Wednesday, March 31, 2010

How safe am I, if I use your application?


Mission:
Find security information that could make the application lose out to a competitor's similar application.


Application under Test: File Uploading Application.
Session ID: FUA-1
Start Time: 27th March 2010 12:08 PM IST.
End Time: 27th March 2010 3:25 PM IST.
OS: Windows XP SP3.
Browser: Firefox 3.6.2
Anti Virus: Symantec Endpoint Protection.


Context:
The tester has been given only an application release, the same build that is available in the market to users, and asked to test it. The application owner expects information from testing within a few hours. The application is in demand in the market and is being purchased by users to upload files to FTP sites of their choice. With a view to surviving in a competitive market, the application owner decides to test for security threats. The tester is assigned the job of finding information on security loopholes and of identifying how the competitor's similar application withstands the identified loopholes.


Tester starts learning:
  • What is the application?
  • What platforms does the application support?
  • Why should a user use this application? What are the benefits of using it?
  • Who are the users of this application, and of such applications in general?
  • Who are the competitors with similar applications?
  • How is the application used (or how can it be used) once available?
  • Why do users choose this owner's application in particular, when other similar applications are available in the market?
  • What types of files can be uploaded? What are the minimum and maximum file sizes that can be uploaded?
  • When, how and why does the application "not do what it appears to do"?
  • How does the application "do what it does", and does it "do what it is expected to do"?
  • How is the application built?
  • Are any limitations currently known in the way the application appears to work?
  • Are there any defect reports not fixed, deferred, or not released with the present build? If yes, why?
  • Are the users of the application satisfied with it today, and were they earlier? If not, what concerns them about using the application?
  • Are users looking for new things in the application today? If yes, how quickly do they need them, and how do they value the application when those things are available and when they are not?
  • Was the application's license key cracked earlier? If yes, how frequently was the license key or file cracked or generated? If no, did the team at the development site try to do so, and what was the result? What was the decision of the decision maker(s) when the license file was cracked, or when it was not possible to crack?
  • Was the application server at the owner's site hacked earlier? If yes, how frequently was it hacked, and what was the cost of these hacks? If no, did the team at the development site try to do so, and what was the result? What was the decision of the decision maker(s) when the server was hacked, or when it was not possible to hack?
  • How have sales and revenue for the application compared with the competitors' similar applications?
  • Are all claims made for the application met? If not, which claims are not met, and for whom? How high is the cost to them of the claims not being met? Which claims have been met?
  • Are any records or feedback from the users of the application maintained? What do those records or that feedback say?
  • What does the customer support feedback say about the service being given to application users?

My mistakes in this session:

I was not able to test with all the security test ideas I had in my test coverage model in the given time. I invested time in investigating the behavior of the application. I need to concentrate and achieve the mission in the given time by exercising the application using the test coverage model. The test report can be found here.

I learned that whenever we use anti-virus software, firewalls, routers, port scanners or any other threat-identifying tool, we are using someone else's program code built as an application. These applications can have defects within them. The question that remains with me now is: can an application be easily accessed when something unexpected happens to the security-providing application? If so, what will it cost the user? If security is understood as freedom from fear, then why do so many software applications get hacked or cracked? Do software applications have no freedom?


10 comments:

  1. Wonderful article! Your blog is really interesting. Thanks for sharing it.

  2. How to predict threats?

  3. @Offshore Software Testing, @Rama

    It appears you have read this post. I am glad for the questions you both raised in me.



    From @Offshore Software Testing: Wonderful article! Your blog is really interesting. Thanks for sharing it.

    I found many mistakes in this post after posting it. Something thought of as wonderful and interesting can be more wonderful and interesting if I know "I'm biased; how I'm biased and how to break those biases."

    Interesting or non-interesting things have given me surprises when something I had not thought of (from them) has happened.

    Your comment made me learn "how something that looks interesting and wonderful can stop me from identifying many more unexpected surprises from it and within it". Thanks!




    From @Rama: How to predict threats?

    Now I can relate both these comments (the first two comments) in one view. But there are infinite views that I can take. Will all those views get or show something unknown or known, surprises or unpredictable things? Let us take an example: I am consuming fuel to run all my vehicles. Will fuel always be available to me and to any generation of our race? What if in the next hour fuel becomes scarce, or there is no more fuel that can be used (whatever cycles of extraction and purification or other approaches are applied)?

    Have I thought or predicted that it will happen in the very next hour? Say I had identified this risk or threat; I would then have missed observing the (probable) occurrence of some other risk(s) or threat(s) arising from that event. How do I predict or learn about such a threat or risk?

    My understanding for now is that context-driven analysis of an aspect might help to get information on threats or risks. But there is no guarantee that all threats and risks are uncovered. Yes, thinking that all risks or threats are uncovered will itself be a dangerous threat or risk. And such dangerous risks or threats will always be lessons to be learned.

    I missed such potential threats while testing the application described in this post. I realized it when I introspected.

    If I say "How to learn threats?" rather than "How to predict threats?", will it help me? Just predicting might eradicate my learning. It depends on the context(s) in which 'predict' and 'learn' mean the same or different things to me.
    *Note: I don't suggest or advise anything here. I am sharing my mistakes with you.

    How do I predict for myself "when I will fly like an eagle without wings or any such tool in my body?" How do I learn for myself "when I will fly like an eagle without wings or any such tool in my body?"

    Thanks for your question. It helped me to learn. Searching testing and non-testing blogs for information on threats and risks will help me learn more about your question.

  4. Any ideas how to learn more about threats and risks when I know there is something here?

  5. @Rama

    Any ideas how to learn more about threats and risks when I know there is something here?

    I am not an expert or specialist who can tell you something you may find useful. My learning may look wrong or may not suit you. I will share my mistakes with you yet again, and what I am learning.

    When I know there is something, I ask myself "what don't I know about this something?" and "what is that something which I don't know?". Learning about what I don't know and working with what I know may show me something newer or disguised (risks or threats) which I did not see (know) or foresee earlier.

    It depends on the situation or context which I have to concentrate on more, i.e., either "that about which I don't know anything", or "that about which I know something", or "both".

    If I were asking these questions in a software testing context, talking to and learning from experienced people in the testing field might help me.

  6. Came across this post from Nandagopal now. He has shared how he learned to compare an application with competitors' applications.

    Sharing of your learning helped me, Nandagopal.

  7. How did you see the code of an application to work on reversal of encryption?

  8. @Anonymous,

    The tested application's code was not obfuscated. The code not being obfuscated can be a concern. If the application is more open to the threat of brute-force attack, obfuscating the program code may help to some extent; that is what obfuscation claims.

    I am not sure to what level the program code can be hidden, or shown as other characters, using obfuscation.

    I don't know how to get through obfuscated code. I myself need to practice the basics a lot more.

  9. Came across a useful write-up by Santhosh Shivanand Tuppad on security testing, and it is here.


Please do write your comment on the information you have read. Thank you.