
No security testing? Then be ready for nightmare

Most of the applications that are released to the world are not tested against security quality criteria. Yet most of them confidently claim, “Our privacy policy safeguards you against hackers and attackers”; that is a fake policy rather than a privacy policy. I have seen web applications used by a large number of people that still contain common security vulnerabilities. Product owners can be happy about how many registrations they are getting, but they also need to sleep with the skeptical question, “When will my product be hacked?” I would personally put it this way: as long as hackers stay away from your product you are safe; when they get onto your product and hack it, it is a NIGHTMARE for your customers and for you as a businessman.

Non-technical product owners do not understand security
As a white-hat hacker I have reported security vulnerabilities to product owners; I have written e-mails. Some responded once and later neither cared to understand the security vulnerability nor fixed it. Some did not even respond to many gentle reminders; it looks like I had to send a rude reminder, LOL. Then I finally do a responsible disclosure through platforms like CERT, Keeda Null and others. They try to get in touch with the vendors and see whether they can get it fixed, but that is still not certain; however, I can go for full disclosure after the stipulated time if the vendor does not fix it even after being notified.

Most companies do not educate customers about security
A customer provides requirements that should help him or her in his or her business. Not all customers are technically sound. In such cases, the technical people at the company should educate them about security; sadly, most companies are not serious about this and just want to deliver what the customer asked for and get a huge amount of money transferred to their bank. In the end the customer goes for a toss while hackers sit on the application and rule it. Where is the problem? The problem I personally see here is that either the company does not have technical people who understand security, or the company does not want to educate customers even though it could at least try.

We do not have a security testing team
This is something I hear from organizations: we do not have a team of testers who can test for security. In my opinion, testers can learn to test for security. This comes from personal learning, and passion is a must. After learning, if testers can spend at least 1 hour with the mission of testing for security, I think that must help them and also helps the organization in return. Testers, are you game to learn security testing? The answer should not be, “We do not have a security testing team”. Rather it has to be, “We will build one”.

Let us say the testers at your organization do not have the skills to test for security and, for whatever reason, are not willing or able to learn; then what you can do is hire security consultants or ethical hackers who can do an awesome job and help you uncover the security bugs. Search on Google for security testing aspirants or ethical hackers and I am sure you will find a bunch of them. Well, you can even hire me :D

Tester: How do I start security testing? / Whom do we hire for security testing?
The answer is pretty simple: start practicing, read hacking books, confer with IT security professionals, think like a hacker. Here are some of the resources that can help you to start off with:
a. http://securitytube.net/ – Security testing / penetration testing videos and tools.
b. http://hackthissite.org/ – You can test your skills here. Good enough exercises to help you assess your skill level.
c. http://owasp.com/ – I just love this.
d. Hacking for Dummies by Kevin Beaver – You can also get the e-book version for free if you search for “Hacking for Dummies” at http://issuu.com/

The above is just enough for you to start off with. It will take you many days to finish the above activities. Well, it is not about finishing; it is about exploring more and more of what you read and what you analyze. Do not just read it and say, “I finished it”. After reading it, you have to question yourself: “What progress have I made? How am I able to test for security?”

More information
If you are looking to learn more and need some information from me, you can Skype me at “santhosh.s.tuppad” and tweet @santhoshst. I hope you had a good read (at least a few of you).

qTrace – How can it be of help for a tester?

A few days ago I got to know about qTrace by QASymphony. You may know them through BugDeBug as well, since they are platinum sponsors. Let me talk more about the qTrace tool, which could be used by testers. Here are my thoughts on it:

  • This tool could be used in contexts where the steps to reproduce are complex and there are many steps to be written along with many screenshots. qTrace can capture keystrokes and a screenshot for every click. Later, once you have recorded the steps, you can view them one by one, and the exact position of each click is displayed.
  • I liked “System Information” fetching in one place. You have the flexibility to include system information. If the bug you are reporting depends on specific system requirements, you can use this feature to fetch it in a second with a mouse click. Isn’t that cool enough?
  • Save As options – I see that the report can be saved as an MS-Word document, a PDF document and other formats. These export options are cool too.
  • You can choose what you want to record – by this I mean that it gives you a list of the windows that are already open to be recorded. You could choose “Skype” from the list, and only actions performed on “Skype” would be recorded, nothing else. I found this interesting, as other things will not be recorded if any interruption comes in.
  • Screenshot editing feature – this is a MUST, and I am glad to see this feature in qTrace. You can add annotations and crop, which is the editing feature.

