Ashish Khandelwal and Gunankar Tyagi, McAfee
Security testing is usually discussed in terms of a few well-known categories such as XSS, SQL injection, key logging, backdoors and phishing attacks. However, a lack of skills and hands-on experience in Application Security Testing prevents its practical implementation, and most project teams do not know where or how to start.
This paper follows the experimental journey of our team of functional testers and our new approach to Application Security Testing. As a team, we faced many challenges from the beginning: understanding the Threat Model approach, implementing it under time constraints, and dealing with the failure to finally implement it and yield value. We subsequently created a self-adjusting model, which we have coined the "Adaptive Application Security Testing Model."
This model follows a systematic ladder approach in which your expertise, skill set and result-oriented strategy are enhanced step by step. It breaks free from the traditional approach and introduces an elementary but adaptable methodology. It bridges the gap by identifying security defects early in the test cycle without compromising the rigorous Threat Modeling approach. Overall, it covers the security effort end to end: developing the abuse cases, creating an attack model, carrying out attacks on the product and the subsequent follow-up.
Based on our experience, we have broken the Adaptive model down into two sequential testing objectives: Peripheral and Adversarial.
As with functional defects, the first security issues can be found with minimal effort. Peripheral Security Testing exploits this and takes the lead in finding early security defects. This specially designed black-box approach, guided by attack models, exposes surface-level but crucial vulnerabilities.
Adversarial Security Testing, on the other hand, requires the tester to dig deep into the product, equipped with a set of prerequisites: research on historical vulnerabilities, code base knowledge, architectural understanding and application security testing expertise. This harder approach, once followed rigorously, gives you extra mileage in uncovering product vulnerabilities.
The snapshot below explains the process followed by each of the two approaches. It is important to adopt both approaches and follow them in sequence.
The Adaptive model aims to make the most of an Application Security tester's effort. Under tight deadlines and with limited resources, this paper gives you a strategy to achieve application security without making compromises.
To conclude, here are some of the strategic points an application security tester can take away:
- Positioning themselves on the Adaptive Ladder
- Understanding Application Security from a rudimentary but Adaptive perspective
- How to create Attack Models
- Real-world case studies
2010 Technical Paper, Ashish Khandelwal and Gunankar Tyagi, Abstract, Paper, Slides