Skip to content
Supporting Mozilla to spread!
Download Beta

My First Step Towards Mobile Security Testing

Looking at the title it doesn’t mean that I have conquered web security testing totally. And it wouldn’t make sense to me if I said; I would conquer web security totally before I die. It is such a vast area of study and keeps on going and going just like we do not know where the end of this universe is? I wasn’t a freak of mobile phones from long back. However, as a security tester I wanted to see how I could test for mobile security. And I must admit that, mobile security is not yet matured when compared to web security in terms of exploration.

I started from searching for mobile security books on amazon and flipkart. I finally found a book titled “Mobile Application Security” on Flipkart and bought it. With respect to reading from a book, I have always been a reader who would just skip the pages where I couldn’t find it interesting. My reading approach of this book was to go to the last topic which spoke about “Tools and Utilities” for mobile security. (Reference: https://www.isecpartners.com/tools/mobile-security.aspx) I started to read about tools description and thought of learning in reverse engineering fashion. One is to learn the concept and find the tool which can accomplish in implementing your idea; while the other way is to learn the tool and then think of test ideas. So, I picked the second approach as of now.

My reading has not been regular as of now, but I hope to get back to the track soon. The reason is, I have been very busy for the preparation of my next start-up. Follow me on Twitter @santhoshst to know the frequent updates and also I have been using hashtag as #MyNextStartupTeaser

In a nut-shell here is what I have learned about mobile (security) testing,

  1. Jailbreaking
  2. Android Manifest Explorer Tool
  3. Intent Fuzzer Tool
  4. Dalvik VM – This was interesting read to know how one could debug for android apps. Thanks to Perze Ababa (His blog: http://perze.blogspot.in/) for bringing this to me while we were discussing several things while having dining.
  5. And something related to the check automation

I always see any topic or study as vast. It always depends on how it looks to ones eye. So, I am game for the challenge and look forward to be good enough in terms of mobile (security) testing.

Share/Bookmark

How organizational culture helps in success or failure?

Tstock-photo-friends-confide-secrets-136364492here are many non-technical aspects that made a team successful in a project. I am able to tell this because I have faced these in my professional life. For a quick introduction, look at what Wikipedia says about Organizational Culture. Following some tips would surely make your life better considering professional life.

Gossiping can be wrong if handled wrongly

People do not like someone talking about them in a negative way. Generally, people who are gossiping think that the victim is not aware of it. However, the pathetic situation is when the victim gets to know that there are people who are gossiping. They break down and start focusing their energy on those people while their productivity does get hampered. Productivity involves thinking aspect as well which is focused elsewhere now. Are you having a watch on it? On the contrary, something beautiful that I read about positive side of gossiping can be found here.

No kidding, you are dealing with humans
I have seen lot of team activities in organizations to bring people closer. However, I did not like few or many of them. To showcase one of the examples, let us say; team is on an excursion and there is a singing competition or people are asked to dance. In this case, some may be not interested or feel shy or they are introverts or they are extroverts. I have seen people making fun of such people & finally saying, I was just kidding. Well, be informed that; you might be hurting someone when you were kidding.

Apologies do help to heal
I am fan of asking apologies if I feel the person was hurt. Here, let me make it clear that saying apologies is not about right or wrong. It is about saying, you got hurt and I care so that we can take our team member relationship to a higher extent and do well in our life. There is no harm in apologizing to your managers or sub-ordinates. However, some people refuse to apologize because he / she did not feel sorry. Well, it is not about feeling, but more of other factors which you can find here. Finally, it is empathy. What do you think?

No blame game or taunts
When I work with team members and if someone did not do the work well or goofed up with something; I do not get angry or blame them. Instead, I say; no problem let us do it together or else I say, “How may I help you?” Understand that there is no point in getting angry because it may make things worse rather than fixing. So, better change things with love and achieve success. Have you ever done it?

Be conscious about words
There is way of asking questions when you are dealing with humans. If someone is introvert and you ask him or her “Are you an introvert?” can make that person feel bad thinking that “Introvert is negative”. Well, it is a way of life. However, not many understand them and treat it to be negative. Instead one can say, “Do you like to speak in conferences” which can indirectly answer and can act as heuristics.

Five mantras to be a good team member

  • Inspire
  • Encourage
  • Motivate
  • Respect
  • Do not go personal

DISCLAIMER: This varies from organization to organization and depends on the people in the team. These are not strict rules, but context dependent [Example: Sometimes "Just Kidding" may not hurt and may actually improve the bonding between two persons or a group]. One needs to be conscious of how he / she is behaving.

NOTE: Also, on the other hand; you may want to become stronger to handle such people who irritate or who have cruel intentions whenever they speak or behave [You may ignore or speak out to them, it is your choice while both of them work]. That can help you to focus on your goals and not make the noise to enter you. Wishing you all a happy living.

Testathon – A Hackathon For Testers

Testathon LogoYou have always heard about Hackathon where developers will be involved. Now, it is a happy news that there is a testathon which is similar to hackathon, but for testers. It is one of the milestone in software testing community. Without stealing the credits, I had the similar plan and the same name (“Testathon”) in back of my mind before few years. Nevertheless, I am happy that finally it is here by someone and that someone is Mr. Fahim Sachedina. Testathon are the folks who organized world’s first testathon.

If you are wondering, what’s in it for me? Here is the answer,
• You will test with some of the other cool testers
• You will win prizes, yes even cash prize & much more

Visit Testathon website at http://testathon.co/ and you will get more details.

SECURITY TESTING WORKSHOP IN BANGALORE (FREE)


No more registrations accepted.


Security Testing Training in Bangalore

Security Testing Training in Bangalore

How to test password feature in web application?

Password_Lock_Security_TestingPassword enforcing rules

Not all users know about threats in security space. It is important for companies to enforce password rules to take care of user’s account not being compromised by attacks such as brute force dictionary based attack. Providing the rule like, at least 1 capital letter, 1 lower case letter, 1 special character and totally 10 minimum characters would safeguard them better.

 

Case sensitive versus case-insensitive passwords

Usernames may be case insensitive while passwords are not recommended to be case-insensitive. It is just like this, a person who is opening the door can change his appearance however; key to open the lock need to be same and should not be changed with respect to the keys teeth. Case-insensitive passwords are highly vulnerable compared to case-sensitive passwords.

 

CAPTCHA to avoid brute force

Most of the hackers love to see login form without CAPTCHA as it is easy to do automated password requests using software to crack the password. Account lockout policy or CAPTCHA is efficient way of securing your users account from being compromised.

 

Make sure you transmit password under SSL

HTTPS / SSL makes your password to not be seen as plain text by sniffing by malicious hackers who can steal the password and username which flows over the wire once the login form is submitted.

 

No maximum length restriction

Good to have a minimum length validation however, maximum length restriction should not be set anywhere less than 50 characters. It is seen some companies restrict it to 16 even though some users wanted to set more than it using a pass-phrase to have comfort feeling.

 

Change Password need to ask for Old / Current Password

Many web applications tend to not ask for old / current password while setting new one. Considering security, it is important to enter current password and then new ones to validate if the user is genuine owner.

 

Forgot Password Link Expiry

Important to expire the link after one use is a standard to avoid re-use of it by malicious hacker. Also, irrespective of whether the link is used or not, expire it after 24 / 48 / 72 hours based on business context. Last, but not least; check if the token value in the URL is at least 64 characters to avoid brute force. OWASP standards for forgot password is great source of information.

There are more tests that you could do with password feature. This is a kick-start for those who want some quick test ideas to test password feature.