What am I looking forward to from qTrace?

  • More features to make it a powerful one.
  • My wish-list of features includes:
    • Customizable “System Information” elements. A tester should be able to choose which information he needs rather than getting things that might not be required for the context.
    • An option to exclude “screenshots” when exporting to DOC or PDF format. Not all bug reports require screenshots. This could be disabled before recording the steps rather than choosing “Exclude” after recording them.
    • Make it available for other operating system platforms like Macintosh and Linux.

What is it priced at?

A yearly license costs you 199838 USD. Err, I am just kidding. It is just 49 USD and can be installed on 3 machines under one license. This is damn affordable for the value you will get out of it. I recommend it.

Happy qTracing!

I disagree with Jakob Nielsen’s STOP password masking article

I refer to http://useit.com/ for usability-related articles and recommend it to many testers as well. However, I filter out what doesn’t make sense to me rather than following something blindly. Darren McMillan, a tester and my friend, posted a tweet with the URL http://www.useit.com/alertbox/passwords.html, and after reading it I felt most of the points did not make sense (at least to me). I responded to the tweets, but 140 characters were not enough to put my thoughts on Twitter, which is why I thought of writing this blog post. Let the learning ride start now.

My comments on what Jakob Nielsen mentions in his article:

Jakob Nielsen says: “Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.”

Santhosh Tuppad says: Security is not about making something fool-proof. It is about building layer by layer. Yes, masking does increase security compared with not masking the password: it protects against shoulder surfing.

Jakob Nielsen says: “More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.”

Santhosh Tuppad says: I have seen many people, even in the office, feel uncomfortable when someone is sitting beside them and they need to enter their password. It is because they feel the other person might look at the keyboard if their typing is slow. When they feel uncomfortable in this instance, will they not feel insecure showing the password without masking? I have seen my colleagues come to my desk and ask for something. There have been instances when they came to my desk for something where I had to log in to an application and show them. Now, do I need to ask them to turn the other way, keep checking whether they are watching me, and then type my password?

I would say the contexts are different: if you are sitting alone in your office in a separate chamber, it is different. But remember that here we are dealing with all Web end-users and not just a hand-picked few.

Jakob Nielsen says: “Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.”

Santhosh Tuppad says: Well, by unmasking the password you are giving a chance to any snooper, not just the skilled ones. You are degrading the security here. Let me give a typical example you can relate to: your home has doors and windows. Even windows can be used by thieves to get into the house by breaking them. Now, that doesn’t mean you should remove the doors because thieves can get in through the window as well. I repeat: security is about adding layers, not about claiming FOOL-PROOF security.

Jakob Nielsen says: “Password masking has proven to be a particularly nasty usability problem in our testing of mobile devices, where typing is difficult and typos are common. But the problem exists for desktop users as well.”

Santhosh Tuppad says: I partially agree about the usability problem on mobile devices, where the keypad is cumbersome, while I disagree about desktop users. Yes, there have been times when we have typed a password wrongly, but I personally have not found that to be a usability problem. It is as simple as this: by mistake, from a bunch of keys, I inserted the wrong key in the lock and it did not open. So it doesn’t make sense to say, “Let me not lock the door at all”.

Jakob Nielsen says: “Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business.”

Santhosh Tuppad says: I personally see a password not being masked as a security vulnerability rather than seeing it from a usability perspective. I have not seen an end-user say, “I will not log in to this site because they mask the password”. Well, a password is a secret and it has to be secured. If a website doesn’t mask its password field, I would say that is a security bug rather than a usability element.

Jakob Nielsen says: “The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.”

