Maintaining high software quality in today’s highly saturated IT market is a challenge, let alone cybersecurity. Protecting personal data has always been a dire necessity. But now, the need is more urgent than ever before — within numerous cyberattacks, novel methods of malicious usage, and sophisticated hackers.

With all that in mind, a1qa is glad to be among the top penetration testing companies according to Clutch’s data-driven research.

Being an independent QA and software testing company for 19+ years, a1qa assists customers in enhancing software quality, including cybersecurity and data protection issues. At in-house CoE for cybersecurity testing, QA engineers are honing their professional skills regarding penetration, compliance testing, vulnerability assessment, social engineering, and other security testing services to help clients make distinctive and lasting improvements in their businesses and feel safe at all levels.

a1qa is deeply grateful to all the clients for their trust and passion in striving to become better together. Here’s what they say about cooperation:

To be eligible for a Clutch Leader Award, organizations should exhibit an unusually high ability to deliver top-tier work to their clients and provide cybersecurity excellence to the customers.

About Clutch

Clutch — the B2B ratings and reviews platform — unites thousands of first-class solution providers and companies across multiple industries while helping worldwide organizations connect with B2B vendors to strengthen business resilience and increase the productivity of operational processes.

Feel free to get in touch with a1qa’s experts to discuss raised QA-related issues. We would be glad to help.

While moving to an online environment and introducing technologies, companies face poorly secured systems. This is where cyberattacks become those of the most pressing issues, making businesses vulnerable. The price of data breach fixing will reach $10.5 trillion by 2025.

What do businesses undertake to avoid taking on high costs?

It depends. Some hire in-house cybersecurity specialists while others are looking for support from independent vendors — Software Testing Companies.

Let’s imagine you’ve picked the last option.

Here are the top 5 questions to ask your QA provider to ensure they will help launch faultless and attack-proof IT solutions.

Question #1. “What cybersecurity testing approaches and methodologies do you apply?”

Are you using penetration testing? Right, being one of the up-to-date cybersecurity approaches, it helps simulate hackers’ behavior while identifying the software bottlenecks and mitigating the risk of cyberattacks.

What more? “DevSecOps, of course.” Good. It allows QA engineers to reveal the software’s vulnerabilities at the early development stages, eliminate loopholes, and prevent the system from exploiting by cybercriminals.

Once you have asked what methodologies a QA vendor applies, you will understand what the supplier implements to achieve increased IT product security, reduced QA costs, fixed leaks.

It’s no more necessary to explain that preventing both minor and major attacks assist in avoiding damaged reputation, compromised customer data as well as financial loss.

Question #2. “Do you have a cyber incident response plan?”

They say forewarned is forearmed, so it’s a good practice to think about a response plan in advance and create some actions in case of an emergency to react quickly to malicious usage.

In line with every possible cybercrime type and level, QA providers develop multiple scenarios to minimize the risks of exploiting the software.

In 2020, Interpol’s private sector partners mentioned that the top 4 cyberattacks related to uncertainty provoked by COVID-19 are phishing, malware, malicious domains, and fake news, resulting in the breakdown of large corporations as well as millions spent to restore them fully.

Source: www.interpol.int  

Cyberattacks are becoming more sophisticated requiring new testing approaches to keep up with the pace of hackers. Make sure the QA provider considers sudden cyber incidents to timely dodge them by introducing continuous security monitoring approach paying attention to trends.

Question #3. “Do you ensure software compliance with the global safety standards?”

Working with clients’ sensitive information, range of IT products should comply with global cybersecurity standards (ISO/IEC 27001, PCI DSS, HIPAA, and others). A big deal, as they contribute to:

• Understanding risk significance and its impact on the system
• Eliminating data transmission
• Monitoring suspicious activity and preventing it.

While asking this question, more details on cross-domain expertise help understand which spheres a QA vendor has already worked in.

By ensuring the app’s compliance with standards, the provider facilitates an IT solution safety as well as customers’ protection from all types of harm, including identity theft.

Question #4. “Do you have an internal security policy?”

