QA and Security Pt. 2: Software Testers

Let's start by discussing the type of QA that tests software to ensure it is working as designed. These are the bug finders of the QA world. The process starts with a developer creating some functional code and then deploying it to an environment specific to the QA team. The QA team then uses its knowledge of how the application is supposed to function and determines whether it is performing properly. Any bugs identified get filed and sent back for remediation (hopefully).

There are some pretty major differences between companies, and maybe within some companies, in how technical a QA team actually is. At many companies I have worked at, the QA team was not as technically savvy as I would have expected. They would use Microsoft Excel spreadsheets to define their test scripts. In this case the word script means a set of steps to follow, not automation. Here is how the process would go.

  • Open Internet Explorer
  • Type into the address bar and hit go
  • Enter Valid Username (james)
  • Enter Valid Password (password)
  • Submit Login Form
  • Verify the user is logged in and redirected to Default.html
  • Pass/Fail

The above example may be a little over the top, but this is how a lot of scripts are designed. There is not a lot of thinking outside the box when it comes to testing the functionality. While that may sound bad, there are some pros to the approach. For example, it ensures that the app is tested the same way every time, which helps reduce the chance of a previous test being missed later on. These scripts are also very easy to automate. On the other hand, it opens up the opportunity for a lot of good testing to not be performed.

Many companies are even using automation tools to help with scripts like the one above. LoadRunner and Selenium come to mind as frameworks to help with this. These tools can record your testing and then play it back repeatedly. This helps when it comes time to re-test an application: you can re-run your previous scripts automatically, freeing up the manual tester to look at other things. Of course, as you test more things you would hope that those tests also become automated.

In other companies, the QA testers are very technical. They work much more with creating custom tools to help with testing the applications. They are more savvy regarding how the application works and different ways that users will use it. With the addition of the automated tools, it makes sense to have testers with these capabilities to really dig into testing the application.

In many cases, we are not seeing a lot of QA teams embracing security testing. There are many people that want to believe that many security flaws cannot be tested by your normal QA department. I am not one of those people. I think to help increase security, we need to increase our internal QA capabilities. We hear that there is a shortage of security professionals, but really, we just need to enlist the current professionals in the development process to help out and we will be better off.

You might wonder why I think QA can find many of these security flaws. To be blunt, most of these security issues are just bugs. Bugs are what QA people (in the current context) do. There is no need for so much segregation between QA and security testing. I understand that we don't want to share our bowl of rice or think that someone else could actually do that, but they can. Let's look at a few examples that QA should be able to test for.

Injection bugs are first on the list. While I group these together, this refers to things like OS injection, SQL injection, LDAP injection, cross-site scripting, XML injection, etc. These types of bugs are typically not that difficult to identify. Before you jump all over my back, I will agree that some of them can be very difficult to identify. I don't see that as the norm though. The method: input known control characters for the current context and look at the output.

For example, enter a single quote (') into a field and examine the response. Did you get a database error message? If yes, there is a good chance you have SQL injection; investigate further. No error message? Were there other indicators of a flaw? How about the response time? Did it change drastically from a request without that malicious value? Obviously there are other tests involved in this, but this shows how simple some of the tests can be to help identify the easy vulnerabilities. Will it find all of them? Probably not, but it is better than finding none. We should not be relying on outside parties to identify a SQL injection flaw by entering a (') into a field. This should be found internally.

Cross-site scripting is another good example. Just like above, enter known control characters for this bug and analyze the output. If you enter an HTML tag, does it get sent back without being encoded? How does the application react? Does it validate input? Does it encode output?
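Here is what the two probes above look like as an automated QA check. This is an added example, not code from the original post: the two search-page handlers are hypothetical stand-ins (one written the way these bugs creep in, one fixed), the in-memory database is constructed, and the list of error-message fragments is an assumption a team would extend for its own database product.

```python
"""Injection probes a QA test could run against a page under test."""
import html
import sqlite3

# Constructed in-memory database standing in for the application's backend.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT)")
_conn.executemany("INSERT INTO users VALUES (?)", [("james",), ("alice",)])


def vulnerable_search(term: str) -> str:
    """Hypothetical search page with both bugs: SQL built by string
    formatting, and the search term echoed into HTML without encoding."""
    try:
        rows = _conn.execute(
            "SELECT name FROM users WHERE name = '%s'" % term).fetchall()
    except sqlite3.Error as exc:
        # Leaking the raw database error is the indicator the probe looks for.
        return "<p>Database error: %s</p>" % exc
    return "<p>Results for %s: %d found</p>" % (term, len(rows))


def safe_search(term: str) -> str:
    """The same page fixed: parameterized query and HTML-encoded output."""
    rows = _conn.execute(
        "SELECT name FROM users WHERE name = ?", (term,)).fetchall()
    return "<p>Results for %s: %d found</p>" % (html.escape(term), len(rows))


# Fragments of database error messages that should never reach a user
# (assumed list; extend it for the database product you actually run).
DB_ERROR_SIGNATURES = ("database error", "syntax error", "unrecognized token",
                       "sqlite", "mysql", "ora-", "odbc")

# (kind, payload) pairs: the control characters for each bug class.
PROBES = [
    ("sqli", "'"),         # single quote: does a database error leak back?
    ("xss", "<b>qa</b>"),  # HTML tag: does it come back unencoded?
]


def run_probes(page, probes=PROBES):
    """Call `page` with each probe and return a list of (kind, payload, reason)
    findings; an empty list means neither indicator showed up."""
    findings = []
    for kind, payload in probes:
        response = page(payload)
        if kind == "sqli" and any(sig in response.lower() for sig in DB_ERROR_SIGNATURES):
            findings.append((kind, payload, "database error leaked in response"))
        elif kind == "xss" and payload in response:
            findings.append((kind, payload, "HTML tag reflected without encoding"))
    return findings


if __name__ == "__main__":
    for name, page in (("vulnerable", vulnerable_search), ("fixed", safe_search)):
        print(name, run_probes(page) or "no findings")
```

Against a real application the `page` argument would be a function that submits the payload through the form (Selenium, or plain HTTP) and returns the response body; the probe and signature lists are the part QA grows over time.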

Another set of bugs are related to authentication and authorization. Again, this is something simple that QA can test. Verifying that restricted resources are only available to those given permission is a simple process. The same goes for verifying that a user must be authenticated properly before accessing the system. Many times during a penetration test we are given different sets of credentials to help facilitate the testing of auth bugs. Create a map of what pages/functions each role should have access to. Then check to ensure the other roles cannot access those pages/functions. You might actually be surprised at how much more you know about your application after mapping it like this.
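The role map described above can be turned directly into a test. This is an added example, not code from the original post: the access map, the role list and the two application stand-ins are all constructed (the "buggy" one carries a single hypothetical authorization miss so the check has something to find). In practice `app` would be a function that logs in with that role's credentials and requests the page.

```python
"""Role-to-resource map check: every page as every role, both directions."""

# Constructed map of which roles are supposed to reach which pages/functions.
ACCESS_MAP = {
    "/account/profile": {"user", "manager", "admin"},
    "/reports/team": {"manager", "admin"},
    "/admin/users": {"admin"},
}
# Every role the application knows about, plus an unauthenticated visitor.
ROLES = ("anonymous", "user", "manager", "admin")


def buggy_app(role: str, page: str) -> int:
    """Hypothetical app under test; returns an HTTP-style status code.
    It carries one authorization bug: /reports/team only checks that the
    visitor is logged in, not which role they hold."""
    if role == "anonymous":
        return 302  # redirected to the login page
    if page == "/reports/team":
        return 200  # BUG: any authenticated role gets in
    return 200 if role in ACCESS_MAP.get(page, set()) else 403


def fixed_app(role: str, page: str) -> int:
    """Same app with every page checking the role against the map."""
    if role == "anonymous":
        return 302
    return 200 if role in ACCESS_MAP.get(page, set()) else 403


def check_authorization(app, access_map=ACCESS_MAP, roles=ROLES):
    """Request every page as every role and compare with the map.
    Returns a list of (role, page, problem) tuples; empty means the app
    matches the map in both directions (nobody extra gets in, and nobody
    who should get in is locked out)."""
    problems = []
    for page, allowed in access_map.items():
        for role in roles:
            status = app(role, page)
            if role in allowed and status != 200:
                problems.append((role, page, "expected access, got %d" % status))
            elif role not in allowed and status == 200:
                problems.append((role, page, "unexpected access granted"))
    return problems


if __name__ == "__main__":
    print("buggy app:", check_authorization(buggy_app))
    print("fixed app:", check_authorization(fixed_app) or "no problems")
```

Checking both directions matters: the "expected access" branch catches a fix that locks out a legitimate role, which is the regression that usually follows an over-eager authorization patch.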

Much of this testing can be accomplished using simple tools such as your browser, plugins, and proxies like Burp or ZAP. There is no good reason why software testers don't have, and understand how to use, these tools during their testing. Let's stop the "We don't allow hacking tools" nonsense. Many of these tools started out as testing tools, not hacking tools. If you are not providing QA the tools they need, you will never get better at assuring the quality of your software.

If your testers fall into the less technically savvy category, work to get them some security training. Not only will it benefit you through better security testing, but it will also make that person much more knowledgeable in general and most likely less prone to falling for phishing or social engineering attacks.

QA and Security Pt. 1: What QA Are You Talking About?

There has been a lot of chatter recently regarding QA and the role it plays in security testing. Hashing this out over Twitter with 140 characters per post just makes things more confusing. While I think that Twitter helps start some of the most important discussions, there is a need for other mediums to expand on the topic. In this series of posts, I want to take the opportunity to bring up some of these topics and hopefully expand on them a little bit. We all have our opinions and we will certainly not all agree on everything; however, these are conversations we need to have.

What do you think of when you hear Quality Assurance (QA) mentioned in a conversation? Is it just a process that documents or processes go through to make sure they are sound? Do you think of that group of people that test applications to make sure they function as they should? It is important for everyone in the discussion to understand the context in which the term QA is being used to ensure everyone is on the same page.

As mentioned above, there are a few different things we think of when we hear the term QA. The one that comes to mind the most to me is the team that tests applications or software to ensure that they are working properly. Most likely I go this route because I come from a lengthy development background and that is the QA I mostly dealt with. This QA team is responsible for identifying bugs in the system, documenting them and getting them back to developers to resolve them. This team is engaged after software is written (well, during the iterative development process) and before it is released to the production environment. Even this group can be very different between companies which I will talk about in future posts in this series.

Other people when they hear about QA think about a different group (most likely) that is responsible for reviewing documents and procedures to ensure accuracy. One example of this is sending requirements or design documents through a QA process to ensure they are correct.

Of course there are other types of QA, but those are the two we will focus on throughout this series. If you have other examples, please feel free to send them my way on twitter (@jardinesoftware) or The more we start distinguishing the context we are discussing the more we can get done by cutting through the confusion. Defining our context is a critical first step.

In the rest of this series I will dive into the different types of QA and how they relate to security. What role can they play? What should they be able to do, and what should they not be able to find? Can QA find security flaws? Follow me on this short journey to see what we find out.

When Breaches Get Personal

Unless you have been living under a rock, you have probably heard about the breach of privacy against some celebrities who had some indecent images stolen. It is easy to get caught up in the hoopla that surrounds this latest intrusion due to the racy images that were stolen, but there is a bigger question around all of this. Let's pull away those top layers and see what the deal is.

The story goes that images were taken with mobile devices, and those devices then synced the data to some form of cloud storage. You have seen cloud storage before, right? Dropbox, Sync, Box, iCloud, etc. There are a lot of services that allow storing your data in "The Cloud". Some of this is just for backup purposes; others help sync data across multiple devices.

Let's start by talking about this mysterious cloud. If you saw the recent movie "Sex Tape" you may have heard it mentioned. You might be shocked that the only thing about the cloud that actually resembles a cloud is its representative image on a network diagram. There are lots of definitions, and everyone will tell you something different when describing the cloud. The key point is that these services have servers running in multiple data centers, and when you send your data to them it gets stored on those servers. You don't know where the data actually is, and in most cases it doesn't matter. It is, in this scenario, an offsite storage mechanism.

Many of these services make it easy to sync files between devices. Wait, you really don't have more than one device? It is becoming much more common for people to have a phone, tablet, computer, etc. Wouldn't it be great if when you created a file (photo, document, etc.) it was available on all your devices? The cloud services help with that. Some programs, like the iOS Photos feature, will automatically sync your pictures to all your devices.

Whether people are aware of how this works, or of the implications, is hard to really determine. I think most people really don't think about the mechanism by which the photo made it from their phone to their tablet. They just care that it got there, not thinking about a copy being stored somewhere else. Just like in law, ignorance is no excuse for not knowing what is going on with your devices and services.

As we have seen in the past few years, breaches are an everyday occurrence. Usually we see them at big businesses or retailers. These cloud services are also targets due to the types of data they store. Sure, in the most recent case it was nude photos, but think of some of the other stuff that you store from your device. There is a lot of potential for sensitive information to be stored.

Do you stop using cloud services because of an incident? Personally, I keep on trucking as usual. I use iCloud, Dropbox, and other cloud services all the time. Understand, there is a risk to using any of these services, although I wonder if that risk of the service getting compromised is less than or greater than your own personal device getting compromised. Like everything we do in life, you have to be aware and take responsibility for what you do. Hey, if you want to take nude photos, that is your business. If those images get compromised, and on an electronic device there is a chance of that, then you determine how to handle the situation. This goes for any data you store, not just photos.

There is so much finger pointing and blame game going around the internet about the recent nude photo breaches. It is the celebrities' fault, it is the hackers' fault, it is the cloud service provider's fault. I don't see how any blame is put on people that take pictures and use a service. We were all given a choice, and that doesn't give anyone else the right to exploit it. Depending on how the accounts were compromised, some responsibility may lie with the user or with the provider. If the provider did something completely negligent, then I can see some problem there. But let's not let any of that detract from the true malicious user here: the attacker that broke in and stole the information. There are going to be people that do this all the time, and we are seeing more of it every day. Let's be clear, there is no way to remove the blame from the attacker in any of these scenarios.

As users, we need to stay focused on good security practices: strong pass phrases, less password reuse across sites, not clicking things you shouldn't, staying away from shady sites, and thinking about what you are doing. Don't get caught up in the hype of news headlines, but rather take in the details and determine what the real issue is. All of the talk about nude photos is not the issue. Data stolen by an attacker is the issue. Be safe and enjoy the internet.

Breaches Happen: Call to Action

I loaded up Twitter this morning and was bombarded with even more reports of companies getting breached. Latest on the radar include the likes of JPMorgan Chase and some Dairy Queen locations. I won't even attempt to guess at the number of breaches that have occurred already this year, but at what point do companies sit down and decide to look at their own network and systems?

I am not talking about reaching out to a company to perform a penetration test, or even a risk audit. I am thinking about looking at your actual systems for any signs of compromise like what we are seeing in all of these breaches. Let's just assume that everyone is breached; what would you as a company do? You have an incident response plan, right? Disaster recovery is in place? If any of those don't sound familiar, you are already late to the game.

If you are a retailer or have any type of POS system, take a moment and check your systems. There is known malware that may just be sitting on there without your knowledge. You have to go looking for this, rather than just waiting on the Feds to let you know that you have a problem.

If you are a franchise, I recommend you look at your policies for franchisees regarding security. Do you have a way to check how they are doing in regards to security? While a breach may occur at an individual location, it is YOUR brand name that will be pasted all over the news. It is debatable whether or not any news is good news, so I don't recommend taunting that bear.

As an industry we try to put so much effort into defending our systems, which will always be needed. However, we also have to focus on the ability to determine if something has successfully gotten through those defenses. Ordering another Penetration Test will just try to help identify where the gaps are, it will most likely not identify that someone has already exploited it.

I know, I know, we are short on cyber security professionals and we just don't have the manpower. That is no excuse for not properly utilizing the resources that you have. You don't have to be a cyber security professional to understand networking and computer systems, or to monitor network traffic looking for anomalies. Network admins and analysts should know what normal traffic looks like and what a normal installation looks like. Changes in that information should spark some interest. We can't just wait for the network to tell us... we have to start thinking about going and searching for these differences.

We also need to get better at sharing the details of what happened in one breach so the rest of the industry can learn from it. If you are hit by some unknown malware, what are the signs and signatures of it? How did you identify it, so the rest of us can go look? We have so many "researchers" testing sites for things like XSS and SQL injection; let's get some of them researching how the malware can be identified and creating tools to help sniff it out and eradicate it before it affects millions of sites. Crowdsourcing is working great to find things like XSS, so why not use it to help snuff out bugs quickly?

We need to start digging deep into how we approach security and come up with better ways to protect systems. We need to focus on the ability to identify breaches more quickly. We need to analyze those breaches to get tools available to quickly block the attack methods. Let's start working together to make a difference.

1.2 Billion Passwords… Password Best Practices Again

There is a lot of talk about the recent discovery of what appears to be about 1.2 billion username and passwords stolen. I haven’t seen the list, so I can’t confirm that, but let’s assume it is accurate. Is this something we should be panicking about?

The first question is how many unique people this actually affects. The chances that it affects 1.2 billion people seem pretty slim. I haven't seen any statistics generated, but we have to assume that those people that are connected to the internet have more than one user account. The report says the credentials were pilfered from more than 450,000 sites. Of course that information is not being released, and we don't need it to protect ourselves.

Practice Good Password Practices

With all the recent breach coverage we can't help but continue preaching good password practices. You may ask if it really matters with all the breaches that occur, or what control you really have. It is not like these passwords are stolen from you; the application that stores them is usually the culprit.

As those that create and rely on passwords, we do want to help take care of them as best we can. I can’t control what the developer is doing to protect the password on their end, so I have to assume the worst and do the best I can on my end. At some point, I think we will start to see people actually stop using applications that are not proactively protecting our data, but to do that we need applications that are transparent and show us they are doing things right to gain our business.

Choosing Strong Passwords
We should start off by choosing strong passwords. Unfortunately, a lot of critical applications still don't support strong enough passwords, but if you can, try to have at least 15 characters in the password. When it comes to password strength, it is the length that has the greatest effect. Remember, it is rare that someone is trying to guess your password; rather, they are running software tools to crack large swaths of passwords. I prefer to use pass phrases or sentences to create my passwords. This makes them easier to remember and more difficult to crack.

Changing Passwords Regularly
Changing your password on critical systems regularly can help limit how long a stolen password stays useful to malicious users. Many corporate systems require password changes every 45-90 days for end users. You should follow that guideline for personal applications too, especially the ones that deal with financial matters (such as your bank accounts). Let's hope that a company that has been breached and lost passwords isn't losing them day after day. We hope it was a one or two time thing. By changing our passwords regularly, we increase the chance that the breached data is no longer valid by the time it gets used.

Don’t Reuse Passwords
It is recommended not to use the same password on multiple sites. I understand that this is a pain point because it is difficult to remember that many passwords. Try a password manager, a piece of software that stores all your passwords securely, to help solve that problem. The issue with re-using passwords is that many sites allow you to use the same username, or just your email address, as the user name. Once your data has been stolen from one application, an attacker may try that password on another site where you use those same credentials. This also includes not using similar passwords. Using passwords like Summer2014 and Fall2014 is not a good idea because if these are identified, it is simple to figure out the pattern and guess the next password in line. This is critical if you do change your password regularly and an older password got breached.

2 Factor Authentication
If a site offers two-factor authentication, enable it. Two-factor authentication means that the site will prompt you for your username and password and then a secondary piece of information. For example, my bank will send me a token via email that I have to enter. This token is different every time I log in. Many sites are starting to support tools like Google Authenticator, which is an app that runs on your mobile device and provides that second piece of authentication. If you are using sites that do not support two-factor authentication, write to them and request it. Remember, they are storing your data; you want it protected.

Validate the Hype

When news like this breaks, we often have a tendency to overreact, thinking that it is the end of the world. Credentials got stolen, we are not disputing that, but let's step back and think about what that means. Keep in mind that in this announcement, applications or companies were not named. At this point, it is possible the credentials are for meaningless sites that are not that big of a deal. Due to the nature of the accounts being used to send spam, I am guessing many are probably email accounts, but that is just a guess. What has happened in the past can't really be changed. We change our passwords, we monitor our accounts (like we should be anyway) and we continue reaping the benefits that these applications provide us.

Stay safe, and keep your eyes open.

Danger of USB Devices

There has been lots of news recently regarding a flaw in USB devices that could lead to an unwanted attack. USB stands for Universal Serial Bus and is often associated with thumb drives used to store data. There are many other uses for USB devices, such as your mouse and keyboard. There are even monitors that connect via USB.

Each USB device has a microchip that contains instructions on how it will work. In addition, USB devices are separated into different classes; for example Human Input Devices (HID) for keyboards and mass storage devices like thumb drives. The computer looks at this classification to determine how to handle the device.

From a visual perspective, it is not possible to determine how a USB device will be treated because it is the firmware on the device that contains this information. A good example we have used for years is the Teensy device, or Rubber Ducky. This device looks like a regular thumb drive, but when plugged in, acts like an HID (keyboard).

The concern here is that in an enterprise, there are often controls that block mass storage devices from loading onto the end user computers. There are multiple reasons to block these devices. First, the company is trying to stop a malicious user from stealing a bunch of data using a tiny thumb drive. Remember the movie "The Recruit" where they stole info using a thumb drive? Another reason these devices are blocked is that they could contain malicious software (malware). Block the device, block the malware.

The concern we often see with these controls is that it is difficult to block human input devices because we need a keyboard and a mouse. The idea of the Rubber Ducky is that you, the attacker, can program a sequence of keystrokes onto the device, and when it is plugged in it will execute the keystrokes. This technique allows attackers to bypass many controls and possibly gain unauthorized access to the system.

One can disassemble a Rubber Ducky and see the SD card, showing it is not a real thumb drive. The issue with this recent news is that regular thumb drives could be reprogrammed to work as an HID without your knowledge. We haven't seen many details of how to pull this off remotely; however, we should be cautious any time we plug a device into our system.

I will not stop using USB devices anytime soon. Diligence and user awareness are important here.

eBay Password Breach

eBay announced today that they had usernames, encrypted passwords, phone numbers, email addresses, physical addresses and dates of birth stolen during a recent breach. The key here is encrypted passwords, which hopefully means strong security. That is just an assumption though. It is not uncommon by any stretch to see a large company suffer a breach that includes user credentials. We often overlook the idea that credentials are actually very valuable. We spend so much time focusing on social security numbers, credit card numbers, and HIPAA data that we forget about the basics: the keys that protect all of that other data.

eBay believes that no other data (financial, etc.) was accessed during the breach. This is the good news. The bad news is we now need to change our passwords again. Look on the bright side: if we used fingerprints for access, we would only change our password a few thousand times before we had to start using toes. There are a lot of different passwords we can come up with. I know it is obvious, but if you haven't stopped reading this post to go change your eBay password, stop for a moment and go do that.

Managing our passwords can be difficult, and we may often feel helpless as the end user because not only do we not have any control over how a company or service stores our passwords, we don't have any insight into how they do it. Previously people have suggested advertising on the site how the password is protected. It is an interesting idea. The question is: does it make you more or less of a target? There are a lot of factors that go into that determination.

If you advertise that you use bcrypt with 10,000 iterations, is that good or bad? Will the bad guys just turn around looking for that easier score, or will they accept that challenge? Now advertise that you are just storing passwords using MD5 with no salt. The difference between the two is like seeing a wireless network with and without a password. Of course, the problem we also have is whether or not the description provided would mean anything to the average user. My mom, even my wife, wouldn't have any idea what MD5 or bcrypt meant or which one may be more secure. It is server side, so do users care? I am not really sure. I don't think advertising the details would really help the problem, maybe just satisfy those techies that want to debate whether the company was following best practices.
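To make the MD5-without-salt versus bcrypt comparison concrete, here is the difference in code. This is an added example, not code from the original post. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it here (an assumption; the properties being shown, a per-user salt and a tunable iteration count, are the same). The user names, passwords and wordlist are constructed.

```python
"""Unsalted MD5 versus a salted, iterated password hash."""
import hashlib
import hmac
import os

# Constructed wordlist; real cracking lists run to millions of entries.
COMMON_PASSWORDS = ["password", "Summer2014", "Fall2014", "letmein"]


def md5_unsalted(password: str) -> str:
    """What 'MD5 with no salt' stores: same password, same hash, for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_match(stored_hashes: dict, wordlist) -> dict:
    """Why unsalted fast hashes are weak: a table computed once over a
    wordlist matches every user in the store at once, with no per-user work.
    Returns {user: recovered_password} for each hash found in the table."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def pbkdf2_hash(password: str, iterations: int = 10_000, salt: bytes = None) -> str:
    """Salted, iterated hash, stored as salt$iterations$digest so the
    parameters travel with the record and the cost can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, per change
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    users = {"alice": "Summer2014", "bob": "Summer2014", "carol": "correct-horse-battery"}
    md5_store = {u: md5_unsalted(p) for u, p in users.items()}
    print("alice and bob share an MD5 hash:", md5_store["alice"] == md5_store["bob"])
    print("recovered from one table:", precomputed_match(md5_store, COMMON_PASSWORDS))
    pbkdf2_store = {u: pbkdf2_hash(p) for u, p in users.items()}
    print("alice and bob share a PBKDF2 hash:", pbkdf2_store["alice"] == pbkdf2_store["bob"])
    print("alice verifies:", pbkdf2_verify("Summer2014", pbkdf2_store["alice"]))
```

With the salted scheme, two users with the same password get different records, every guess has to be recomputed per user, and each guess costs 10,000 iterations instead of one; that is the gap the wireless-network comparison is pointing at.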

Spread the word when you see that a site has been breached. Let your friends and co-workers know so they too can take the appropriate steps to protect themselves. We can't fix a company's vulnerabilities, but we can all respond accordingly to calm the wave of destruction.

Windows XP: End of Life

On April 8, 2014 Microsoft ended support for Windows XP after a great 12 year run. When you really think about it, 12 years is a really long time in the technology world for an operating system to survive. Other systems are seen being updated every few years, which makes sense due to the ever changing capabilities of technology. There has been a history of a consistent cycle in the Windows operating system of great versions followed by what some would say are flops. When you find something that works for you, you tend to stick with it. I still have computers with Windows XP loaded on them because they just work. However, there are some precautions I must take to try and protect myself. Fortunately, the machine is really just a test machine and not my main computer.

You might be wondering what it means to say that it is end of life. Basically, it means that Microsoft will no longer supply updates or patches for the operating system. Of course, they did break this rule shortly after the end of life by supplying a patch for Internet Explorer on Windows XP. This is out of the ordinary and has created a divided crowd as to whether they should have done that or not. On one side, they are helping protect people that are still running the out of date operating system. On the other side, they are enabling people to continue running this out of date operating system.

So should you upgrade your computer if you are running Windows XP? The simple answer is to recommend updating to a newer operating system. Even though the system still works and is stable, there are many concerns around using it. First, of course, there is the issue of no more security updates. That poses a significant risk because attackers are going to start looking at the patches that come out for the newer operating systems, trying to identify which ones are in components shared with Windows XP. They can then use these against Windows XP users because they know the system won't be patched.

The second issue is just finding supported applications. For example, Internet Explorer 9 and above are not supported on Windows XP. Not only do these newer browsers have better security features, they also support new browsing features. We will start to see web applications that only support the newer browsers. Of course, at this time you can install Firefox or Chrome onto your system and that would still work. At some point, those may stop being supported on Windows XP as well.

Keep in mind that many attacks on the end user are performed through the web browser: an attacker gets you to open a malicious URL that takes advantage of a flaw in the browser, Java, Flash, or some other component. One option a die-hard Windows XP fan can take is to stop using Internet Explorer and use an alternative browser, but that is not a full solution. There are many sites talking about how you can extend the life of Windows XP; just do a simple Google search.

From a user perspective, I understand the difficulty of upgrading the Windows operating system. It has never been a painless process and can be very time consuming and difficult. Even worse, what hardware is your computer running, and does it support Windows 7 or Windows 8.1? You have to determine what options you have before you determine which course of action to take. Maybe you can just upgrade the OS. Maybe you need to get a new system and migrate files over to it. It is important to make sure that you take the time and work with someone knowledgeable to make the upgrade seamless.

For companies, we need to look at what our upgrade plans are. Microsoft was very open about when the operating system was going to reach end of life. Companies had plenty of warning. There are always reasons why the upgrade hasn't happened: legacy applications, cost, etc. Set up test systems to ensure that all the applications needed to do business work as expected. You don't want to just upgrade and then find out business has stopped because that critical application doesn't work. You don't want to have a gaping hole sitting on your network.

While it is not the end of the world, Windows XP's end of life is significant. It was/is a great operating system with a lot of support, and with the UI changes that were made in Windows 8, it is no wonder people are hesitant to upgrade. Look at your alternatives, be aware of the life cycles, and find out what the next operating system will be. We don't want to be early adopters, but we also don't want to be living on outdated technology.

Target Breach: Monitor Your Financial Transactions

On December 18, 2013 news broke that Target had suffered a security breach and upwards of 40 million credit cards may have been impacted between Nov. 27 and Dec. 15. This information included the customer name, credit or debit card number, the card's expiration date and the CVV code. This incident does not affect purchases made online and does not include every purchaser during that time frame. Here is a link to the notice from Target to its customers (

Many people want answers as to “how” this happened. While it is important for Target to get to the root cause of this problem, the “how” doesn’t change the mindset of how the consumer can protect himself.

Inevitably, the information that was accessed will end up in the underground markets for sale to criminals. The biggest action you (the consumer) can take is to monitor your credit card statements on a regular basis. If you notice fraudulent transactions appear, contact your financial institution immediately to take the proper steps to get it taken care of. Time is of the essence when reporting those fraudulent charges.

Oftentimes the fraudulent credit card transactions are not large purchases, but just small amounts. The criminals will charge a very small amount just to test whether the credit or debit card is working. Once they have confirmed this, they will then move forward with using it for a larger purchase.
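The probe-then-spend pattern described above is easy to look for mechanically once a statement is exported. This is an added example, not code from the original post: the statement rows are constructed, and the thresholds (a "small" charge of $2 or less at a merchant not seen before, a "large" charge of $200 or more within 48 hours) are assumptions a card holder would tune to their own spending.

```python
"""Scan a card statement for a small test charge followed by a large charge."""
from datetime import datetime, timedelta

# Constructed statement rows: (timestamp, merchant, amount in dollars).
STATEMENT = [
    ("2013-12-20 08:15", "Coffee Corner", 4.25),
    ("2013-12-21 02:03", "ONLINE-MKT-7731", 0.99),    # tiny charge at an unknown merchant
    ("2013-12-21 02:41", "ONLINE-MKT-7731", 612.00),  # large charge shortly after
    ("2013-12-22 18:30", "Grocery Mart", 86.40),
]


def flag_suspicious(statement, small_max=2.00, big_min=200.00, within_hours=48):
    """Return alerts for (a) a charge of at most `small_max` at a merchant not
    seen earlier in the statement and (b) a charge of at least `big_min`
    within `within_hours` after such a test charge. Rows are processed in
    time order so 'seen earlier' means earlier in the statement."""
    seen_merchants = set()
    test_charge_times = []
    alerts = []
    rows = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), m, a) for ts, m, a in statement)
    for when, merchant, amount in rows:
        new_merchant = merchant not in seen_merchants
        seen_merchants.add(merchant)
        if amount <= small_max and new_merchant:
            alerts.append(("small charge at new merchant", merchant, amount))
            test_charge_times.append(when)
        elif amount >= big_min and any(
                timedelta(0) <= when - t <= timedelta(hours=within_hours)
                for t in test_charge_times):
            alerts.append(("large charge after test charge", merchant, amount))
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious(STATEMENT):
        print("%-32s %-18s $%.2f" % alert)
```

The first alert is the one worth acting on: reporting the card at the test-charge stage, before the larger purchase lands, is the "time is of the essence" point made above.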

Target is not the first company to suffer unauthorized access to customer information and it certainly will not be the last. While this incident has been widely publicized, it is no different than any of the other breaches that occur. Consumers should always practice the one key step of constantly monitoring their financial statements. This is the best way to protect yourself from becoming a victim.

SANS Pen Test Summit

I was just recently in Washington D.C. where I attended and presented at the SANS Pen Test Summit. For those that have not had the chance to attend these events, they are two days of presentations and panels from well-known security experts. SANS has done a great job of presenting a great environment to bring together many different subjects all within the topic of Information Security.

I was fortunate enough to have been selected to be one of those presenters. I presented on Hacking ASP.Net: Tips and Tricks. I have been training secure .Net development for a while, but I feel that there are many things that pen testers just don’t understand that should be shared. Although my talk was limited to just a few key features of .Net, specifically Event Validation, Request Validation, and ViewState, I felt it was a lot of information that was new to the audience. I really enjoyed giving the presentation and hope that the audience enjoyed it just as much.

In addition to my talk, there were other great talks as well. Justin Searle, John Strand and Atlas of Doom all presented some great material. These guys all speak all over the country and the world, and it is always an experience to listen to them.

I recommend that if you are looking for a summit to attend, check out the website. They host multiple discipline focused summits each year.