After successful unit and integration testing as part of the development cycle, the testers should already have completed their test cases and been exposed to development builds of the code. Now the testers execute all functional and nonfunctional test cases. In particular, we will pay close attention to the security testing team. This team is responsible for performing security testing of the system, both white box and black box testing. Like our developers, these security testers are hand-picked, dedicated to the security testing, and appropriately trained and mentored.

White Box Testing

The white box test team performs white box, or full knowledge, testing of the system. They examine the code, the configuration, and the environment for potential security vulnerabilities. They make use of a variety of tools such as source code analyzers and debuggers to perform automated source code analysis, probing for security vulnerabilities.

Black Box Testing

In parallel with white box testing, a team of testers needs to be dedicated to black box, or zero knowledge, testing. These testers do not get to see the code or the configuration. They approach the application as a hacker would, probing for weaknesses to exploit using a variety of techniques and tools. There is a multitude of such tools available, including the infamous SATAN (Security Administrator Tool for Analyzing Networks). These tools help probe the perimeter security, the host environment, and the application layers. For our use case scenario, we used different tools at each layer: scanners for network vulnerabilities, for our host, and for the application itself. The type of tool depends upon the type of testing. You can find anything from freeware port scanners to high-end enterprise tools with integrated reporting capabilities.
The decision on which tools to use depends on how much you are willing to spend, how often they will be used, and the knowledge of the tool possessed by the test team. Table 14-5 is a brief list of various black box tools for probing hosts, networks, and applications.
Our black box testing revealed an input parameter attack on our rewards payment page. This vulnerability opens up the application to a cross-site scripting attack. The finding was sent back to the designer, who analyzed the risk and decided to have one of the security developers make a fix. The security developer was able to quickly implement a fix by updating the Intercepting Validator's validation rules. Once it was unit tested, it was sent back to testing. Further testing revealed no significant holes, and the code was therefore turned over for deployment.
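The following is an added illustration of the kind of rule change described above; it is not code from the book or from the use case's application. It assumes a Java implementation of the Intercepting Validator as a stand-alone class with per-parameter allow-list rules, and the parameter names (accountId, amount, memo) and sample values are constructed for the example. The "before" rule set accepts any characters in the memo field, which is the type of gap that lets markup reach the page; the "after" rule set restricts the field to an allow-list of characters, so the same request is rejected before the page ever renders it.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Hypothetical Intercepting Validator (example only): checks every request
 * parameter against an allow-list rule before the rewards payment page sees it.
 */
public class InterceptingValidator {

    /** One validation rule: an allow-list pattern plus a maximum length. */
    public static final class Rule {
        private final Pattern allowed;
        private final int maxLength;

        Rule(String regex, int maxLength) {
            this.allowed = Pattern.compile(regex);
            this.maxLength = maxLength;
        }

        /** The whole value must match the pattern; partial matches are not enough. */
        boolean accepts(String value) {
            return value != null
                && value.length() <= maxLength
                && allowed.matcher(value).matches();
        }
    }

    private final Map<String, Rule> rules = new LinkedHashMap<>();

    public InterceptingValidator addRule(String param, String regex, int maxLength) {
        rules.put(param, new Rule(regex, maxLength));
        return this;
    }

    /**
     * Returns the names of parameters that violate the rules. An empty list means
     * the request may proceed. Parameters with no rule are rejected as well, so a
     * newly added field cannot bypass validation by accident.
     */
    public List<String> validate(Map<String, String> request) {
        List<String> violations = new ArrayList<>();
        for (Map.Entry<String, String> e : request.entrySet()) {
            Rule rule = rules.get(e.getKey());
            if (rule == null || !rule.accepts(e.getValue())) {
                violations.add(e.getKey());
            }
        }
        return violations;
    }

    /** Rule set before the fix: the memo field accepts any character (constructed example). */
    public static InterceptingValidator rewardsPageRulesBefore() {
        return new InterceptingValidator()
            .addRule("accountId", "[0-9]{6,12}", 12)
            .addRule("amount", "[0-9]{1,7}(\\.[0-9]{2})?", 10)
            .addRule("memo", ".*", 200);   // weak rule: markup characters are allowed through
    }

    /** Rule set after the fix: memo restricted to letters, digits, spaces and basic punctuation. */
    public static InterceptingValidator rewardsPageRulesAfter() {
        return new InterceptingValidator()
            .addRule("accountId", "[0-9]{6,12}", 12)
            .addRule("amount", "[0-9]{1,7}(\\.[0-9]{2})?", 10)
            .addRule("memo", "[A-Za-z0-9 .,'-]{0,200}", 200);
    }

    public static void main(String[] args) {
        // Constructed sample requests: one benign, one carrying HTML markup in the memo.
        Map<String, String> benign = new HashMap<>();
        benign.put("accountId", "12345678");
        benign.put("amount", "25.00");
        benign.put("memo", "Thanks for the referral");

        Map<String, String> withMarkup = new HashMap<>(benign);
        withMarkup.put("memo", "Thanks <b>a lot</b>");

        System.out.println("before, benign:  " + rewardsPageRulesBefore().validate(benign));
        System.out.println("before, markup:  " + rewardsPageRulesBefore().validate(withMarkup));
        System.out.println("after,  benign:  " + rewardsPageRulesAfter().validate(benign));
        System.out.println("after,  markup:  " + rewardsPageRulesAfter().validate(withMarkup));
    }
}
```

Run as `java InterceptingValidator.java` (Java 11 or later). The two "before" lines print empty lists, showing that the weak memo rule lets the markup through; the "after" run reports `[memo]` for the request carrying markup and still accepts the benign one. Validation at the intercepting layer is the first control; output encoding at the point where the memo is rendered is the complementary control a reviewer would also want to see, since allow-listing input does not by itself protect data that reaches the page from other sources.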