Clients do trust companies with a well-tuned security policy that reflects:

• Data protection standards
• Assessment of business risks
• Resources and devices used in the workflow
• Rules for non-disclosing third-party information
• Guidelines on how to establish information security for the enterprises under national and international regulations
• And more.

Hackers regularly develop new ways to penetrate the system, which requires a strengthened security policy. If employees don’t meet the safety regulations accepted within the organization, this can aggravate the situation and give cybercriminals an advantage. That is why a credible QA provider has a policy that all specialists follow to avoid data compromise and its leakage.

Sometimes cybercriminals attempt to steal data not by hacking software but by tricking the organization staff. To address similar problems, some companies develop policies to test their employees for alertness (e.g., by introducing phishing).

Question #5. “Do you educate your employees on cybersecurity issues?”

Sometimes, data breaches occur as a result of human errors (lack of expertise, untimely updating, etc.). But the consequences of cybercrimes rapidly spread across intersecting parties while triggering the spillover effect. In 2020, the Federal Reserve Bank of New York claimed that the cyberattack on any of the five most active banks affects 38% of the network because of their interconnectivity.

Providing employees with additional training helps reinforce their cybersecurity knowledge, learn how to correctly apply innovations related to the cyber environment, improve company awareness of internal security policy updates, etc.

Well-prepared cybersecurity testing specialists are assuredly adept at implementing best practices to address cybercrime issues. This can be a five-step testing cycle:

1. Detecting cyber penetrations — to gain customers’ trust and ensure secure software.
2. Identifying risks — to evaluate possible methods of threat elimination.
3. Protecting software — to select the best QA approaches and mitigate potential damage.
4. Responding to attacks — to analyze the committed attack and explore the ways to upgrade the system to exclude subsequent penetration.
5. Recovering systems — to develop a response plan for potential breaches and sensitive data loss.

Advanced training on these and many other issues allows QA specialists to work with applications of any complexity, detect loopholes in advance and help release a reliable product.

Closing remark

Within highly sophisticated cyberattacks, companies are ready as never to pay greater attention to cybersecurity testing. It helps protect end-user personal data, minimize risks of cyber incidents, and make sure the software complies with cybersecurity requirements across the globe.

When looking for a QA provider to support you in that, ask some questions on testing methodologies, cyber incidents response plan, safety standards, internal security policy, and in-depth training.

If you’ve already made up your mind, feel free to reach out to a1qa’s experts to get holistic support on cybersecurity testing.

How many companies have you heard of passing digital transformation journey in 2021? That’s a tough path, and there are questions to answer. They reimagine IT strategies while introducing innovations while applying brand-new approaches to handle business and operational processes.

Despite that, only 16% of executives submit the successful digital transformation journey. What slows down the digitalization of other 84% of companies?

One of the barriers is a growing amount of cyberattacks. Ensuring data privacy and proper cybersecurity is a top priority of any company aiming to succeed in executing a transformation program.

In this article, we shed light on the top 4 security challenges of digital transformation and QA activities that may help troubleshoot them.

Four security issues that hamper digital transformation

Within the current informational era, cybersecurity has been taken for granted. However, due to swift migration to an online space and digitalization happening globally, companies are encountering an increased volume of cyberthreats. According to Statista, 32% of respondents admit that the growing likelihood of data breaches was one of the main digital transformation concerns of 2020.

Source: Statista 

Why? Let’s get this straight and figure out the top 4 security issues.

Security issue #1. Tech evolution with the same safety level

IT infrastructures are steadily expanding by introducing novel technologies. For instance, cloud computing is the front-runner when it comes to delivering enterprise infrastructure. Also, noteworthy is that hybrid cloud users were twice as likely to have incurred a data breach over the past 12 months.

With that, improved IT solutions in turn have a higher susceptibility to attacks, as these enlarged ecosystems broaden the scope of vulnerabilities while generating more possibilities for hackers.

Security issue #2. Sophisticated cyber incidents

Digital transformation also has a dark side of force. Alongside bringing value, innovations foster malicious actions by providing advanced tools, environments, and approaches to unauthorized apps usage.

