Say No to Hotfixes: How To Implement Security in the Development Process
A security expert from NIX United explains why it is important to implement security from the first step of software development.
I am Viktoriya Hranenko, Security Automation Engineer at NIX United. I started at the company as a general QA, performing manual and automated testing tasks at the same time. My responsibilities did not include security tasks. However, while testing the application on my previous project, I drew attention to some cases that we never fixed. This was not our area of responsibility, and there were no specialists among us who could assess the criticality of these findings. Some of the security issues were left waiting for a penetration tester to appear.
But if we want to create a product of great quality, shouldn't we start by making it reliable? In addition, today almost any application with a registration form falls under personal data protection law, according to the legislation of the country where the product is distributed. In my opinion, the security check should not be left to the final testing stage before release.
Eventually, I became even more interested in security. Moreover, I have always liked process automation. At some point, testing in our project ceased to be just endless regression; speeding up processes became our priority task. That's when I decided to focus on optimizing processes and automating routine tasks. Later I got the chance to combine both of my interests on another project. Thus, security tasks were added to my direct responsibilities, and I have now been automating the security team's findings for a year.
In this article, you will learn what security experts do and what standards they use, so that a tester can become a security champion.
Who Can Become a Security Champion?
Any specialist interested in security.
It is quite common for participants in the development process to become evangelists of security practices and methodologies.
There is a worldwide shortage of security specialists. But some people take on security challenges alongside their usual responsibilities. These people are the genuine champions of the security field: they shape a security culture that enables developers to build secure applications.
The security champion knows the inner workings of the project inside out. They have survived sleepless nights and missed deadlines, and are not afraid to go off the beaten path in search of the right solution. Such an expert consults colleagues, implements security standards and guidelines in their organization or the customer's project, and directs the team's focus toward security-related activities. They act as a bridge between the security team and the development team. Anyone willing to learn a little more and take the initiative can become a champion in this area.
Why Should a Tester Care About Security Problems?
Architectural decisions are often left entirely to developers, and the product reaches security testing only at the last stage of preparation for release. That testing surfaces many defects, but once the application is riddled with security holes, no amount of patching produces a high-grade product. You would have to rework the entire application, and even that does not guarantee quality.
Therefore, the motto of every security expert is: "Security is a process that continues even in production."
It is important to monitor continuously whether the system is being attacked and to have a plan for responding to those attacks. Otherwise, the consequences can be dire.
A security champion is, first and foremost, someone who takes the initiative: understand the security requirements and the customer's expectations, and work out together how to build security into the upcoming development process. The initiator of such a conversation can be a QA, product owner, project manager, business analyst, architect, or technical lead. For products that are already in development, security testing is worth adding as soon as possible.
How To Integrate Security Into the Development Process
It is important to be guided by internationally recognized security standards. They fall into two types:
Technical or control standards, describing various aspects of implementing security measures (the OWASP Top 10, CIS Controls, CIS Benchmarks, and the NIST SP 800 series, which underpins the US federal information security framework). These most often form the basis of software companies' security strategies.
Process-oriented standards, describing an approach to building processes and shaping information security as a whole (ISO/IEC 27001:2013, the ITIL guidelines, the COBIT methodology).
Our team at NIX United, like many others around the world, follows Agile, which defines the values and principles that guide teams. In a similar spirit, Microsoft created a canonical model for embedding security in the software development cycle: the Security Development Lifecycle (SDL), the origin of what is generally called a Secure SDLC. Various offshoots have developed from it, each based on the security strategy adopted by the organization in question. Let's consider the stages in more detail.
Training
This is the first required step before development starts. Even when everything seems clear, the development team should familiarize themselves with the security standards before work begins and then apply them. However, security is a moving target: trends change rapidly, and something new appears every year. For employees to keep pace with the wider community, such training sessions need to be held regularly. Security training covers not only standards for developing secure software but also the ways security is maintained within the organization (for example, building passes and network security).
Requirements
At this stage, the security requirements for the product are established. They reflect current trends in the security field and rest on the legal framework of the country where the product will be launched and distributed. A security strategy for the project or product is also shaped here, and it is decided by what means security checks will be carried out before promotion to higher environments (if such are planned). This allows vulnerabilities to be avoided in advance.
Design
This is where you model the threats to your application by:
Gathering the security team, the application architect, and the product owner
Having the security specialist present the possible threats, while the product owner and architect decide on the measures that will close these security flaws.
Implementation
At this stage, the effectiveness of the measures chosen to close the selected attack surfaces is assessed. Direct security testing follows.
Verification
This is the stage for penetration testing. Simply put, penetration testing is an assessment of the security of a system, network, or software by simulating an attacker. The expert tests the application, network, and infrastructure and looks at the product from a black-box perspective. Besides basic knowledge of web applications, Windows and Linux operating systems, and Cisco networks, effective penetration testing calls for an understanding of cyberinfrastructure, cross-platform privilege escalation, attacks on network infrastructure, reverse engineering, and malware analysis. All of this will also help you prepare for security certification and reach the level of today's experts.
It is important to note that penetration testing must be carried out at the project manager's request. When testing an application for security issues, various scanners are run to collect information; the most popular are OWASP ZAP and Burp Suite, which then let you attack the application based on the data collected. Attacks can consume considerable resources, because real attackers may pursue very different goals, so it is important to check not only data protection but also the system's reliability under load. In such cases it is imperative that the development team knows security testing is taking place; otherwise, incidents may arise.
Release and Response
During the final stage, it is important to monitor whether the application is being attacked and to analyze security reports.
Add These Vulnerabilities to Your Testing Checklist
OWASP is an international non-profit organization dedicated to web application security. It provides a wealth of resources for testers, from security guides to free sandboxes where you can legally attack an application and understand the attacker's train of thought.
OWASP publishes its Top 10 list of the most common vulnerabilities every few years. The OWASP API Security Top 10 was released in 2019.
With the spread of microservice architectures, the problem of unsecured API requests is becoming ever more pressing, and there are more chances to make mistakes.
In addition, the popularity of the DevOps culture, cloud storage, and smart devices creates a huge number of loopholes for attackers. So that these developments would not be overlooked, they were covered in a separate list, the OWASP API Security Top 10, which elaborates on the attack vectors against APIs and the measures that help prevent them.
From the OWASP list, I want to highlight five key vulnerabilities. In my humble opinion, these checks should be included in every application verification checklist.
Broken Object Level Authorization
Here the attacker uses identifiers of resources that belong to other users. If authorization checks are not performed properly, the attacker gains access to that data. How can you check it? Log in as one user, take the identifier of a resource belonging to a different user (a userID, for example), and send a request substituting that userID in the URL path or in the payload. Then look at what comes back. Ideally a 403 should be returned, but in reality it is often iffy. Broken access control, where a user is allowed to do everything, is the most common and most critical class of finding. Therefore, it is important to check whether the user's token is validated and how the authorization mechanisms are implemented.
Excessive Data Exposure
Sometimes the API returns far more data than the client needs and relies on the client to filter it. An attacker who looks directly at the API response gets all of the data and can use it in further attacks. Error messages, headers, and the patterns used for validation can also contain a lot of sensitive information, for example details of the server, programming language, and framework. The more information an attacker gets, the more vulnerable the system becomes.
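As an added example (not code from the original article), here is the check described above in Python: a serializer that dumps the whole database record beside one that emits only an explicit allowlist of fields, plus two tester helpers, one that flags sensitive key names anywhere in a JSON body and one that reports headers revealing the server, language or framework. The sample record, the header values and the list of sensitive key names are constructed assumptions for the example.

```python
import json

# Constructed sample row as an ORM might return it (not real data).
USER_ROW = {
    "id": 42,
    "display_name": "alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$constructed-hash-value",
    "is_admin": False,
    "session_token": "constructed-token",
    "address": {"city": "Kyiv", "street": "Khreshchatyk 1"},
}

# Fields the public profile endpoint is meant to expose (an assumption here).
PUBLIC_PROFILE_FIELDS = ("id", "display_name")


def profile_vulnerable(row):
    """Serializes the entire row and relies on the client to hide the rest.
    Anyone calling the API directly receives the hash and the token."""
    return json.dumps(row)


def profile_fixed(row, fields=PUBLIC_PROFILE_FIELDS):
    """Allowlist serializer: only the named fields ever leave the server."""
    return json.dumps({k: row[k] for k in fields if k in row})


# Tester's check 1: key names that should never appear in a public response.
# The set is an assumption; extend it for the application under test.
SENSITIVE_KEYS = {"password", "password_hash", "token", "session_token",
                  "secret", "api_key", "ssn", "email"}


def find_sensitive_keys(body):
    """Walks a JSON body (nested objects and arrays) and returns the dotted
    paths of keys whose names look sensitive, in document order."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if key.lower() in SENSITIVE_KEYS:
                    found.append(child)
                walk(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(json.loads(body), "")
    return found


# Tester's check 2: headers that fingerprint the server, language or framework.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "x-generator")


def leaky_headers(headers):
    """Returns the fingerprinting headers present in a response, keyed by
    lower-cased name, so they can be reported and removed from the config."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {name: lower[name] for name in FINGERPRINT_HEADERS if name in lower}


if __name__ == "__main__":
    print(find_sensitive_keys(profile_vulnerable(USER_ROW)))
    print(find_sensitive_keys(profile_fixed(USER_ROW)))
    # Constructed response headers for the demonstration.
    print(leaky_headers({"Server": "Apache/2.4.41 (Ubuntu)",
                         "X-Powered-By": "PHP/7.4.3",
                         "Content-Type": "application/json"}))
```

Run `find_sensitive_keys` over every response captured during a test run rather than over a hand-picked one: the excess fields usually live in list endpoints and error bodies, not in the happy-path profile call.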
Broken Function Level Authorization
Here the client uses either a user-level or an admin-level API depending on its role. Attackers find "hidden" admin API methods and call them directly. Therefore, it is necessary to check whether the user's privileges are verified, what data is available to an unauthenticated user, and whether the hierarchy of user roles is preserved.
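The following Python example is added here and is not code from the original article; it serves both the object-level check from the "Broken Object Level Authorization" section above and the function-level check in this one. A minimal in-memory API has a vulnerable and a fixed handler for each case, and the tester side automates exactly what the text describes: call every endpoint with another user's identifier and with a non-admin token and record what was allowed. The users, tokens, orders and endpoint names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed sample data: bearer tokens -> users, orders -> owners.
TOKENS = {
    "tok-alice": User(1, "user"),
    "tok-bob": User(2, "user"),
    "tok-root": User(99, "admin"),
}
ORDERS = {
    1001: {"owner": 1, "item": "laptop"},
    1002: {"owner": 2, "item": "phone"},
}


class Denied(Exception):
    """Raised with the HTTP status the endpoint would answer with."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def authenticate(token):
    user = TOKENS.get(token)
    if user is None:
        raise Denied(401, "invalid token")
    return user


# --- Object level: GET /orders/{order_id} ---

def get_order_vulnerable(token, order_id):
    """BOLA: the token is validated, but the order ID from the URL is trusted."""
    authenticate(token)
    return ORDERS[order_id]


def get_order_fixed(token, order_id):
    """Ownership is checked against the identity that came from the token,
    never against an ID the client supplied."""
    user = authenticate(token)
    order = ORDERS.get(order_id)
    if order is None:
        raise Denied(404, "no such order")
    if order["owner"] != user.user_id:
        raise Denied(403, "not your order")
    return order


# --- Function level: DELETE /admin/users/{target_id} ---

def delete_user_vulnerable(token, target_id):
    """BFLA: a 'hidden' admin route that only checks authentication."""
    authenticate(token)
    return f"deleted user {target_id}"


def delete_user_fixed(token, target_id):
    """The role comes from the server-side token mapping, not from the client."""
    user = authenticate(token)
    if user.role != "admin":
        raise Denied(403, "admin only")
    return f"deleted user {target_id}"


# --- Tester side ---

def probe(handler, token, *args):
    """Calls an endpoint and returns 'allowed' or the status it was refused with."""
    try:
        handler(token, *args)
        return "allowed"
    except Denied as exc:
        return str(exc.status)


def sweep_object_access(handler):
    """Automated BOLA check: every non-admin token against every order it does
    not own. Returns the (token, order_id) pairs that were wrongly allowed."""
    leaks = []
    for token, user in TOKENS.items():
        if user.role == "admin":
            continue
        for order_id, order in ORDERS.items():
            if order["owner"] != user.user_id and probe(handler, token, order_id) == "allowed":
                leaks.append((token, order_id))
    return leaks


def sweep_admin_functions(handler):
    """Automated BFLA check: every non-admin token against the admin endpoint.
    Returns the tokens that were wrongly allowed."""
    return [token for token, user in TOKENS.items()
            if user.role != "admin" and probe(handler, token, 1) == "allowed"]


if __name__ == "__main__":
    print("BOLA leaks:", sweep_object_access(get_order_vulnerable), sweep_object_access(get_order_fixed))
    print("BFLA leaks:", sweep_admin_functions(delete_user_vulnerable), sweep_admin_functions(delete_user_fixed))
```

The sweep functions are the part worth keeping in a regression suite: with real tokens for two low-privilege test accounts they turn the manual "substitute the ID and see what happens" check into a pass/fail gate on every build.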
Security Misconfiguration
These are among the most common vulnerabilities: exposed directory listings and files, credentials or hidden files left in the code, sometimes directly in the HTML page. Check the basic security settings, including the security headers, which control how browsers treat the application's pages. One of the most critical checks is that HTTP traffic is served over TLS (the successor to SSL) and that only current protocol versions, TLS 1.2 and 1.3, are accepted.
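As an added example (not from the original article), the header and TLS checks above in Python: a checklist function that reports missing or weak security headers, run here against constructed response headers rather than a live server, and a client-side TLS context that refuses anything below TLS 1.2, so a handshake failure against a server tells you it only offers obsolete versions. The set of expected headers and their acceptable values is an assumption for the example, not a standard the article cites.

```python
import ssl

# Expected headers and the rule each value must satisfy (None = just present).
# These expectations are an assumption for the example; adjust them to the
# application's own policy.
EXPECTED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": None,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": None,
}

# Constructed response headers for the demonstration.
WEAK_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL"}
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}


def check_security_headers(headers):
    """Returns findings ('missing <name>' or 'weak <name>: <value>') for a
    response; an empty list means every expected header is present and sane."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, rule in EXPECTED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing {name}")
        elif rule is not None and not rule(lower[name]):
            findings.append(f"weak {name}: {lower[name]}")
    return findings


ACCEPTED_TLS = ("TLSv1.2", "TLSv1.3")


def tls_version_ok(negotiated):
    """Judges the string ssl.SSLSocket.version() reports after a handshake."""
    return negotiated in ACCEPTED_TLS


def hardened_client_context():
    """Client context that refuses anything below TLS 1.2 and keeps default
    certificate verification. Wrap a socket with it and connect: a handshake
    failure means the server only offers obsolete protocol versions."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_minimum_version():
    """Name of the lowest protocol version the hardened context will accept."""
    return hardened_client_context().minimum_version.name


if __name__ == "__main__":
    print(check_security_headers(WEAK_HEADERS))
    print(check_security_headers(STRONG_HEADERS))
    print(tls_version_ok("TLSv1.0"), hardened_minimum_version())
```

Note that `hardened_client_context` only proves the server can negotiate TLS 1.2 or better; to prove it cannot negotiate anything worse you have to make the opposite connection, with a context whose maximum version is TLS 1.1, and expect that handshake to fail.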
Injection
Negative scenarios are rarely considered here, and the consequences can be quite sad. For example, a user who achieves command injection can gain remote control over the web server; from then on everything is at their discretion, whether stealing whatever data they need or using the server to launch DDoS attacks. How can this be prevented? Place strict limits on the allowed characters and the length of input fields. Modern languages and frameworks prevent most injection cases and usually stop submitted data from being executed as code on the server. But in complex systems, you never know which third-party resources you will have to interact with.
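An added Python example (not from the original article) of the command injection case and the mitigation the text recommends: a "ping this host" feature built by concatenating a shell command string, beside the same feature built as an argument list behind a strict hostname allowlist with a length limit, plus a tester's helper that tokenizes a command string the way a POSIX shell would and reports whether a second command was smuggled in. The hostname rule, the payload and the endpoint are constructed assumptions; the safe runner is defined but not executed here.

```python
import re
import shlex
import subprocess

# RFC 1123-style hostname: labels of letters, digits and inner hyphens,
# at most 63 chars each and 253 overall. The allowlist is an assumption here.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
MAX_HOSTNAME_LEN = 253


def build_command_vulnerable(host):
    """A 'ping this host' feature built by string concatenation for a shell.
    Input 'example.com; cat /etc/passwd' makes the shell run two commands."""
    return f"ping -c 1 {host}"


def is_valid_hostname(host):
    """Strict character set and length limit, as the text recommends."""
    return len(host) <= MAX_HOSTNAME_LEN and HOSTNAME_RE.match(host) is not None


def validate_hostname(host):
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def build_command_fixed(host):
    """argv list for subprocess without a shell: no shell parses it, so the
    hostname is always exactly one argument, and the allowlist rejects
    metacharacters before it even gets that far."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_ping_fixed(host, timeout=5):
    """Executes the safe form (defined for completeness, not called below)."""
    return subprocess.run(build_command_fixed(host), capture_output=True,
                          text=True, timeout=timeout, check=False)


def shell_would_run_extra_command(cmd):
    """Tester's check on a command string: tokenizes it as /bin/sh would and
    reports whether a command separator or pipe appears. Only the separators
    are covered, not $(...) or backtick substitution."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return any(tok in (";", "&&", "||", "|", "&") for tok in lexer)


def injection_probe(builder, payload="example.com; cat /etc/passwd"):
    """Feeds a constructed injection payload to a command builder and returns
    'vulnerable', 'rejected' (input validation refused it) or 'safe'."""
    try:
        cmd = builder(payload)
    except ValueError:
        return "rejected"
    if isinstance(cmd, str):
        return "vulnerable" if shell_would_run_extra_command(cmd) else "safe"
    return "safe"  # argv list: never handed to a shell


if __name__ == "__main__":
    print(injection_probe(build_command_vulnerable))  # vulnerable
    print(injection_probe(build_command_fixed))       # rejected
```

The two defences are independent and both matter: the argument list alone already stops the shell from seeing the payload, but the allowlist also protects against the next developer who passes the "validated" value into a shell string somewhere else.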
Take Care of Security
Last but not least, to become a security champion you do not need extensive, deep knowledge of information security, networking, and programming. You can start with the OWASP Top 10 list, whose vulnerabilities overlap closely with the testing process, try something new and exciting almost immediately, and gradually accumulate knowledge while sharing it with colleagues.
It is a real honor to be the person on the team who is in charge of the project's security.
It is better to invest in security from the start than to patch security holes in a hurry on the eve of release; rushing affects the integrity, quality, and delivery time of the product.
Published at DZone with permission of Viktoriya Hranenko. See the original article here.