practices that improves communication and collaboration between development and operations teams. Organizations are rapidly moving towards DevOps to satisfy growing market needs and become more agile. It helps organizations achieve several business and technical objectives, which are shown in the presentation below:
Single Sign-On (SSO) implementation in ASP.NET MVC

To start with any secured web application, the developer needs to implement authentication. If a user needs to enter multiple secured web applications on the same domain built on the .NET Framework, he has to log in to each of those applications separately. Logging in repeatedly can be avoided with Single Sign-On (SSO) functionality.

SSO allows a user to log in once and access multiple web applications with the same credentials. For example, once a user enters a user name and password on Gmail, he can access Google's other web applications, such as Google Plus, YouTube and the Play Store, with the same credentials without logging in again.

How SSO works: When a user requests a page in an application that requires authentication, the application looks for the forms authentication cookie in the HTTP request; if it does not find the cookie, it redirects the user to the login page. When the user enters valid credentials and clicks the "Login" button, the application validates the credentials against its data store, sets the identity on Thread.CurrentPrincipal (Identity.Name) in the .NET Framework, writes the forms authentication cookie to the response and redirects to the originally requested page. When the user navigates to another page of the application, the browser sends the authentication cookie it received in the earlier response. On the server, the forms authentication module decrypts and validates the cookie (checking its signature and expiry); if the cookie is valid, it reads the user name from the ticket and sets it on Thread.CurrentPrincipal.Identity.Name. For applications on the same domain to share this cookie, all of them must use the same forms authentication cookie name and the same machineKey (validationKey and decryptionKey) in web.config, so that a ticket issued by the login application can be validated by the others.
Implement SSO in MVC: Here are the steps to implement SSO in an MVC application using .NET.
1. Open Visual Studio and create three blank applications (SingleSignOn, ApplicationA and ApplicationB). The SingleSignOn application provides the login functionality; ApplicationA and ApplicationB are the secured web applications.
2. The solution will look something like the screenshot below.
3. Add an AccountController to SingleSignOn; it will contain the login code.
4. Write the login code, or simple forms authentication code, in the AccountController as below:

    using System.Web.Mvc;
    using System.Web.Security;

    public class AccountController : Controller
    {
        // GET: Account/Login
        [AllowAnonymous]
        public ActionResult Login(string returnUrl)
        {
            if (Request.IsAuthenticated)
            {
                return RedirectToAction("Index", "Home");
            }
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        // POST: Account/Login
        [AllowAnonymous]
        [HttpPost]
        [ValidateAntiForgeryToken]   // the login form must render @Html.AntiForgeryToken()
        public ActionResult Login(string userName, string password, string returnUrl)
        {
            if (FormsAuthentication.Authenticate(userName, password))
            {
                // Issue the forms authentication ticket as a session cookie.
                FormsAuthentication.SetAuthCookie(userName, false);
                // Only follow returnUrl back into this site; accepting an absolute
                // URL here would turn the login page into an open redirect.
                if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                {
                    return Redirect(returnUrl);
                }
                return RedirectToAction("Index", "Home");
            }
            ModelState.AddModelError(string.Empty, "Invalid Login Details");
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }
    }

FormsAuthentication.Authenticate checks the credentials against the <credentials> section of web.config and reports whether the user name and password are correct. We can also validate the user name and password against a SQL Server database or any other data source. The login view renders its fields with the standard helpers, for example:

    @Html.LabelForModel("Password")
    @Html.Password("Password")
Benefits of cloud based load testing

Standard on-premises testing can no longer provide the level of performance assurance needed to compete in the current global marketplace. A cloud based testing tool can be leveraged to evaluate the performance of an application from any geographical location; the performance tests can be run with load generators/agents in any region and with hundreds of thousands of users. Cloud based load testing gives you complete load testing flexibility in both development and production environments. Tests can be conducted quickly and continuously, with real-time insight into end-to-end performance, and they determine how fast aspects of a system work under a particular workload in terms of responsiveness and stability. Below are some of the benefits of cloud based load tests that enable thorough testing of business-critical applications without breaking the bank.

Easy to use: All you need to get started is a Team Foundation Service account. You simply connect to this account from Visual Studio and get started instantly, without any prerequisites.

On-demand scalability: You can increase or decrease the user load/test load to match the production requirements, whether from 1,000 to 5,000 users or from 5,000 down to 50. Such scalability lets you measure the actual performance of the application and create a replica of the production environment.

Same tests work on-premises and in the cloud: All the tests you have authored on-premises (load tests, declarative web performance tests, coded web tests or unit tests) can be run in the cloud.