Santhosh Tuppad says: How does it help when the password is unmasked? People will still continue to use simple passwords that they can remember; it doesn’t make any difference. People with random passwords who want to copy and paste will continue to do so whether the password is masked or unmasked. It is important to remember that technology provides one layer of security and the other layer must come from individual awareness. I cannot complain that the system is not securing my account when I wrote my password on a piece of paper and a hacker got hold of that piece of paper.

Jakob Nielsen says: “Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they’re using an Internet cafe. It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there’s a tension between security and usability, sometimes security should win.”

Santhosh Tuppad says: The checkbox idea might be employed, given that by default the password is masked. However, I do not agree where Jakob Nielsen mentions only “high-risk applications”. Why the discrimination? Any application that has a login feature is built with the purpose of protecting data.

Should a banking application have the masking feature for passwords by default? Why not others? You put the masking feature on by default so that no one else can see the password and you do not feel uncomfortable continuing your work while someone is sitting beside you. Right? Then why do it only for some applications and leave out the others? Just as “iPhone is iPhone”, “security is security” and “an end-user is an end-user”, irrespective of what kind of application he or she is using.

Summary

In my opinion, it doesn’t make sense to say, “I will remove the doors to add usability, so people do not have to open the door lock and put effort into it”. People can still get in by breaking the window or the door, but the door is a layer of security, the same as a “masked” password, and it should not be removed. I agree to some extent with the checkbox idea, where you give a checkbox to unmask the password and show it as plain text to the end-user; however, by default it has to be masked. It is just like not checking the “Remember Me” option by default, for security. By the logic of password unmasking, “Remember Me” should be checked by default to add usability, which is not correct.

It is not security versus usability. It is about thinking how we can build applications with better security and better usability, without compromising on either beyond a certain level even if we cannot fully satisfy both; above I have given contexts with solutions where there is no degradation of usability or of security. It is not that security must win and usability should lose, or vice-versa (they are not contenders). There are always better ideas; what it needs is brainstorming. Usability is more about analysis and psychology than about concluding in a few minutes or concluding by thinking as an individual. I would finally like to add one point here: “If you are not masking the password then you are spoiling the User eXperience, and you may make end-users not log in to your application because they feel uncomfortable logging in with plain text while someone is beside them.”

I hope you had a good read and happy learning.

LOTS OF LEARNING AT BUG DE BUG CONFERENCE

Guess what? Some cool news for software testers and software testing aspirants: the BugDeBug conference is happening in Chennai this March 2012. I am excited to attend this conference again, and I am also conducting a workshop on “Security Testing” there. Well, when I say “workshop” I mean a “hands-on” workshop where participants can test for security. The differences compared with the last 2 conferences are:

  1. 2-day conference
  2. Workshops on different topics like Exploratory Testing (@testertested), Performance Testing (@rahul_verma) and Security Testing (@santhoshst)

How is this conference different from yet another conference?

I have attended quite a few conferences so far, and the only conference I enjoy being at is “BugDeBug”, which is organized by the RIA RUI society. Some of the things that I like about this conference are:

  1. Organizing part
  2. Speakers
  3. Competitions
  4. Not to forget, good lunch! Yummmmmmmm!
  5. Affordable registration price (remember that the value you will get out of this conference is no match to what you have paid. It’s an awesome conference)

The list would go on if I wanted to list all the good things about this conference.

How can you benefit from this conference?

Networking with people

Once you register, just sitting idle in the conference doesn’t work out. You need to move from your place, go introduce yourself and network with the people around you. Do not wait for others to come to you and talk. Just go and say “Hi” and start rolling the ball.

Participating in competitions

I guess there will be some competitions at this conference too. So do not shy away from participating. Participate actively and you might win some goodies.

Workshop

If you are attending a 1-day workshop, please carry a laptop with you; it will facilitate better learning for you. If you do not have one, you can request someone to share their laptop with you.

What are you waiting for?

This is not the time to think; go and register for BugDeBug at http://bugdebug.in/ and keep your fingers crossed to witness one of the most successful software testing conferences in India.

See you all at Bug De Bug 2012 in Chennai.

A quick usability cooking through mindmap

Mindmap for Usability