User talk:Raghavendra Rao PV

From OWASP
Jump to: navigation, search

--Raghavendra Rao PV 03:59, 26 September 2012 (UTC)

1. Security Testing - An Overview

Developers are under strict timelines to complete the project. Hence developers concentrate more on the development activities than implementing security features in the application.

Testers concentrate more on the functional testing aspects and are less aware of testing applications specific to security controls.

Information Technology industry required a new breed of testers who could identify the security threats in their application and assist them in overcoming the security threats. Some of the skilled people enhanced their testing knowledge and concentrated more towards the security aspects. This group of skilled testers were coined as Security Testers/Advisors/Consultants/Experts.

Security Testing in the recent past has been considered as one of the critical stages of Software Development Life Cycle [SDLC] and Customers/Organizations/Clients/Vendors are insisting the Software Development Organizations to conduct a thorough round of security tests on their applications and comply to a Industry Standard. The Industry Standard is either:

    1. Custom: Defined by the requesting Organization -or-
    2. Public: As per the Software Development Organization or any Open Source Industry Standard.

Industry Standards/Guidelines play an important role in addressing the Confidentiality, Integrity and Availability [CIA] of information to the right person at the right time.

2. Security Testing - The Beginning

Data or information can be globally accessed by individuals through the Internet. Depending on the criticality levels, data may be classified as: Critical, Highly Confidential, Confidential or Public. Such data/information residing at the servers will be managed by an Administrator or a group of administrators.

Web Applications designed and developed by an organization too serves a similar purpose and data classification approach.

    1. Showcase the capabilities of the organization
    2. Grant access to internal users/employees
    3. Grant access to external users/customers

Customers/Organizations are at a constant risk of their sensitive data being exploited by unwanted users. Such users pose a threat to organizations by identifying loopholes/vulnerabilities in the web applications and exposing these vulnerabilities on the Internet. Doing so will bring down the reputation of these organizations in the show business. Hence to summarize, the major risks associated by showcasing an organizations information on the Internet can be considered to be:

    1. Threat of misuse by individuals
    2. Reputation of the organization

There came an urge to protect sensitive information from being disclosed out in the public via Internet. Individuals/Customers/Clients/Organizations started demanding the development community to build them SECURE softwares to overcome the already existing list of attack scenarios. Developers had to incorporate security controls while developing any software. Since most of the developers are unaware of security consequences nor given on the job training's for building a secure software, there came a specialized group of Testers/Analysts/Consultants/Experts whose major role in the Organization is to identify security loopholes in the software and assist the developers in fixing them.

--Raghavendra Rao PV (talk) 04:44, 24 January 2014 (CST)

3. Need for Security Testing

Security Testing was once considered as an add-on or an additional team for approval before moving the application to Production environment. Applications which lacked security controls were the soft-targets for unintended users/hackers.

    There exist various types of Hackers:
         1. Black Hat
         2. White Hat
         3. Gray Hat
         4. Suicide Hackers

These hackers identified various security loopholes in such applications and started gathering sensitive information relating to the application Customers/Users which includes their Personal Information (Name, Address, Date of Birth, PAN, etc.) and any financial information (depending on the type of information stored by the application). Such incidents when made public by these hackers, had an adverse effect on these application owners/developers/hosting parties.

Members of Security Team across the globe, from various Non-Profitable Organisations [NTOs] stepped forward and formed different forums to educate Application Owners/Developers/Hosting parties the need for Security Testing. Some of the forums include:

    a. OWASP
    b. CVE
    c. PCI-DSS
    d. HIPPA
    e. NIST
    f. and so on.

--Raghavendra Rao PV (talk) 07:32, 07 January 2015 (CST)

4. Domain Specific Industry Standards

Various Domain specific Industry Standards exist which helps Organizations choose.

Following are the list of Domain to Industry Standard mapping which can be considered:

         1. HealthCare: Health Insurance Portability and Accountability Act (HIPPA)
         2. Banking Financial Institutes and Services (BFSI): Payment Card Industry - Data Security Standards (PCI-DSS)
         3. Investors Protection: Sarbanes Oxley Act (SOX)

On a need basis, Organizations can opt the following:

         1. OWASP Top Ten Vulnerabilities or
         2. SANS Top 25 Programming Errors

5. Current Trend

         Writers Note: In the recent past, I received calls from Organizations who are interested in my 'Security Testing Framework'
          and want to develop a similar framework in their Organization / Practice.

With the recent trend, seems like Organizations are willing to invest on Security Advisors who have a quality development experience and who can develop a security framework which identifies vulnerabilities based on custom-defined Perl Scripts. The strategy could be to eliminate the use of Commercial tools (thus saving huge amount on the tool license cost) or other open source tools and to attract Customers with custom-built security testing frameworks.

Information Security

1. Security Terminologies

1. Vulnerability: A weakness or a loophole that can be exploited by one or more threats 2. Threat: Potential cause of an incident due to a weakness or loophole that may result in harm to a system or Organization 3. Risk: Potential result an threat exploiting a vulnerability 4. Attack: A successful exploit of an vulnerability leading to loss of Confidentiality, Integrity and Availability

a. Data: Is a collection of characters and numbers. Also termed as Raw data. For example: 4528-6547-6547

b. Information: Meaningful data, processed data. For example: 4528-6547-6547 is your Credit card number

c. Information Security: The art of securing your data such that no sensitive information is disclosed to unintended users

2. Vulnerability Identification

There exists various Products, Vendors, Service Providers who identify security vulnerabilities in our Softwares/applications/products. Automated tools undoubtedly simulates the attack pattern to identify multiple occurrences of security issues and help reduce the manual effort. Manual security reviews compliment the automated tool findings by understanding the Business needs, Organization policies and identifying only the relevant security issues.

3. Vulnerability Reporting

Automated tools play a very crucial role in reporting the identified vulnerabilities. They provide an insight about the vulnerability, the exact line number or field name or parameter where the vulnerability was reported and relevant Industry Standard fix recommendations. These tools are a enormous repository of vulnerability and fix recommendations which assists the Management and the Developer community to understand about the vulnerability and the steps to be considered while fixing them.

A Security experts intervention is again required to provide relevant fix recommendations that will help the Development Teams to secure the reported vulnerability in-line with the Organizations security policy and keeping in mind the Business requirements outlined by their respective Clients/Customers.

4. Vulnerability Management

Identifying and reporting vulnerabilities is one part of the job, however the main intention of Vulnerability Identification and Reporting is to fix the vulnerabilities. Each identified vulnerability must be tracked to closure. Various Industry Standards and Compliance recommend Organizations to implement a vulnerability management process. Most of the Organizations even abide by such Compliance by maintaining their own process, however as per my personal experience in the Industry, I am yet to find One common Vulnerability Management tool used world-wide across Organizations, until SecureFirst Solutions Private Limited came up with an Enterprise Security Cloud based Vulnerability Management System (VMS).