Security Basics mailing list archives
Re: Getting the message to Testers
From: security () pablowe net
Date: Wed, 5 Mar 2003 12:50:15 -0500 (EST)
James,

I normally give the class to software engineers and DBAs, but it is equally applicable to testers :) Generally, there are a few broad areas to cover that can (and should) be adopted to your specific application. In no particular order...

1) Encryption
Depending upon the application, all network transmission should be encrypted. Database to business logic layer, business logic to presentation, etc... This is especially pertinent in web applications, where data traverses the Internet. Have them test at every applicable level.

2) Data Storage
Personal information (or information that could get you into legal trouble) should be stored encrypted within the database. In addition to this, security features built into the database should be used and default accounts disabled. Oracle comes with up to thirty (30) default usernames and passwords, some of them with dba privileges. Have them test known exploits etc.

3) Auditing
Most (if not all) write operations to the database should be logged. Also, pertinent login information should also be stored. Have them test to make sure that these measures cannot reasonably be bypassed.

4) Security Management
Many web applications have a separate interface for security management (adding/deleting users, creating roles for RBAC, etc...). It is imperative that this is impenetrable. They should spend extra time doing whatever generic application testing they do on this portion of the site.

5) Access Control
Make sure that your RBAC mechanisms are robust and well defined. Have your testers verify that DSOD and SSOD are functioning properly, if implemented. Also have them ensure that role-hierarchies are proper (privilege escalation).

Obviously there are more, depending upon the type of application you are trying to develop. As far as password length, retries, etc, see CSC-STD-002-85. Although a little outdated, it contains some good rules for passwords.

Hope this helped,

Ryan Lowe
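The access-control item above (RBAC with role hierarchies, static and dynamic separation of duty) is the kind of thing a tester can only verify against a concrete model, so here is an added example that is not part of the original post: a small Python RBAC model with a role hierarchy, SSOD and DSOD constraints, plus the checks a tester would run against it. The roles, permissions, users and constraint pairs (clerk/approver, auditor/operator, finance_manager) are constructed for the illustration and are not from the message or from any particular product.

```python
"""Toy RBAC model with role hierarchy, SSOD and DSOD (added illustration).

Role names, permissions and constraint pairs below are constructed for the
example; they are not taken from the mailing-list post.
"""


class SoDViolation(Exception):
    """Raised when an assignment or activation would break a separation-of-duty rule."""


class RBAC:
    def __init__(self):
        self.perms = {}        # role -> permissions granted directly to that role
        self.juniors = {}      # senior role -> junior roles it inherits from
        self.assignments = {}  # user -> roles assigned directly
        self.ssod = set()      # role pairs a user may never be authorized for together
        self.dsod = set()      # role pairs that may never be active in one session

    def add_role(self, role, perms=(), juniors=()):
        self.perms[role] = set(perms)
        self.juniors[role] = set(juniors)

    def authorized_roles(self, role):
        """The role plus everything it inherits, transitively (senior -> junior)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.juniors.get(r, ()))
        return seen

    def effective_permissions(self, role):
        return set().union(*(self.perms.get(r, set()) for r in self.authorized_roles(role)))

    def user_authorized_roles(self, user):
        return set().union(*(self.authorized_roles(r) for r in self.assignments.get(user, set())))

    def add_ssod(self, r1, r2):
        self.ssod.add(frozenset((r1, r2)))

    def add_dsod(self, r1, r2):
        self.dsod.add(frozenset((r1, r2)))

    def assign(self, user, role):
        # SSOD is checked on the *authorized* set, so inherited roles count too.
        would_have = self.user_authorized_roles(user) | self.authorized_roles(role)
        for pair in self.ssod:
            if pair <= would_have:
                raise SoDViolation(f"SSOD: {user} cannot be authorized for both {sorted(pair)}")
        self.assignments.setdefault(user, set()).add(role)

    def new_session(self, user):
        return {"user": user, "active": set()}

    def activate(self, session, role):
        user = session["user"]
        if role not in self.user_authorized_roles(user):
            raise PermissionError(f"{user} is not authorized for role {role}")
        # DSOD is checked against the closure of everything that would be active.
        would_be_active = set().union(*(self.authorized_roles(r) for r in session["active"] | {role}))
        for pair in self.dsod:
            if pair <= would_be_active:
                raise SoDViolation(f"DSOD: {sorted(pair)} may not be active in the same session")
        session["active"].add(role)

    def check_access(self, session, permission):
        return any(permission in self.effective_permissions(r) for r in session["active"])


def build_demo_policy():
    """Constructed policy: a payment workflow with SoD constraints (hypothetical names)."""
    rbac = RBAC()
    rbac.add_role("clerk", {"create_payment"})
    rbac.add_role("approver", {"approve_payment"})
    rbac.add_role("finance_manager", {"view_reports"}, juniors=("approver",))
    rbac.add_role("auditor", {"read_audit_log"})
    rbac.add_role("operator", {"run_batch"})
    rbac.add_ssod("clerk", "approver")    # nobody may both create and approve payments
    rbac.add_dsod("auditor", "operator")  # may hold both, but not in one session
    return rbac


def run_checks():
    """The checks a tester would run; returns a dict of pass/fail-style booleans."""
    rbac = build_demo_policy()
    results = {}

    # SSOD must catch a conflict introduced through inheritance, not just direct assignment.
    rbac.assign("alice", "clerk")
    try:
        rbac.assign("alice", "finance_manager")  # finance_manager inherits approver
        results["ssod_blocks_inherited_conflict"] = False
    except SoDViolation:
        results["ssod_blocks_inherited_conflict"] = True

    # DSOD allows both assignments but refuses the second activation in one session.
    rbac.assign("bob", "auditor")
    rbac.assign("bob", "operator")
    session = rbac.new_session("bob")
    rbac.activate(session, "auditor")
    try:
        rbac.activate(session, "operator")
        results["dsod_blocks_joint_activation"] = False
    except SoDViolation:
        results["dsod_blocks_joint_activation"] = True

    # Hierarchy direction: seniors inherit downward, juniors gain nothing upward.
    results["senior_inherits_junior_perms"] = "approve_payment" in rbac.effective_permissions("finance_manager")
    results["junior_has_no_senior_perms"] = "view_reports" not in rbac.effective_permissions("approver")

    # A clerk session must not be able to approve.
    clerk_session = rbac.new_session("alice")
    rbac.activate(clerk_session, "clerk")
    results["clerk_cannot_approve"] = not rbac.check_access(clerk_session, "approve_payment")
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The point for a test plan is the first check: an SSOD rule that only compares directly assigned roles is bypassed by assigning a senior role that inherits the conflicting one, so tests for "role hierarchies are proper" should exercise inherited roles as well as direct ones.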
Current thread:
- Getting the message to Testers James McGee (Mar 04)
- Re: Getting the message to Testers shawnmer (Mar 05)
- Re: Getting the message to Testers security (Mar 05)
- <Possible follow-ups>
- Re: Getting the message to Testers Scott Schwendinger (Mar 06)