I’ve heard that security testing should be done throughout the lifecycle, but I don’t understand how you can test for security without an application being in a production environment. Can you explain?
Excellent question! As with all application defects, security defects and vulnerabilities are best fixed in the design phase. So having an experienced security tester involved in requirements and design is important. In this phase, ask questions like, “Can this feature be implemented in a more secure manner?” or “Will personally identifiable information or protected health information be available to the user?” Poke around the requirements to ensure consideration has been given to authentication and authorization. Ensure logging and auditing are requirements for any change to the application and for any user action that could have legal or financial implications.
During design and implementation, ensure development has considered using varying user roles (can a lower-privileged account be used instead of an administrative account?). Check to be sure the implementation includes common security best practices such as Secure cookies, HttpOnly cookies, etc. When passwords are used, make sure they’re properly implemented with a salted hash, rather than stored in the clear in the database. If you have access to security code analysis tools, this is an excellent time to use them -- better to catch a defect the day it’s written than to wait for code complete before it’s discovered.
In the acceptance and functional test phases, you can spend time validating application security. This is where you make sure everything is “tied up” securely. Is authentication implemented on a consistent basis? Are there vulnerabilities in the application? For instance, can unauthorized users bypass login screens and enter an application “behind the front door”? Have .js and .css files been implemented securely, and where appropriate, do they require authentication or authorization? This is the best time to begin scanning HTML source code (if you’re working in a Web application) for common errors such as embedded passwords, developer comments which reveal important security information, hard-coded paths into the application server file system, etc. This is also a good time to validate various configuration states, ensuring SSL is properly required, the correct authentication methods have been configured, and application configuration files like web.config are properly secured. This is a fantastic time to apply OWASP Top Ten testing (http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), both on legacy pages as well as on new functionality as it’s completed.
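The HTML source review described above can be started with a small script rather than by eye. The Python below is an added example, not code from the original column: it scans a page for the three error classes named in the text (embedded credentials, developer comments that reveal sensitive details, and hard-coded server file system paths) and reports the line of each finding. The sample page, the keyword lists and the regular expressions are all constructed assumptions; a real review would tune them to the application.

```python
import re
from typing import List, Tuple

# Constructed sample page containing the kinds of errors a source review looks for.
SAMPLE_HTML = r"""<!-- TODO: remove before release; test admin account is admin / Passw0rd -->
<html><head>
<script>var apiKey = "sk_test_EXAMPLE_VALUE";</script>
<link rel="stylesheet" href="/css/site.css">
<!-- layout tweak for IE -->
</head><body>
<form action="/login"><input type="password" name="pwd">
<input type="hidden" name="cfg" value="C:\inetpub\wwwroot\app\web.config">
<a href="file:///var/www/app/uploads/">uploads</a>
</form></body></html>
"""

# A credential-like name followed by '=' or ':' and a literal value (assumed name list).
CREDENTIAL_RE = re.compile(
    r"""\b(password|passwd|pwd|api[_-]?key|secret|token)\b\s*[=:]\s*["']?([^"'\s<>;]+)""",
    re.IGNORECASE,
)
# HTML comments; only those mentioning sensitive words are reported.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
SENSITIVE_WORDS_RE = re.compile(
    r"\b(todo|fixme|hack|debug|admin|password|remove before)\b", re.IGNORECASE
)
# Windows drive paths, or Unix paths under directories that only exist on the server.
# Plain web paths such as /css/site.css are deliberately not matched.
PATH_RE = re.compile(
    r"""(?:[A-Za-z]:\\[^\s"'<>]+|/(?:var|etc|home|opt|usr|srv|inetpub)/[^\s"'<>]+)"""
)


def _line_of(text: str, offset: int) -> int:
    """1-based line number of a character offset in text."""
    return text.count("\n", 0, offset) + 1


def scan_html(html: str) -> List[Tuple[str, int, str]]:
    """Return (category, line, detail) findings, sorted by line.

    The detail for a credential finding is the variable name, not the value,
    so the report itself does not reproduce the secret.
    """
    findings: List[Tuple[str, int, str]] = []
    for m in COMMENT_RE.finditer(html):
        if SENSITIVE_WORDS_RE.search(m.group(1)):
            findings.append(("developer-comment", _line_of(html, m.start()), m.group(1).strip()))
    for m in CREDENTIAL_RE.finditer(html):
        findings.append(("embedded-credential", _line_of(html, m.start()), m.group(1)))
    for m in PATH_RE.finditer(html):
        findings.append(("filesystem-path", _line_of(html, m.start()), m.group(0)))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for category, line, detail in scan_html(SAMPLE_HTML):
        print(f"line {line:>3}  {category:<20} {detail}")
```

Note that the `type="password"` input on the login form is not reported: the credential pattern requires an assignment operator after the name, so declaring a password field is distinguished from embedding a password value.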
In essence, your goal during the early lifecycle phases is to ensure the application is designed and implemented in a secure manner. This way you can focus your testing resources on validating the security of the deployment when your application reaches the production environment.
This was first published in February 2011