Model | Verification | Requirements-driven Testing | Misuse/Abuse Testing
Benefit
Insight into behaviour of your applications when dealing with unexpected input
Activity
Perform fuzzing, sending random or malformed data to the test subject in an attempt to make it crash. Fuzz testing or Fuzzing is a Black Box software testing technique, which consists of finding implementation bugs using automated malformed or semi-malformed data injection. Cover at least a minimum fuzzing for vulnerabilities against the main input parameters of the application.
The advantage of fuzz testing is the simplicity of the test design, and its lack of preconceptions about system behavior. The stochastic approach results in bugs that human eyes or structured testing would often miss. It is also one of the few means of assessing the quality of a closed system (such as a SIP phone). The simplicity of fuzzing a target is offset by the difficulty in accurately detecting and triaging crashes. Favour existing fuzzing tools and frameworks to leverage their supporting tooling.
Question
Do you test applications using randomization or fuzzing techniques?
Quality criteria
Testing covers most or all of the application's main input parameters |
You record and inspect all application crashes for security impact on a best-effort basis |
Answers
No |
Yes, for some applications |
Yes, for at least half of the applications |
Yes, for most or all of the applications |
Benefit
Detection of application business logic flaws
Activity
Misuse and abuse cases describe unintended and malicious use scenarios of the application, describing how an attacker could do this. Create misuse and abuse cases to misuse or exploit the weaknesses of controls in software features to attack an application. Use abuse-case models for an application to serve as fuel for identification of concrete security tests that directly or indirectly exploit the abuse scenarios.
Abuse of functionality, sometimes referred to as a “business logic attack”, depends on the design and implementation of application functions and features. An example is using a password reset flow to enumerate accounts. As part of business logic testing, identify the business rules that are important for the application and turn them into experiments to verify whether the application properly enforces the business rule. For example, on a stock trading application, is the attacker allowed to start a trade at the beginning of the day and lock in a price, hold the transaction open until the end of the day, then complete the sale if the stock price has risen or cancel if the price dropped?
Question
Do you create abuse cases from functional requirements and use them to drive security tests?
Quality criteria
Important business functionality has corresponding abuse cases |
You build abuse stories around relevant personas with well-defined motivations and characteristics |
You capture identified weaknesses as security requirements |
Answers
No |
Yes, some of the time |
Yes, at least half of the time |
Yes, most or all of the time |
Benefit
Transparency of resilience against denial of service attacks
Activity
Applications are particularly susceptible to denial of service attacks. Perform denial of service and security stress testing against them in controlled conditiions, preferably on application acceptance environments.
Load testing tools generate synthetic traffic, allowing you to test the application’s performance under heavy load. One important test is how many requests per second an application can handle while remaining within its performance requirements. Testing from a single IP address is still useful as it gives an indication of how many requests an attacker must generate to impact the application.
Denial of service attacks typically result in application resource starvation or exhaustion. To determine if any resources can be used to create a denial of service, analyze each application resource to see how it can be exhausted. Prioritise actions unauthenticated user can do. Complement overall denial of service tests with security stress tests to perform actions or create conditions which cause delays, disruptions, or failures of the application under test.
Question
Do you perform denial of service and security stress testing?
Quality criteria
Stress tests target specific application resources (e.g. memory exhaustion by saving large amounts of data to a user session) |
You design tests around relevant personas with well-defined capabilities (knowledge, resources) |
You feed the results back to the Design practices |
Answers
No |
Yes, some of the time |
Yes, at least half of the time |
Yes, most or all of the time |