Security Audit for Dummies

A security audit is the final and the most important step in implementing security defenses. When you build your service, you always have to remember to make it as safe as possible. The bigger it is, the more important its security is.

The first step is to run a risk analysis in order to find possible holes and find out what type of attacks you can expect. The second step is to develop a proper policy to defend against them. Finally, you undertake a security audit to check if it really works.

Penetration Testing

In order to check for possible attacks, we can use penetration testing (informally pen test). They are controlled attacks that look for security weaknesses. Their goal is to check our security system against known possible threats and return the report (what do we need to improve?). Thanks to that we can identify which defenses are effective and which ones (if any) are defeated and need to be fixed. A penetration test target may be either white box (provides background and system information) or black box (provides only basic information or no information at all except the company name).

We’ve compiled some Websites and Tools that can help you learn more about Penetration Testing:

Distros
Kali Linux
Parrot Security OS
BackBox
PentestBox Windows
More distros…

Tools
Metasploit
w3af
Wireshark
Nmap
Nmap Cheat Sheet
More tools…

Tutorials/Training
Kali Tutorials – Pen Testing for Beginners
OWASP Web App Pen Testing
Offensive Security Online Training

Penetration Testing Training with Kali Linux

Web Application Pentesting

Blogs
Sans Pen Testing Blog
Offensive Security Blog
Pentest Mag Blog

Upcoming Conferences
IEEE Shortlist

Risk-based testing (RBT)

In this kind of test we prioritize and emphasize what risks are the most important to us. With this knowledge, we can choose and prepare proper tests during test execution. Shortly – we can call “risk” to an undesirable outcome which we want to ensure that it won’t happen. There is not always enough time to efficiently check all security areas, so risk-based testing concerning the functionality of the systems that have the highest impact and probability of failure can be the best choice.

We can summarize the whole idea of Risk-based testing in a few points:

• it starts at the early beginning. We try to define the most dangerous threats and with this knowledge we try to prepare proper plans for testing.

• as it accompanies us during the whole development process, it’s very helpful in reducing the likelihood of defects and creating working workarounds (and test them as well).

• allows us to define what threats are the most dangerous to us and which ones we still have to work on.

• it measures how well we are doing in reducing the probability of failure. If we know we can’t deal with something, we can search for tools and people to help.

Learn more…

Articles/tutorials:

Heuristic Risk-Based Testing
How to choose what to test more and less
What is Risk Based Testing in Software testing?
Risk Based Testing, Strategies for Prioritizing Tests against Deadlines
Risk-Based Testing What It Is and How You Can Benefit
A Case Study in Successful Risk-Based Testing at CA
stickyminds.com
RBT Tutorial at guru99

Cross-Site Request Forgery (CSRF) is a very simple attack. It basically uses two facts. One, communication between server and client is based on requests. Two, cookies are sent automatically to the server. CSRF attack allows an attacker to execute authenticated actions without user knowledge and approval. It depends mainly on forcing the browser to execute malicious requests and using a user logged in status. Learn more about CSRF:

What is CSRF?
Cross-Site Request Forgery Guide: Learn All About CSRF Attacks and CSRF Protection
CSRF Attacks, XSRF or Sea-Surf – What They Are and How to Defend Against Them
How to Prevent Cross Site Request Forgery (CSRF) Attacks in PHP
Do Your Anti-CSRF Tokens Really Protect Your Web Apps from CSRF Attacks?
Robust Defenses for Cross-Site Request Forgery

Another type of attack is Cross-site scripting (XSS), in which malicious scripts are injected into theoretically trusted websites. It could be JavaScript, it could be, for instance, VBScript. The main thing is it may be run in the browser. In result, an attacker can execute any script he wants. It can be injected very easily using comments system for example. You post a comment with a JavaScript code and if the server doesn’t do anything about it, it will execute your malicious code as well. Read about XSS at OWASP.

You can also take a look here for more information:

Types of XSS
Excess XS – A comprehensive tutorial on cross-site scripting
What is an XSS Vulnerability?

While XSS works on the client side, the SQL Injection uses databases. SQL Injection attack uses the form system in order to manipulate the data. Let’s say your query look like this:

DELETE FROM Users WHERE id = '$_GET['id']'

If the attacker changes the proper id to the string like this '1' OR '1'='1', your query will look like this:

DELETE FROM Users WHERE id = '1' OR '1' = '1'

…and in result, it will delete all the users from the table.

In order to understand this better, you can watch a great Computerphile video about this subject.

Other links for more info:

SQL Injection Cheat Sheet & Tutorial: Vulnerabilities & How to Prevent SQL Injection Attacks
How to Prevent SQL Injection Attacks
SQL Injection Attacks and Some Tips on How to Prevent Them

The Denial of Service (DoS) is a type of attack that is focused on making a resource unavailable. It uses a mechanism of sending a massive amount of requests to the server making it incapable of returning the result. It’s a very common attack and not so hard to prepare. It’s often hard to defend against it because defining if a request is valid or if it’s an attack is not always so easy. Learn more about DoS:

US Cert
/ddos-knowledge-center/ddospedia/dos-attack/
Best Practices for Preventing DoS/Denial of Service Attacks
What is a Denial of Service Attack? DOS, DDos, Hacking

Most important of all, use solid solutions. Don’t try to reinvent the wheel and to do everything your way. Before building your application try to find a solid base. Check for secure and popular frameworks. They’re often made by experts and their popularity makes them really secure. No one is perfect, but if they’re checked every day by its users, the holes and errors are easy to eliminate. Deciding to stick with your hand-made framework could bring a lot of harm if an attack really occurs. You can also use security frameworks in order to help yourself in security auditing. We recommend reading IT security frameworks and standards: Choosing the right one.

Try popular tools. Don’t be afraid of using the captcha mechanism, testing automation tools and so on. There are many of them on the market. You could check SoapUI, TestingWhiz… It could really make your life easier.

If you can afford it, the ideal situation would be to hire an external professional team. It’s the most expensive case but surely the best one. Try to find an expert to back you up in terms of security. It can be really useful. He will always see a lot more than you because he knows more about the threats out there. If you can’t afford an expert for a whole development process, try to find him after finishing the job. Make him check security and after all…

…do a quality security audit. And if the results aren’t perfect repeat the whole process. It’s pointless to carry it and ignore the results. Also, don’t check only for holes. Check the efficiency of the security improving solutions. For instance, if you deploy a strong password changing policy, make sure there is no way to bypass this function. Let’s say you require changing password every week. If you don’t design it well, you could, for instance, give the user the possibility to change it just only to return to the old password after a minute. Has the password been changed? Yes! But… it won’t do any good.

Try to be as detailed as you can. Check for everything, not only for the most common type of attacks. Even big names we all have heard of have been the victims of imperfect security systems. Thus, it is certainly not a piece of cake.

Does good security auditing make you completely secure? Not really. They say, your security audit is as good as the auditors, but there aren’t perfect tools and perfect people. However… try to make it as safe as possible. If you are going for a poor audit, better to not do it at all. Weak security auditing can leave you with a false sense of security that is extremely dangerous for your organization.

So, if you do it (and you should), try to be as effective as you can. There can be no shortcuts! Use the best tools, hire the best auditors, do the most detailed audits and don’t try to save some money here! If you save it now, there’s a very high risk of losing it in the future.