01-Security Testing Preparation Procedure

Purpose

The testing process is a category of verification and validation (V&V) that takes place during the software life cycle. It can be represented in three phases: the test preparation phase, the test execution phase and the test analysis phase. These phases apply to all types of testing (unit, integration, system and acceptance testing). Preparation and execution have separate procedures, while analysis is part of the releasing procedure.

 

Inputs

No | Input | Going To/Input Of | Measurements
1. | Approved High-Level Architectural Design | PD_Detailed_Design_Procedure; PD_Integration_Test_Execution_Procedure; PD_Implementation_Procedure | No. of produced reusable components; Deployment model complexity
2. | Cloud infrastructure readiness | |
3. | Database infrastructure readiness | |

Activities (columns: No | Activity | Responsible | Input | Output | Temp/Solution)

1. Architect for database injection:
   - SQL injection prevention using parameterized queries and procedures
   - Sensitive data exposure: create a security token
   - Create domain values for database attributes
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Security Architect
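As an added illustration of the first bullet (example code, not part of the procedure document), the same lookup written in T-SQL once with string concatenation and twice in the parameterized form the activity asks for; the table dbo.Customers and its columns are assumptions:

```sql
-- Added example, not from the procedure document.  Assumes a table
-- dbo.Customers(CustomerId int, Email nvarchar(256), IsActive bit).

-- Unsafe form: the caller's value is spliced into the statement text, so the
-- database parses it as SQL rather than treating it as data.  Shown only for contrast.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Email nvarchar(256)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email FROM dbo.Customers WHERE Email = ''' + @Email + N'''';
    EXEC (@sql);
END;
GO

-- Safe form: the statement text is fixed when the procedure is created and the value
-- arrives as a typed parameter, so it can only ever be compared, never executed.
CREATE PROCEDURE dbo.FindCustomer @Email nvarchar(256)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Email
    FROM dbo.Customers
    WHERE Email = @Email;
END;
GO

-- When the statement must be assembled at run time (optional filters), keep the data
-- out of the text with sp_executesql: only fixed, trusted fragments are ever appended.
CREATE PROCEDURE dbo.FindCustomerFiltered @Email nvarchar(256), @ActiveOnly bit = 0
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email FROM dbo.Customers WHERE Email = @p_email';
    IF @ActiveOnly = 1
        SET @sql += N' AND IsActive = 1';
    EXEC sys.sp_executesql @sql, N'@p_email nvarchar(256)', @p_email = @Email;
END;
GO
```

During test preparation the check is mechanical: any procedure that builds its text from a parameter and runs it with EXEC (@sql) belongs in the unsafe class, whatever the parameter is named.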

2. Architect for sensitive data exposure:
   - Architect for user security access rights per database
   - Disable module debug info
   - Always deploy release versions
   - Apply defensive programming
   - Architect for sensitive data encryption per database
   - Architect for preventing data crawling via search or URL query strings
   - Architect for preventing predictable URLs or query strings
   - Encrypt sensitive cached data
   - Depend on session variables instead of query strings
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Testing Team

3. Architect for XXE (XML External Entity):
   - Focus on the JSON format instead of XML to prevent injections
   - Use modern XML parsers like AntiXssEncoder
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Security Architect

4. Architect for integration security:
   Define security and compatibility models:
   • Headers: for validation and system configuration
   • Tokens: for security
   • WebApi calls
   • Disable HTTP connections
   • Enable SSL
   • Encrypt authentication data
   • Remove/disable unused protocols
   • Remove connection headers that include the OS, protocol, server type or version
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Testing Team

5. Architect for security misconfiguration:
   - Remove authentication defaults for databases and servers
   - Customize error messages to prevent exposing valuable data to hackers
   - Apply least privilege
   - Request validation tags
   - Remove guest accounts
   - Remove unused accounts
   - Remove the IUSR account
   - Rename administrator accounts
   - Add a process for disabling inactive employees' accounts
   - Change access rights on all servers/clouds for inactive employees
   - Cookies and session tokens should be automatically generated and encrypted
   - Brute force/identity theft: limit login to n attempts
   - Brute force/identity theft: enable two-way authentication for multiple logins from different devices
   - Enforce a password change policy
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Security Architect

6. Architect for broken access control:
   - Automatic generation of session IDs
   - Session timeout
   - Authentication credentials: encryption
   - Maximize account strength
   - Disable autocomplete on pages where you want to prevent data theft, such as credential forms
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Testing Team

7. Architect for cross-site scripting:
   - To prevent CSRF, enable a CSRF token at the front end so that requests from components outside the solution are not accepted
   - Set X-Frame-Options: DENY to prevent clickjacking attacks
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Security Architect

8. Architect for insufficient logging and monitoring:
   - Business-level logging should take place for objects/actions
   - Set a retention plan for data existence
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Testing Team

9. Architect for code security:
   - Use ready-made obfuscation tools to encrypt front-end (FE) code
   - Use interfaces and member-function access modifiers (public, private)
   - Use internal for all classes to prevent use by third parties
   - Enable CAS (Code Access Security) for components
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Security Architect

10. Auditing and monitoring:
   - Enable action auditing for all system functions
   - Enable auditing levels as defined in the logging module
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Testing Team

11. List architecture:
   - Architect for whitelisting the IP addresses that are trusted to get data from
   - Architect for blacklisting IP addresses that try to mount DoS attacks
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Security Architect

12. Architect for denial of service:
   - Prevent long-running actions, like queries and looped requests
   - Prevent uploading huge data files, like videos and images (size should be restricted)
   - Use strong exception handling to prevent exposing valuable data to attackers
   - Enable caching at different levels to prevent denial of service
   - Enable WAF (web application firewall) services on the cloud
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Testing Team

13. Architect for database security:
   - Create users with least privilege to prevent executing unpredictable actions
   - Enable certificates for reading sensitive data over the database
   - Use parameterized queries and procedures to deal with data
   - Create different users with different credentials according to responsibility
   - Use least privilege to prevent attacks on your assets
   - Create different users with the following key roles:
     o db_datareader: for reading
     o db_datawriter: for writing
     o sysadmin: for upgrades
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: Security Architect
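A T-SQL realization of the role split listed above, added here as an example (not part of the procedure document); the database name AppDb, the principal names and the placeholder passwords are assumptions, and the closing query is the check a tester would run against the result:

```sql
-- Added example, not from the procedure document.  Assumes a database named AppDb;
-- principal names are hypothetical and the passwords are placeholders to be supplied
-- from a secret store, never committed as literals.
USE AppDb;
GO

-- Reporting identity: db_datareader only, so it can SELECT but never modify data.
CREATE LOGIN app_reporting WITH PASSWORD = N'<placeholder-strong-password-1>';
CREATE USER app_reporting FOR LOGIN app_reporting;
ALTER ROLE db_datareader ADD MEMBER app_reporting;

-- Writer identity: db_datawriter for INSERT/UPDATE/DELETE, plus db_datareader because
-- db_datawriter on its own does not include SELECT.
CREATE LOGIN app_writer WITH PASSWORD = N'<placeholder-strong-password-2>';
CREATE USER app_writer FOR LOGIN app_writer;
ALTER ROLE db_datareader ADD MEMBER app_writer;
ALTER ROLE db_datawriter ADD MEMBER app_writer;

-- Application service identity, the tightest of the three: no table permission at all,
-- only EXECUTE on the parameterized procedures in dbo, so the procedures bound what it can do.
CREATE ROLE app_exec;
GRANT EXECUTE ON SCHEMA::dbo TO app_exec;
CREATE LOGIN app_service WITH PASSWORD = N'<placeholder-strong-password-3>';
CREATE USER app_service FOR LOGIN app_service;
ALTER ROLE app_exec ADD MEMBER app_service;

-- Upgrade identity: sysadmin is a server-level role, so membership is granted on the
-- server rather than in the database, and the login stays disabled outside release windows.
CREATE LOGIN app_upgrade WITH PASSWORD = N'<placeholder-strong-password-4>';
ALTER SERVER ROLE sysadmin ADD MEMBER app_upgrade;
ALTER LOGIN app_upgrade DISABLE;
GO

-- Check used during test preparation: list each application principal with its roles;
-- any membership beyond the assignments above is a finding.
SELECT u.name AS principal_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = rm.member_principal_id
WHERE u.name LIKE N'app[_]%'
ORDER BY u.name, r.name;
```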

 

Outputs

No | Output | Going To/Input Of | Measurements
4. | Approved High-Level Architectural Design | PD_Detailed_Design_Procedure; PD_Integration_Test_Execution_Procedure; PD_Implementation_Procedure | No. of produced reusable components; Deployment model complexity
5. | Cloud infrastructure readiness | |
6. | Database infrastructure readiness | |

02-Security Testing Planning Procedure

Activities (columns: No | Activity | Responsible | Input | Output | Temp/Solution)

1. Plan for the FE features/modules to be tested
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: EA

2. Plan for the integration layers/services to be tested
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team

3. Plan for the database layer to be tested
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team

4. Plan for the OWASP Top 10 vulnerabilities to be in scope:
   - Injection
   - Broken authentication
   - XXE: XML External Entities
   - Sensitive data exposure
   - Security misconfiguration
   - Insecure deserialization
   - Broken access control
   - Cross-site scripting
   - Insufficient logging and monitoring
   - Using components with known vulnerabilities
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team

5. Create the testing schedule according to the iterative time-boxes
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team

6. Determine testing tools:
   - SonarQube
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team

03-Security Testing Execution Procedure

Activities (columns: No | Activity | Responsible | Input | Output | Temp/Solution)

1. Go to the Test Execution procedure
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: EA

 

04-Security Testing Follow-up Procedure

Activities (columns: No | Activity | Responsible | Input | Output | Temp/Solution)

1. Go to the Test Follow-up procedure
   Responsible: Security Architect, Testing Team
   Input: Security Architect, Testing Team
   Output: Security Architect, Testing Team
   Temp/Solution: EA