Chapter 10. Security Testing

Currently there is a false sense of security that exists within the IT industry. With the given state of software today, it is impossible to build web applications that are 100 percent secure. Given enough time, knowledge, and effort someone will be able to find a weak spot (also known as a hole or exploit) and compromise your application. Coming to terms with this realization sooner, rather than later, will help you develop web applications much more defensively.

In my opinion, security testing is the most difficult testing discipline for web applications. Not only do you need to test the code you have written to ensure that it is secure, you must also ensure that all the applications within your operating environment (operating system, web server, programming frameworks) are also secure. The initial learning curve for testing the security of web applications is steep, and the type of "mindset" that is required to try to compromise a system is a difficult role to assume. For this reason, many development shops outsource security assessments and security testing to firms that specialize in this discipline. When security testing is performed by a company that specializes in security, not only do you have experts performing the tests, you also have a third party that comes into the project with no preconceived notions or bias.

However, just because security testing is hard and has a large initial learning curve to get started doesn't mean you shouldn't learn it. Even if your company decides to outsource the security testing, the third party doing the testing will come back with issues and you will need to fix them eventually. Also, with the ever-increasing popularity of security compliance laws such as SOX, HIPAA, Basel, and many more, it's wise to invest time to learn the basics of security testing so you can adhere to these laws.

The fact that it's not a matter of if, but of when a web application will be compromised is not unique to web applications. This is common in many other security industries. In fact, many safes (the lockable boxes used for storing physical objects) use a rating/certification system designed by Underwriters Laboratories that indicates how long it would take to compromise the safe using hand tools such as lock picks or grinding tools. A Class TL-15 rating would mean that it would take someone roughly 15 minutes to compromise that particular safe, whereas a TL-30 rating would take someone 30 minutes.

Testing how secure a web application is can be very subjective. Many developers will run a tool, maybe check a few pages for a few exploits they are aware of, and give their assessment based on that. Other developers might run tests on the exact same web application but come up with totally different assessments of its security. This is because security testing relies on the experience and mindset of the tester. There is no tool containing a "Find all security issues" button that will successfully report every security issue in the system. There is no mindless process that can be followed to ensure the system is secure. Security testing requires the tester to be creative, to dig into the security risks of a given web application and determine how the system behaves under attack.

As with Chapter 9 about accessibility testing, it's extremely important to know what to test for, so a good portion of this chapter will be used to educate you on the most popular types of web attacks and how to test for them. Hundreds of books have been published about computer security and it's not our intention to try to summarize them all into the last chapter of this book. With that being said, it is the intention of this chapter to discuss the basics of security testing, tools used for security testing, and common security attacks.

It's also important to mention that many of the techniques shown in this chapter are malicious and could cause a great deal of damage to systems. Please only perform security assessments on systems for which you have written consent to perform the assessment, and please be ethical with the knowledge you gain in this chapter.
