Security Basics mailing list archives

Re: Getting the message to Testers


From: security () pablowe net
Date: Wed, 5 Mar 2003 12:50:15 -0500 (EST)

James,

I normally give the class to software engineers and DBAs, but it is
equally applicable to testers :)  Generally, there are a few broad areas to
cover that can (and should) be adapted to your specific application. In no
particular order...

1) Encryption
Depending upon the application, all network transmission should be
encrypted.  Database to business logic layer, business logic to
presentation, etc...  This is especially pertinent in web applications,
where data traverses the Internet.  Have them test at every applicable
level.

2) Data Storage
Personal information (or information that could get you into legal
trouble) should be stored encrypted within the database.  In addition to
this, security features built into the database should be used and default
accounts disabled.  Oracle comes with up to thirty (30) default usernames
and passwords, some of them with dba privileges.  Have them test known
exploits etc.

3) Auditing
Most (if not all) write operations to the database should be logged. 
Also, pertinent login information should also be stored.  Have them test
to make sure that these measures cannot reasonably be bypassed.

4) Security Management
Many web applications have a separate interface for security management
(adding/deleting users, creating roles for RBAC, etc...).  It is
imperative that this is impenetrable.  They should spend extra time doing
whatever generic application testing they do on this portion of the site.

5) Access Control
Make sure that your RBAC mechanisms are robust and well defined.  Have
your testers verify that DSOD and SSOD are functioning properly, if
implemented.  Also have them ensure that role-hierarchies are proper
(privilege escalation).

Obviously there are more, depending upon the type of application you are
trying to develop.  As far as password length, retries, etc, see
CSC-STD-002-85.  Although a little outdated, it contains some good rules
for passwords.

Hope this helped,
Ryan Lowe
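The RBAC checks Ryan lists under item 5 (static and dynamic separation of duty, and role hierarchies that must not turn into privilege escalation) are easiest to test against a small reference model. The following is an added example written for this archive page, not code from the original post; the role names (clerk, approver, auditor, manager), the permissions and the constraints are constructed for illustration. SSoD is evaluated over the full set of roles a user is authorized for, hierarchy included, so that inheriting a junior role through a senior one cannot sidestep the constraint; DSoD is evaluated the same way over the roles active in a session.

```python
from collections import deque


class RBACError(Exception):
    """Raised when an assignment, activation or hierarchy change would violate policy."""


class RBAC:
    """Minimal RBAC model with role hierarchy, static SoD and dynamic SoD (added example)."""

    def __init__(self):
        self.perms = {}        # role -> set of directly granted permissions
        self.juniors = {}      # role -> set of roles it inherits from (senior -> juniors)
        self.user_roles = {}   # user -> set of directly assigned roles
        self.ssod = set()      # frozenset({r1, r2}): a user may never be authorized for both
        self.dsod = set()      # frozenset({r1, r2}): a session may never have both active
        self.sessions = {}     # session id -> (user, set of active roles)

    def add_role(self, role, perms=(), juniors=()):
        if role in self.perms:
            raise RBACError(f"role {role} already exists")
        self.perms[role] = set(perms)
        self.juniors[role] = set()
        for j in juniors:
            self.add_inheritance(role, j)

    def add_inheritance(self, senior, junior):
        if junior not in self.perms or senior not in self.perms:
            raise RBACError("unknown role")
        # A cycle would make every role on the loop equivalent; refuse it.
        if senior in self.closure({junior}):
            raise RBACError(f"{senior} -> {junior} would create a cycle")
        self.juniors[senior].add(junior)

    def closure(self, roles):
        """All roles reachable downward through the hierarchy, including the start set."""
        seen, todo = set(), deque(roles)
        while todo:
            r = todo.popleft()
            if r in seen:
                continue
            seen.add(r)
            todo.extend(self.juniors.get(r, ()))
        return seen

    def effective_perms(self, roles):
        out = set()
        for r in self.closure(roles):
            out |= self.perms[r]
        return out

    def add_ssod(self, a, b):
        self.ssod.add(frozenset((a, b)))

    def add_dsod(self, a, b):
        self.dsod.add(frozenset((a, b)))

    @staticmethod
    def _violated(pairs, roles):
        return next((p for p in pairs if p <= roles), None)

    def assign(self, user, role):
        if role not in self.perms:
            raise RBACError("unknown role")
        held = self.user_roles.get(user, set()) | {role}
        bad = self._violated(self.ssod, self.closure(held))
        if bad:
            raise RBACError(f"SSoD: {user} may not hold both of {sorted(bad)}")
        self.user_roles[user] = held

    def open_session(self, sid, user):
        self.sessions[sid] = (user, set())

    def activate(self, sid, role):
        user, active = self.sessions[sid]
        if role not in self.closure(self.user_roles.get(user, set())):
            raise RBACError(f"{user} is not authorized for {role}")
        bad = self._violated(self.dsod, self.closure(active | {role}))
        if bad:
            raise RBACError(f"DSoD: session {sid} may not activate both of {sorted(bad)}")
        active.add(role)

    def check(self, sid, perm):
        _, active = self.sessions[sid]
        return perm in self.effective_perms(active)


def build_demo():
    """Constructed policy: clerk/approver are SSoD, manager/auditor are DSoD, manager inherits clerk."""
    r = RBAC()
    r.add_role("clerk", {"submit_invoice"})
    r.add_role("approver", {"approve_invoice"})
    r.add_role("auditor", {"read_ledger"})
    r.add_role("manager", {"run_reports"}, juniors=["clerk"])
    r.add_ssod("clerk", "approver")
    r.add_dsod("manager", "auditor")
    return r


def allowed(fn, *args):
    """True if the policy operation succeeds, False if the model rejects it."""
    try:
        fn(*args)
        return True
    except RBACError:
        return False
```

The test cases a tester would run against the real application mirror the ones this model encodes: assign a user the approver role and then try to give them manager (which inherits clerk) and expect a refusal; open a session as a user who legitimately holds both manager and auditor and confirm that only one of the two can be active at a time; and try to make a junior role inherit from a senior one to confirm the hierarchy cannot be looped back on itself.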

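Item 3 asks that write operations be logged and that testers confirm the logging cannot reasonably be bypassed. One way to make that testable is to put the audit trail in the database itself rather than in application code, so every write path hits it, and to make the audit table append-only. The following is an added example for this page, not code from the original post; it uses SQLite through Python's standard sqlite3 module, and the accounts table, the audit_log table and the single-row ctx table that carries the acting user are constructed for illustration.

```python
import sqlite3

# Constructed schema: every write to accounts is recorded by a trigger, and
# the audit_log table refuses UPDATE and DELETE so history cannot be rewritten.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    ts TEXT NOT NULL DEFAULT (datetime('now')),
    actor TEXT NOT NULL,
    action TEXT NOT NULL,
    account_id INTEGER,
    detail TEXT
);
-- single-row table holding the user on whose behalf the application is acting
CREATE TABLE ctx (actor TEXT NOT NULL);
CREATE TRIGGER accounts_ai AFTER INSERT ON accounts BEGIN
    INSERT INTO audit_log(actor, action, account_id, detail)
    VALUES ((SELECT actor FROM ctx), 'INSERT', NEW.id, 'balance=' || NEW.balance);
END;
CREATE TRIGGER accounts_au AFTER UPDATE ON accounts BEGIN
    INSERT INTO audit_log(actor, action, account_id, detail)
    VALUES ((SELECT actor FROM ctx), 'UPDATE', NEW.id, OLD.balance || '->' || NEW.balance);
END;
CREATE TRIGGER accounts_ad AFTER DELETE ON accounts BEGIN
    INSERT INTO audit_log(actor, action, account_id, detail)
    VALUES ((SELECT actor FROM ctx), 'DELETE', OLD.id, 'balance=' || OLD.balance);
END;
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
"""


def open_db():
    """In-memory database with the constructed schema loaded."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO ctx(actor) VALUES ('system')")
    db.commit()
    return db


def run_as(db, actor, sql, params=()):
    """Application write path: stamp the acting user, then run one statement."""
    db.execute("UPDATE ctx SET actor = ?", (actor,))
    db.execute(sql, params)
    db.commit()


def audit_trail(db):
    """The recorded history, oldest first (timestamps omitted so results are stable)."""
    rows = db.execute(
        "SELECT actor, action, account_id, detail FROM audit_log ORDER BY id"
    )
    return [tuple(r) for r in rows]


def tamper_attempt(db, sql):
    """Return True if the database blocked an attempt to alter the audit trail."""
    try:
        db.execute(sql)
        db.commit()
        return False
    except sqlite3.DatabaseError:   # RAISE(ABORT) in the trigger surfaces here
        db.rollback()
        return True
```

What the tester learns from this: a write that reaches the table by any route (the application, an ad hoc SQL client, a second code path nobody remembered) still lands in audit_log, and an ordinary DELETE or UPDATE against the log is refused. The remaining bypass is DDL: whoever can DROP TRIGGER or DROP TABLE can still erase the trail, which is the reason the application's database account should not hold schema privileges and why, on a server database, the audit table belongs to a separate owner.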

