Sunday, November 25, 2007

Is Software Security Testing Complicated?

Testing software for Security is something that can be quite complicated to do. Those that do test software are also those that have taken classes and know just what it is that they are doing.

If you are all into software, and are very familiar with it, as well as interested in testing it yourself, you are going to want to check out the software testing course that is held closest to you.
Many companies hire a 3rd party to give their employees a security testing course or build an in house team for providing this as a special service to teams across the organization.

I somehow believe that Security testing is something that comes a little easier to someone that understands or has written a software program before. If you have ever written a software application and are looking to get into testing, you are going to find that learning what you need to know to test will be easier for you than someone else.

Wednesday, November 14, 2007

Is virtual keyboard been considered?



Phishing is an attack where the attacker sends a mail making it look as if it has come from a bank or a financial institution and lures the victim into entering his sensitive information.

Image based keyboard (or virtual keyboards) were invented to make life harder for banking or phishing Trojan horses (specifically key-stroke loggers or key loggers), some even suggested they be used specifically to avoid these Trojan horses.

Tuesday, November 06, 2007

Clear Text Secrets

We often find applications storing secrets in a non-encrypted form which presents a severe security risk. If an attacker was able to retrieve & read the secrets, it could lead to compromise of the application, host or network, loss of revenue, loss of confidence of the user with the application.

"Sensitive"data like User Credentials, cryptographic keys must never be stored, cached, or sent unencrypted. For instance: logon passwords, PINs, credit card numbers, telephone calling card numbers, session ID that can be used to gain access to goods, services, or confidential information must always be stored and sent encrypted.

Avoid using proprietary encryption algorithms. Use trusted and proven standard algoriithms for encryption and have key lengths of at least 128 bits. Secure Socket Layer (SSL) must be configured to use at least a minimum of 128bit encryption and must not be allowed to fall back or accept weaker levels. Applications which use SSL must ensure that non-SSL connections are either denied or converted to SSL.

Thursday, November 01, 2007

Managing Account Lockout

User Accounts are vulnerable to dictionary attacks or brute force attacks. These attacks are ones where user credentials are deduced through successive attempts. Using tools or scripts enable the attacker to automate the process and establish a positive match more quickly and efficiently.

The "Good Practices" would be:
  1. Design usernames which are not predictable or guessable.
  2. Strong password policy.
  3. Disable user account after n failed login attempts which are successive.
  4. You could also consider locking out account for a specified amount of time. For e.g. 30 mins.
  5. Display generic error messages to user on failed login attempt. E.g. "Authentication Failed - Invalid Username / Invalid Password / Account Locked
  6. No automatic account lockouts for admin accounts
  7. Implement CAPTCHA's to prevent bots or automated username/password guessing.