For years, cyber attackers have been perpetually nurturing a malware arsenal, so that their behavior has become more unpredictable and thought-out. For now, detecting malusers and forestalling expensive system’s recovery after cyberthreats is rather complicated, as it requires a rock-solid strategy and ceaseless control.

Security issue #3. Overcomplicated cybersecurity standards

Being the most precious entity for any modern business, personal information needs high protection that triggers regulation actions. Within today’s growing intensity of cyberattacks, standards have become stricter and more regulated.

Compliance with cybersecurity standards is a complex and costly task. However, 80% of the data experts and IT professionals agree that stringent security norms can benefit their companies in the future by helping pass the certification and deliver upscale and safe software in the market.

Regulations that cover all life-threatening industries: HIPAA security checklist is for eHealth products, OWASP safety recommendations are for any-domain web and mobile apps, GDPR is for enabling secure data storage and transfer worldwide.

Security issue #4. Lack of the right-skilled people

While malicious users are constantly refining their skills, businesses don’t always have an appropriate volume of finances, experience, and right-skilled employees to address emerging cyberthreats.

With that, companies should gradually reimage budget allocation while keeping up with the relevant cybersecurity insights and providing advanced training for broadening expertise. 

QA for safe digitalization

We strongly believe that prevention is better than the cure. Being prepared to respond to any security breach is not about being anxious but more about minimizing risks especially meanwhile the crisis. So, what actions may be of help to deal with security issues?

Welcome to the handbook to assist you in releasing highly secure IT products.

1. Strengthen security practices

The essence of security issues remains the same while the scale is much larger. The latest edition of the World Quality Report states that the pressure of COVID-19 has sped up digital transformation programs. One of the consequences is that while the business is expanding, the demand for security testing arises.

The more business operations that are being brought to online, the more vulnerabilities and data breaches have gone up. This is why 83% of CIOs and IT directors say that their apps security concerns have increased over the last 12 months.

Starting from security assessments to controlling data protection at the go-live stage, businesses may get substantial value and minimize the risks of cyberattacks. After identifying drawbacks, engineers execute penetration testing while imitating hackers’ behavior to create real-life conditions and not to miss any critical defects.

2. Shift from DevOps to DevSecOps

DevSecOps is all about thinking ahead and projecting “How can I deliver the software in the market successfully?” even when you are on the requirements stage of SDLC. Which of course, is about the determination to automate as many processes as possible including security checks, audits, and others.

DevSecOps assumes a “security-by-design” approach based on the following aspects:

• Caring about data safety from the very start of an IT project
• Applying mechanisms that supervise the impact of newly added features on the overall software security
• Setting up internal safety defaults
• Separating responsibilities for various users
• Introducing several security control points
• Thinking over the actions in case of an app crash
• Performing audits of sensitive system’s parts
• And many others.

By considering these points, it is much easier to enable high data protection and become confident in users’ privacy.

3. Optimize security testing with automation and continuous security monitoring

Test automation is an escape solution to the escalating intensity and amount of cyberattacks. By automating security testing, specialists can swiftly perform checks and identify the attack. Besides, it helps increase overall efficiency on the project, accelerate time to market, reduce QA costs.

Moreover, companies are gearing towards implementing AI and ML in the QA processes. Their ability to define the roots of the attack and the system’s vulnerabilities allow for dodging expensive bug fixing after going live and data loss which includes the stealing of intellectual property. The results of express analysis delivered by AI and ML help prevent possible similar attacks and vulnerabilities in the future.

Summarizing

Ensuring data protection and a high level of cybersecurity is among the cornerstones of passing digital transformation.

Within emerging tech advancements, hackers are also nurturing their skills and becoming more adept by strengthening their strategies.

To be one step ahead, companies should consider reinforcing digitalization processes with thorough security testing, including right-skilled personnel, penetration checks, DevSecOps practices, and next-gen QA to guarantee the delivery of reliable and secure software in the market.

Contact a1qa’s experts to get professional QA support in enhancing cybersecurity level.

