Component-level security testing, also referred to as feature-area-level security testing, describes security testing isolated by feature area.
Threat Model
Test the threat model; each threat bug which is fixed must have a test verifying the mitigation. Ensure there is a test case for each threat (automated or manual).
Gain a thorough understanding of the threat model for your component and the security model for the product.
Secure Default Configuration
Create test cases that ensure that the default configuration is secure.
Think about the ACLs required on various artifacts
Think about the application, service, and database roles required
Validate that sensitive error messages are secure
Authorization Manager
Verify that the roles are functionally correct.
Call each sensitive API for each out-of-box role
Create customized roles for the sensitive API, focusing on the most powerful permissions
Think of ways you can bypass Authorization Manager (AzMan) checks
Input Validation
Buffer overflows
SQL Injection
Cross-site Scripting
Filename Canonicalization (all paths, including XPath queries, registry paths, etc., must be properly handled)
Input Length (as appropriate)
Minimal Privilege
Attempt to run tests in the least privilege configuration
Use a non-admin account on dev machine while running tests
Verify that various tasks are not feasible if an account with lesser privilege than the minimum specified is used.
Concurrency
Determine if it is possible to exploit race conditions
Think about caching and timing related issues.
Test security-relevant operations, alternately expecting failure and success, using one thread and using multiple threads
Time of check and time of use issues; see if missing atomicity can be exploited to bypass security enforcement.
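The single-thread and multi-thread tests described above, as an added example that is not part of the original checklist. The Guarded class, its gap test hook and the user name "u" are constructed for illustration; the hook lets the test place a revocation exactly between the check and the use, so the result does not depend on thread scheduling luck.

```python
import contextlib
import threading

class Guarded:
    """Constructed stand-in for a component with one sensitive operation."""
    def __init__(self, atomic):
        self.atomic = atomic        # True: check and use happen under one lock
        self.lock = threading.Lock()
        self.allowed = set()
        self.stale_uses = 0         # test oracle: uses made after revocation

    def set_access(self, user, granted):
        with self.lock:
            (self.allowed.add if granted else self.allowed.discard)(user)

    def read(self, user, gap=lambda: None):
        """gap() is a test hook that runs between the check and the use."""
        hold = self.lock if self.atomic else contextlib.nullcontext()
        with hold:
            if user not in self.allowed:                  # time of check
                raise PermissionError(user)
            gap()
            self.stale_uses += user not in self.allowed   # time of use
            return "secret"

def alternate(component, rounds=3):
    """One thread: expect success when granted, failure once revoked."""
    for _ in range(rounds):
        component.set_access("u", True)
        if component.read("u") != "secret":
            return False
        component.set_access("u", False)
        try:
            component.read("u")
            return False
        except PermissionError:
            pass
    return True

def revoke_during_gap(component):
    """Two threads: a revoke is fired between check and use; returns stale uses."""
    component.set_access("u", True)
    revoker = threading.Thread(target=component.set_access, args=("u", False))
    def gap():
        revoker.start()
        revoker.join(timeout=0.2)   # atomic case: revoke stays blocked on the lock
    component.read("u", gap)
    revoker.join()
    return component.stale_uses
```

Both variants pass the single-thread alternation; only the two-thread test separates the non-atomic component (one use after revocation) from the atomic one (none).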
Fuzz Testing
Pass garbage into inputs
Pass partially correct data into inputs, but containing garbage values (develop file and network fuzzers for all protocols and file formats)
Code Access Security
New type of security in the .NET Framework
Controls application authorization
Concepts: Evidence, Permission Sets, and Code Groups
Verify that Internet-based client-side applications do not need full trust