Real-world conditions and load: It covers conditions you cannot reproduce from behind the firewall, such as third-party traffic, disconnections and DNS errors, which you would otherwise only discover after deploying your application to a live production server. It also reports values such as response time, throughput and average page time, among others.

Cloud testing makes use of cloud computing resources to simulate real users who come directly from the Internet.

Save capex or space: It reduces capital expenditure with the following added advantages: no need to buy new hardware, as the same hardware can be used; no support engineer needed for hardware. Most enterprises have made significant investments in data center infrastructure, which directly impacts capex, so the cloud is a better approach for saving it.

Save time: It involves less effort and thus saves time.

Agility: Cloud testing allows you to run tests from anywhere. This gives flexibility in scheduling tasks and reduces the risk of failure, as it lets you push the test environment up to the breaking point.

Get deeper insights about performance: You get complete server and client diagnostics when you simulate real-time load patterns for your application.

Free load testing: Cloud based testing using Visual Studio includes 20,000 virtual user minutes per month of load testing at no extra charge.
How to publish your application on Google Play Store – Part 2

Upload the app to the Play Store

In the previous blog we saw the steps to generate a zipaligned APK. Here we will go through the steps to upload the developed mobile app to the Google Play Store. To start with, the developer has to pay for Google Play Developer registration and then follow the steps below to publish the APK on Google Play.

Register for a Publisher Account
1. Go to https://play.google.com/apps/publish/ and enter the developer's Gmail account.
2. To sign up, go to https://play.google.com/apps/publish/signup/ .
3. Select the 'I agree...' checkbox and click the Continue to payment button.
4. Enter your details and fill in the form. Make sure you have your credit card handy to pay the $25 registration fee in the next step.
5. Set up a Google Wallet Merchant Account (needed if you will sell a paid app or in-app products).

Prepare to Publish
Publishing on Google Play is a lot easier if you have completed all of the store listing content before you start, so that when publishing your app you can check off the items you should have ready in the Google Play Developer Console.

Explore the Developer Console
1. Click 'Add a new application' (the top-right button) and fill in the details.
2. Click Upload APK. In the window that appears, click 'Upload your first APK to Production' and browse to your zipaligned APK.
3. In the next window, fill in the details, scroll down and add the graphic assets with screenshots, then fill in the remaining required details.
4. Click Content Rating, then click the Continue button to take the questionnaire.
5. Go to Pricing and Distribution and select the Paid or Free option. If your app is paid, you first need to set up a merchant account. Then select the countries where you want to distribute your app.
6. In the In-app Products tab you can sell in-app products and subscriptions using Google Play In-app Billing as a way to monetize your app: create product lists for in-app products and subscriptions, set prices, and publish products with the app or withdraw obsolete products. For details on implementing In-app Billing, see the In-app Billing developer documentation. In-app products suit the Premium, Freemium and Subscription monetization models.
7. Go to Services and APIs, then to Optimization Tips.
8. Click the 'Submit Update' button in the top-right corner and then click the Publish App button.
How to integrate Entity Framework with Oracle

Have you been looking for a solution to connect Entity Framework to Oracle? In this blog post I will show how to integrate Entity Framework 6 with an Oracle database, through a step-by-step implementation. Let's begin.

Start a new project
Before adding a new project, you need to install ODP.NET and ODAC from Oracle. Install 64-bit ODAC 12c Release 3 (12.1.0.2.1) for Windows x64; this works with Visual Studio 2013. After installing, run the setup once and restart your system. Then follow the steps below:
1. Open Visual Studio 2013 and add a project.
2. Add an Entity Data Model: right-click the project in Solution Explorer, choose Add -> New Item and select ADO.NET Entity Data Model from the dialog. Click the Add button.
3. The Entity Data Model Wizard opens with four options. We focus on the database-first approach, so select the EF Designer from database option and click Next.
4. Choose one of your existing DB connections or create a new one by clicking the New Connection button. This also adds a connection string to your app.config file, with the database name as the default suffix. Click Next after you set up your database connection.
5. Clicking Next at this point gives an error as shown below.
6. To resolve this error, add the Oracle 12c provider through NuGet: right-click the project -> Manage NuGet Packages -> Browse for Oracle, then add the packages shown below. After installing the Oracle 12c packages, the error is resolved.
7. You can then configure the Entity Framework model and include all the tables you need. After clicking Finish, an .edmx file is added to your project, and the EDM adds a connection string to the app.config file. The generated connection string carries the database user and password, so treat app.config as a secret when checking code in.

Conclusion
Configuring Entity Framework 6 to work with an Oracle database is now doable. In earlier versions the provider was not available through the NuGet Package Manager, but now it is, and it works successfully.

In my next blog, I will talk about Entity Framework configuration management and deployment with an Oracle database. Stay tuned for more.