As the IT service industry continues to grow at an unprecedented rate, staying on top of the latest information and best practices is increasingly difficult. Thankfully, a1qa is up for the challenge.

Our client-first mentality sets us apart from other QA providers, as does our ever-evolving expertise in quality assurance and software testing.

Here at a1qa, we work tirelessly and with passion for our mission to ensure that our clients are confident in the high quality of the delivered software solutions. Many companies claim that they always put the clients first, but very few actually execute on it. Our skilled and trustworthy team wisely uses their vast industry-related knowledge and implements the latest technologies to help clients stay ahead of the competition.

We could continue to talk about ourselves, but let the feedback from our clients speak louder.

That’s why we’ve partnered with Clutch, a B2B ratings and reviews site that collects unbiased and thorough client reviews for companies not only in the United States but from around the world.

They’ve ranked us as one of the best firms providing penetration testing services in the country. Check out one of our succinct reviews from a current client below:

We look forward to collecting more reviews on Clutch so that companies seeking a reliable cybersecurity vendor can experience our first-class testing activities and quality of services that we deliver within any situation in the world. Being able to display case studies and client feedback is integral for building our reputation for dependability.

Please feel free to reach out to our QA experts today to ask any questions of yours.

Today information security is one of the greatest concerns of all developers, testers and common users. QA engineers perform testing in order to reveal security flaws and vulnerabilities. Nevertheless, even a high security system can be hacked as it is operated by a human being. For this purpose a special technique is used – social engineering. The article by Anna Andreeva, security testing engineer.

In information security and its offshoot of security testing, the term “social engineering” is used to describe the science and art of psychological manipulation. Social engineering is used to collect data, get confidential information, access systems, etc. According to statistics, 55% of losses related to violation of information security are caused by employees. This number is large enough to pay our attention to the attacks on the human factor.

The psychological manipulation has a number of peculiarities:

• No considerable expenses
• No special knowledge
• Long duration
• Difficult to monitor (no logging)

A human’s mind sometimes is much more vulnerable, that a complicated system. That is why social engineering is aimed at obtaining information with the help of a person, especially in the cases when a system can’t be accessed (e.g. a computer with vital data is disconnected from the network).

A common approach to attacks includes the following steps:

• Gathering facts (often using social networks)
• Developing a relationship of trust
• Exploitation
• Suppression of traces

The general principle of an attack is a misrepresentation. To fish for information social engineers use a variety of tactics and schemes aimed at the emotions, weakness, or other personal characteristics, such as:

• Love
• Empathy and compassion
• Greed and a desire for quick results
• The fear of the authorities
• Inexperience
• Laziness

The most widely used social engineering schemes

Phishing scams

Phishing scams are the most common attacks. They aim to gain access to sensitive user data – login and password. Some phishing emails are poorly crafted as their messages often contain mistakes. Nevertheless, these emails are focused on directing victims to a false website where they need to enter login credentials and other personal information.

To harm their victims, phishers make use of email addresses that they collect from open sources alongside with the names of the company’s employees. Once the email addresses are collected, hackers start to prepare emails with a malicious payload.

In the context of a cyber-attack, a payload is a component of the email that will cause harm to the victim. A malicious payload can be of two types:

1. Link to the fake page of the company’s corporate portal that will steal passwords of all corporate network users.
2. Malicious email attachment.

To make a fake page, the hackers will copy HTML and JavaScript of the original page and change it in a way to get passwords and login data that will be input by the users.

As for the attachments, malicious code fragments are inserted into the document code. The code is executed when the file is opened. To embed the code, standard Microsoft Office macros  – series of commands that can be run automatically to perform a task – are used. Once a malicious document is opened only one click is required for the macro code to run.

Several minutes after, the document will infect the computer and provide hackers with the access to the information required.

Baiting

This technique exploits the curiosity or greed of the potential victim. The attacker sends an email with an important anti-virus update or a free movie attached. This technique remains effective until users blindly click any hyperlink.

Besides the attachment, the attacker may use any USB or other peripheral device.

The target of the attack is the curiosity of the user who has found a flash disk in the parking area or got it was a precent at the corporate party.

