Web Application Security Testing - Start with the Threat Profile.
Posted by John Beale on Tue, Jul 05, 2011
Online applications are increasingly exposed to attack, and eCommerce in particular is the target of a growing range of crimes, so it is no surprise that many clients demand evidence that their critical and sensitive applications are appropriately secure.
There are several ways of obtaining this assurance, and the more comprehensive the security testing, the more confidently the software developer can release the application.
To ensure thorough and comprehensive testing, start with a Threat Profile. A threat is simply a goal of your adversary, and a Threat Profile is the list of threats that are relevant to the application under test. Each threat is expressed in business terms, i.e. what the adversary achieves rather than the technical flaw he uses to achieve it: access to unauthorised financial information, theft of login credentials, impersonation, and so on.
For example, the following is a sample set of threats you might see in the Threat Profile of an online data room application:
An adversary...
Accesses online data rooms he is not authorised to view
Modifies or deletes documents in online data rooms without the rights to do so
Escalates his access level and reads documents classified above it
Downgrades the access level of a document, exposing it to a wider audience
Adds fake online data room users with high privileges
Resets the passwords of all users
Escalates a room administrator to group administrator
Adds more online data rooms than he is entitled to
Impersonates a room administrator and posts documents
Views Click History of groups he is not authorised to
The advantage of this structured, business-driven approach is that each identified threat is systematically subjected to a variety of tests (for an access-control threat such as the first one above, that means direct object reference, forced browsing and privilege manipulation against every page or function that handles a room). Once a vulnerability is established, it can immediately be referred back to a specific threat, and to a specific page or function of the application.
The Threat Profile is crucial to the testing procedure and, as such, should be the first task the Test Engineer undertakes. It should then be approved by the client before a Test Plan is created and executed, so that the threats being tested are the ones the business actually cares about. The procedure is therefore:
1. Create the Threat Profile
2. Create the Test Plan
3. Perform the Tests
4. Prepare the Report, relating the findings to the threats from the Threat Profile.
The security testing report should clearly demonstrate which threats are exploitable and which are not, relating each vulnerability to a threat and to the page or function where it was found. Threats that were not tested should be listed as such rather than silently omitted. For every vulnerability detected, a solution should be recommended, along with the means of implementing it.
The Threat Profile is not only crucial to the completeness of the testing, it also allows a more targeted approach: the most realistic threats are tested in depth, rather than running an undirected barrage of generic tests for SQL injection, cross-site scripting or session hijacking. Those techniques are still used, but as the means of attempting a specific threat against a specific page or function, and each result is recorded against that threat.
This saves time and unnecessary expense, and ensures that the report discloses the true business impact of each threat rather than a list of technical issues, which makes for more meaningful and compelling evidence for stakeholders.