As more and more organizations pivot towards an online presence or transform into digital organizations, having a secure online application has become a necessity. Gone are the days when security testing was an afterthought. Now it is baked into the test plan and test schedule.
Traditionally, security testing requires specialized skills that come through degrees and certifications, so organizations normally engage a vendor to carry out penetration testing.
So can some form of security testing be carried out without specialized knowledge, certification or tool set?
It is a valid question and my opinion is: yes, it can be done.
While organizations will still need to engage a vendor for penetration testing, a range of tests that validate the security of the solution can be carried out in-house.
While I cannot divulge the exact steps for carrying out these tests, a general idea can be given of what type of tests we can run to validate the security of an online application.
Password policy
- Does it enforce a minimum length and, if the policy requires it, a mixture of alphanumeric and special characters?
- Does it enforce password aging (forced expiry) where the policy requires it?
- Does it lock the account, or throttle attempts, after repeated failed logins?
- Is there a visual cue to the strength of the password as it is typed?
- Does it provide a mechanism such as CAPTCHA to ensure that the user is a human and not a bot?
Note that current guidance (NIST SP 800-63B) favours a long minimum length and screening against known-breached passwords over composition rules and forced periodic expiry, so test against the policy the organization has actually adopted rather than assuming that stricter is always better.
Session Timeout
- Does the application allow multiple concurrent sessions for the same account, and is that intended?
- Is there a session timeout, both for idle sessions and as an absolute limit?
- Are session tokens destroyed on the server upon logout, or only removed from the browser?
- Can you view a session token (in the URL, page source or developer tools) and reuse it from another browser, including after logout or timeout?
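The three server-side questions above (logout, idle timeout, concurrent sessions) can be turned into a repeatable check. The example below is added here and is not code from the original post: SessionStore is a minimal stand-in for an application's session layer with an injectable clock so the timeout can be exercised without waiting, and the token format, the default limits and the expected 15-minute idle policy are assumptions, not values from any real application.

```python
"""Server-side session checks: does a token die on logout, does it expire when
idle, and can one account hold many sessions at once?

Added example, not code from the original post. SessionStore is a minimal
stand-in for the application's session layer, with an injectable clock so the
timeout can be exercised without waiting; the token format and the default
limits are assumptions, not the real application's values.
"""
import secrets
import time


class SessionStore:
    """Sessions keyed by an opaque random token, with idle and absolute expiry."""

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600,
                 max_concurrent=1, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.max_concurrent = max_concurrent
        self.clock = clock
        self._seq = 0
        self._sessions = {}  # token -> {"user", "seq", "created", "last_seen"}

    def login(self, user):
        """Issue a fresh random token and evict the user's oldest sessions
        beyond max_concurrent (the sequence number orders same-instant logins)."""
        now = self.clock()
        self._seq += 1
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "seq": self._seq,
                                 "created": now, "last_seen": now}
        mine = sorted((s["seq"], t) for t, s in self._sessions.items()
                      if s["user"] == user)
        for _, old in mine[:-self.max_concurrent]:
            del self._sessions[old]
        return token

    def validate(self, token):
        """Return the user for a live token, or None; expired tokens are removed."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if (now - s["last_seen"] > self.idle_timeout
                or now - s["created"] > self.absolute_timeout):
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token):
        """Destroy the session server-side; clearing the cookie alone leaves
        the token usable by anyone who captured it."""
        self._sessions.pop(token, None)


class FakeClock:
    """Controllable time source so the idle timeout can be tested instantly."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_session_checks(store, clock, expected_idle=900):
    """Exercise the three checklist questions against the tester's own policy
    expectation (assumed here: 15 minutes idle). True means secure behaviour."""
    results = {}

    tok = store.login("alice")
    store.logout(tok)
    results["token_dead_after_logout"] = store.validate(tok) is None

    tok = store.login("alice")
    clock.advance(expected_idle + 1)
    results["token_dead_after_idle_timeout"] = store.validate(tok) is None

    first = store.login("alice")
    second = store.login("alice")
    results["single_concurrent_session"] = (
        store.validate(first) is None and store.validate(second) == "alice")
    return results


if __name__ == "__main__":
    clock = FakeClock()
    print("hardened:", run_session_checks(SessionStore(clock=clock), clock))
    weak = SessionStore(idle_timeout=10**9, absolute_timeout=10**9,
                        max_concurrent=10, clock=clock)
    print("weak:    ", run_session_checks(weak, clock))
```

Against a live application the same three steps are done by hand: log in, copy the session cookie, log out, and replay the request with the copied cookie; then repeat after leaving the session idle for longer than the documented timeout, and once more from a second browser logged into the same account.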
Cookies
- Does the application use cookies, and are the session cookies marked Secure, HttpOnly and SameSite?
- Are cookies stored beyond the session (do they carry an Expires or Max-Age attribute)?
- Are cookies destroyed once the browser is closed?
- Can you copy the cookies to another browser and reuse them for unauthorized access to the application?
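The cookie questions can be answered from the Set-Cookie headers shown in the Network tab of the browser's developer tools (or a curl -i response). The script below is an added example, not code from the original post; the three sample headers are constructed for illustration, and the list of name fragments used to recognise a session cookie is an assumption to be extended for the application under test.

```python
"""Audit Set-Cookie headers for the attributes a session cookie should carry.

Added example, not from the original post. The sample headers below are
constructed; in practice they are copied from the browser's developer tools
or from a proxy. SESSION_HINTS is an assumption about cookie naming.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Name fragments that suggest a cookie carries a session or auth token.
SESSION_HINTS = ("sess", "sid", "auth", "token", "jsession", "phpsessid")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attr: value}).
    Attribute names are lower-cased; flag attributes get an empty value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header, now=None):
    """Return a list of findings for one Set-Cookie header ([] means it looks fine)."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    looks_like_session = any(h in name.lower() for h in SESSION_HINTS)

    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (will also be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable from JavaScript, e.g. via XSS)")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(f"{name}: missing SameSite (browser default applies; set Lax or Strict)")
    elif samesite == "none":
        findings.append(f"{name}: SameSite=None (sent on cross-site requests)")

    # Persistence: a session cookie should not survive the browser session.
    persistent = False
    if "max-age" in attrs:
        try:
            persistent = int(attrs["max-age"]) > 0
        except ValueError:
            findings.append(f"{name}: unparsable Max-Age")
    elif "expires" in attrs:
        try:
            persistent = parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            findings.append(f"{name}: unparsable Expires")
    if persistent and looks_like_session:
        findings.append(f"{name}: session cookie persists beyond the browser session")
    return findings


# Constructed sample headers for the demonstration.
WEAK_SESSION_COOKIE = "SESSIONID=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
HARDENED_SESSION_COOKIE = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
PREFERENCE_COOKIE = "lang=en; Path=/; Max-Age=31536000; Secure; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK_SESSION_COOKIE, HARDENED_SESSION_COOKIE, PREFERENCE_COOKIE):
        print(header)
        findings = audit_set_cookie(header)
        for finding in findings:
            print("  -", finding)
        if not findings:
            print("  - no findings")
```

A persistent preference cookie such as the language setting is acceptable; the audit only reports persistence for cookies that look like they carry a session, which is why the hint list matters.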
Bookmark
- Can you use a bookmark to open an internal page without logging in?
- Does a bookmark log you in automatically, for example because a token is embedded in the URL?
- Can you see the application version and other internal details in the bookmarked URLs?
Logging
- Are transaction details stored in the server logs?
- Can you use the logs to identify a particular session at a particular time for troubleshooting purposes?
- Are the server logs protected (access-controlled, and encrypted at rest where required), and are they free of secrets such as passwords, session tokens and card numbers?
- Can you easily identify the server log paths, and are they accessible from the web, for example under the document root?
Inspect Element
- Can you inspect an element on the page in the browser's developer tools and find details about it, such as hidden form fields, commented-out code or API endpoints?
- Can you find session tokens, customer details or other sensitive information in the browser's developer tools (Storage, Network and Console tabs)?
Traffic Capture
- Can you download free tools (such as Wireshark or an intercepting proxy) and capture the network traffic between the browser and the server?
- Can you view the captured packets and extract plaintext information about the customer or the application, i.e. is anything still sent over unencrypted HTTP?
Cross-site Scripting
- Can input fields or URL parameters be used to inject JavaScript that the application then renders back into the page?
- Is user-supplied data placed inside the HTML or inline JavaScript of the application without output encoding? (Inline script is not a vulnerability in itself; the question is whether untrusted data reaches it.)
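The reflected case is the easiest to test by hand: submit a payload containing a unique marker and look at what comes back. The example below is added here and is not code from the original post; the two render functions are a constructed stand-in for a server-side search page (vulnerable and hardened), and reflection_probe works on any saved response body, such as one copied from the Network tab after submitting the payload in a search box.

```python
"""Reflected cross-site scripting: a vulnerable page beside its hardened form,
and the probe a tester can run against any page that echoes input back.

Added example, not code from the original post. The two render functions are a
constructed stand-in for a server-side template; reflection_probe works on any
response body, for example one copied from the browser's developer tools after
submitting PAYLOAD in a form field or URL parameter.
"""
import html

# A unique marker wrapped in the characters that must be encoded in an HTML
# context. If the whole payload comes back verbatim the page is injectable; if
# only the marker comes back, the input reached the page but was encoded.
MARKER = "xss7f3a"
PAYLOAD = f'"><svg onload=alert({MARKER})>'


def render_search_vulnerable(query):
    """Concatenates the raw query into attribute and body: reflected XSS."""
    return f'<input name="q" value="{query}"><p>Results for: {query}</p>'


def render_search_hardened(query):
    """Same page with the query HTML-encoded (quotes included, so it cannot
    break out of the attribute) before it is placed in the markup."""
    safe = html.escape(query, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for: {safe}</p>'


def reflection_probe(response_body, payload=PAYLOAD, marker=MARKER):
    """Classify how a response reflected the probe payload.

    Returns 'not_reflected' (the marker is absent), 'encoded' (the marker is
    present but the breakout characters were encoded) or 'unencoded' (the
    payload appears verbatim: a reflected XSS candidate to confirm in a browser).
    """
    if marker not in response_body:
        return "not_reflected"
    if payload in response_body:
        return "unencoded"
    return "encoded"


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("hardened", render_search_hardened)):
        body = render(PAYLOAD)
        print(f"{name}: {reflection_probe(body)}")
        print("   ", body)
```

html.escape is the right fix only for data placed in HTML body or attribute context; data inserted inside a script block, a URL or a CSS value needs the encoding appropriate to that context, so when the probe reports "encoded" it is still worth reading where in the page the marker landed.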
Unauthorized Download
- Is it possible to use the browser developer tools or an API client to look at the request for an invoice or report, change the customer or document identifier, and download documents belonging to other customers?
- Is it possible to view customer details returned by the API in such a tool and then modify the identifiers in the request to gain access to other customers' details?
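Both questions are the same test, usually called an insecure direct object reference (IDOR) check: take a request for one of your own documents, change the identifier, and see whether someone else's comes back. The example below is added here and is not code from the original post; the in-process InvoiceService functions stand in for the real application so the check runs offline, and the invoice data, customer names and session tokens are constructed. Against a live system the two fetch functions would be replaced by HTTP requests carrying the tester's session cookie.

```python
"""Unauthorized download check (insecure direct object reference): request the
identifiers around a known-good one with a single customer's session and report
every document that comes back belonging to someone else.

Added example, not code from the original post. The two fetch functions are an
in-process stand-in for an invoice endpoint; the data and tokens are constructed.
"""

# Constructed test data: which customer owns which invoice.
INVOICES = {
    1001: {"owner": "alice", "total": "120.00"},
    1002: {"owner": "bob", "total": "88.50"},
    1003: {"owner": "alice", "total": "10.00"},
    1004: {"owner": "carol", "total": "999.99"},
}
# Constructed session tokens, as the application would issue them after login.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def fetch_invoice_vulnerable(session_token, invoice_id):
    """Authenticates the session but never checks who owns the invoice."""
    if session_token not in SESSIONS:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    return (200, invoice) if invoice else (404, None)


def fetch_invoice_fixed(session_token, invoice_id):
    """Same endpoint with an ownership check. Other customers' IDs return 404
    rather than 403 so the existence of the invoice is not disclosed either."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        return 404, None
    return 200, invoice


def idor_check(fetch, session_token, me, own_invoice_id, radius=5):
    """Walk the IDs around one the tester legitimately owns, using only the
    tester's own session, and return the IDs that came back 200 for another
    customer. `me` is the account the tester logged in as; in a real test the
    owner field is whatever the response uses to name the customer."""
    leaked = []
    for candidate in range(own_invoice_id - radius, own_invoice_id + radius + 1):
        if candidate == own_invoice_id:
            continue
        status, invoice = fetch(session_token, candidate)
        if status == 200 and invoice["owner"] != me:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    # Alice logs in, downloads her own invoice 1001, then changes the number.
    for label, fetch in (("vulnerable", fetch_invoice_vulnerable),
                         ("fixed", fetch_invoice_fixed)):
        leaked = idor_check(fetch, "tok-alice", "alice", 1001)
        print(f"{label}: other customers' invoices readable: {leaked or 'none'}")
```

Sequential numeric identifiers make this walk trivial; the real defence is the ownership check in the handler, with unpredictable identifiers as an additional layer rather than a substitute.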
Many of these tests will find vulnerabilities that would otherwise be detected by penetration testing. Carrying out these tests does not require certification or specialized tools or knowledge; any manual tester with some technical knowledge can be taught how to run them.
At the end of the day, running these tests means fewer vulnerabilities are left for the penetration test to find, and your organization gains an additional layer of assurance from this multi-layered approach.