Once such a device is connected, the computer will detect it as a keyboard. After that the flash disk will instruct the computer to install malicious software or steal confidential data. As for the user, it will seem to them like someone is inserting commands from the keyboard.

Here are the examples of the commands that can be performed to attack users with the help of USB devices https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads.

Quid pro quo

These attacks promise a benefit in exchange for facts. For example an attacker can call a company and under the pretext of technical support propose to install the “necessary” software. Once the victim agrees to install the software the attacker gains an access to the confidential data.

Tailgating

Tailgating (also called “piggybacking”) is a method to enter a restricted area simply walking behind a person who has legitimate access. Tailgating can’t be applied in companies where employees have to swipe a card to open the door.

It is evident that social engineering results in the number of such grave problems as financial and reputational losses and information leak. For this reason it is vital to take all the measures to resist it.

Pretexting

Pretexting attacks are used to develop a sense of trust using a made-up scenario. As a result, a person gives certain information, or performs a specific action. This type of attack is usually carried out on the phone. This technique often requires no prior research.

If you don’t want to become the next victim of social engineers remember the following rules of protection:

• Don’t use the same password for authorization in external systems and the company’s account.
• Do not open emails from untrusted sources.
• Lock your computer anytime you leave your workplace.
• Install anti-virus software.
• Know your company’s privacy. All employees should be instructed on how to behave with visitors. If you meet a stranger wandering through the building alone, you should have the necessary instructions.
• Disclose over the phone and in person conversation only the really necessary data.
• All documents on the projects should be removed from the portable devices.

If you still believe that social engineering doesn’t worth attention read about Victor Lustig (the man who sold the Eiffel Tower twice) or Robin Sage (the fictional femme fatale that gained access to secret information using social networks).

High-profile data breaches continue to hit the headlines. However, you may be surprised to know that most of the attacks do not take a lot of time or efforts. Weak passwords provide abusers with a lot of opportunities.

If you are involved in the development of a software product that implies usage of some personal data, this post is just for you. It is prepared by the a1qa Security Testing Center of Excellence engineers. After you finish reading it, you’ll learn:

• Strong passwords – what are they?
• What techniques can be implemented to increase the security of user accounts?
• Can software testers detect security flaws before the real attackers do and eliminate them?

3 ways attackers steal passwords

Before talking about securing passwords, let’s list the ways the attacker may take to steal them. Generally, the password can be stolen directly from a user, from the service, or on its way from the client to the service.

Today, we’ll focus on the first option only as it is related to the password security, while two others deal with the web app vulnerabilities and the likelihood of the password being stolen has nothing to do with the password complexity.

So how can attackers break in?

• Performing brute force attacks. Surprisingly, but most of the passwords can be guessed within a specific number of tries. By resorting to this method, hackers will use special tools to enter the password over and over again until it’s cracked. This hacking method is the easiest and least sophisticated.
• Another option is to employ social engineering techniques to learn the user’s credentials, as the human weakness is much easier to penetrate than the network vulnerabilities. This method is more sophisticated and requires psychological skills from the hacker to sound trustworthy and make the victim reveal the data.
• Also the attacker can peep the password at the victim’s working station, install the keylogger to monitor and register all keystrokes typed or simply find a sticker with the password.

You see it’s not that difficult to learn the password if you want to.

Password protection techniques

If the hacker prefers one of the two latter options, the dev team won’t be able to do anything to stop them. However, the first method can be prevented by implementing certain techniques at the software development stage.

Let’s name a few:

• Implement CAPTCHA to prevent bots from automating logging and prove there is a human performing an action.
• Require two-factor authentication with the help of other devices. For example, a user may be asked to enter the code received in an SMS. Another option is to generate a one-time password that will be valid for only one session or transaction.
• You can also restrict a user after several unsuccessful login attempts. However, make sure you won’t block the user forever, just for some period of time.
• Add controls to password minimum length and complexity.
• Ideal password length is 8-12 symbols.
• Make sure your users know that the password may incorporate numbers, Latin characters and special symbols ($, ?, !, <, ”, #, %, @, etc.).
• The combination of number and letters (upper- and lower-case) is reasonable and reliable.

It’s NOT recommended to use:

• Words that can be found in the dictionary as password-cracking tools
• Adjacent keyboard combinations like qwerty, 123456789, qazxsw are also trivial to crack.
• Personal data (first or last name, birth date, passport number, etc.) and also passwords from other services.

Inform your users that it’s also important to make a password that will be not difficult to remember. Most people tend to write long passwords down and stick it to the monitor, which increases the risk of the password being stolen.

You can also develop built-in notifications to remember your users to change the password once in every 90 days, for example.

Also, think about the actions that a user should take if his/her password has been stolen or he/she believes it has been.

What happens if there are no security techniques implemented: a real-world example

If there are any vulnerabilities in the security mechanisms, the abuser who has enough time and desire to get the password will make use of this vulnerability and sooner or later succeed. Getting access to the web site admin panel will enable the abuser to change the web site content.

In one of the projects our engineers were testing the mobile app. The app had a two-factor authentication and the user had to enter his phone number, get a code in an SMS and enter the 4-digit code to log in.

The first things the a1qa engineers paid attention to was that the code was made up of 4 digits, which gave them (and abusers) only 10000 of possible combinations to crack the password.

To make things worse, there was an error in the authentication process: the server didn’t block users after any number of unsuccessful login attempts.

Cracking the password with the specially developed script took our engineers only 15 minutes!

Here is Top Security Threats for Web Apps detected by the a1qa engineers: Part 1 and Part 2.

Penetration testing is a vital part of any effective security strategy

Pen testing allows to assess the security level of the system by running simulated attacks to detect possible entries for the abusers.

Professional pen testing process involves several stages.

At the very beginning, security testing engineers collect all information they can about the victim/client: names, emails, children names, nicknames in social media accounts, etc. Based on this information, dictionaries for password cracking are generated and used to crack passwords.

Social engineering emails, calls, face-to-face contact and other tests on people can be performed to ascertain if they are susceptible to an attack.

When to perform pen testing?

Penetration testing should start only after the application is ready and a full functionality test is completed.

Pen testing results:

• Independent assessment of the system security level
• Detection of all security weaknesses
• List of recommendations to improve with the estimation of time and costs they will take to enable.

Is your users’ data secured? If you have any doubts, set up an obligation-free consultation with the a1qa security testing specialists.

In our previous post security testing engineer Vadim Kulish talked about five threats that took us no long to be detected. Today we continue with the hardest nuts to crack.

#6. Executable files upload

The tested app enabled to upload .exe files that could be accessed using an absolute file path. The contents of the file were checked, while its extension – was not. The files with the php code couldn’t be uploaded either.

When we were auditing the app, we changed the php file by adding HTML elements to its beginning. The .php extension was left untouched. As a result, we got the complete access to the server and could execute console commands.

Root cause: inadequate .exe files check.

Exploitation threat: getting complete control over the web application.

#7. SQL injection

In security testing, SQL injection is a code injection to the legitimate SQL statement that is inserted into an application entry field for execution. SQL injections may be of different types:

• Visible (the results of the attack can be seen by an attacker);
• Blind injections (the results of the injection are not visible and to get the data we apply the brute force search: the character is valid when the app changes its workflow or the time lag appears).

Possible threats of the SQL injection:

• Data theft;
• Authentication bypass;
• Getting server access control.

Sometimes, to automate the process of injection detection we use an open source penetration tool SQLMAP. However, more often we do it manually.

In our case, the injection was detected on the Home page of the website in the Search element.

Root cause: no input data check mechanisms.

Exploitation threat: getting complete access to the application database.

#8. Local files reading

We were testing the multi user application that stored personal data of its users. The app was built with defects and we could input the local file name in our entry and see the file contents.

Exploiting this vulnerability we managed to get a configuration file that allowed us to get in any account in the app. As the application allowed sending and receiving messages we could reset the users’ passwords and get the links the users would receive to change passwords. By following the link we changed passwords and logged into the app.

Root cause: no input data check mechanisms.

Exploitation threat: access to the web application configuration files.

#9. NoSQL injection

You already know that there is such a threat as a SQL injection. Are there NoSQl injections? Of course! Redis, MongoDB, memcached belong to the non-relational databases and malicious users couldn’t pass them by.

NoSQL ≠ No Injection

The main difference is that NoSQL databases don’t support SQL-like languages. Every database may use its own language. That’s why the number of potential threats increases.

When testing the app we dealt with the MongoDB database.

What did we discover?

The app had API that could be queried. The authentication to the app was implemented with a 32-character token that couldn’t be cracked. After giving a thought, we decided to manipulate the parameter. We learnt the MongoDB documentation and found out that it was possible to input regular expressions into the query and thus minimize the data for the query. As a result, the 32-character parameter was cut down to only 4 symbols that could be guessed to enter the app.

Root cause: no input data check mechanisms.

Exploitation threat:  application authentication bypassing.

#10. Race hazard

It’s probably the most interesting vulnerability we’ve ever come across and it was detected in the finance app.

The race hazard or race condition is the result of the multithreaded application poor design. When it occurs, several threads try to get a concurrent access to the shared memory location and at least one of them performs writing. As a result, the reading thread gets wrong values that were previously changed by the writing thread.

What did our team? We tried to create several concurrent queries to the web application. Actually, the web application is a good example of the multithreaded app as it may have many users working with it simultaneously. The key condition is that the writing (either of the file or to the database) should be performed. On our project, the writing was performed into the database. We generated some queries about money transfer and in return got more than we expected!

To make it more clear: for X coins a user gets Y coins. We generated 10 simultaneous queries to exchange X coins for rubles. As a result, X coins were deducted from our account and we were lucky to get 10*Y rubles.

Root cause: wrong application design.

Exploitation threat: money theft.

To avoid all these threats we urge the companies to conduct regular security checks and test the software products for all kinds of vulnerabilities.

By addressing the professional team, you’ll be confident that your solution poses no risks to users.

Security testing team assesses websites, applications and other software products to identify vulnerabilities and threats that can be exploited by abusers. Vadim Kulish, security testing engineer has made a list of 10 most severe vulnerabilities that were detected on real projects.

All vulnerabilities are arranged by the difficulties of detection: the most evident go first and are followed by the trickiest ones. There are also root causes of every vulnerability and exploitation threat.

#1. Google dorks

We’ve already talked about Google Dorks here. Let me remind you in short, Google dorks queries are search operators used in security testing to find information that isn’t readily available on the website.

Here are a few examples of advanced search parameters:

• site: – searches for files located on a particular website;
• filetype: – searches for files of the specified type;
• inurl: – returns results with that sequence of characters in the URL;
• intitle: – returns files with the string in the page title.

Google dorking is also known as Google hacking as it can return information that is not intended for public viewing but has not been adequately protected.

In our case we were performing security analysis of the bank’s website and made the following query: site:example.com filetype:pdf (example.com – customer’s website). The query returned a number of documents in pdf. This vulnerability wouldn’t have been ranked as a major one if these documents weren’t plans of the bank facilities. More than enough data for a massive bank robbery!

Root cause: wrong web server configuration.

Exploitation threat: leak of confidential documents.

#2. Data disclosure

When conducting security audit we always check the following resources for leakages:

• Github (source code, credentials);
• Files containing important information forgotten on the server (backup copies, source code, information about the installed software);
• Builds for developers and testers (as a rule, they run in a debug mode and if there is a mistake, show vital information about the application functioning);
• Pastebin.com (on this website developers exchange useful information about leakages or code threats).

Looking over these resources when testing the e-commerce website, we found a development build of the website on the server. The build contained numerous web application parameters, including, but not limited to those, that could be used for connecting to the PayPal API. Obviously, this data was enough to connect to the shop payment account and leave it without funds.

Root cause: wrong web server configuration.

Exploitation threat: leak of confidential data for PayPal connection.

#3. SSL DoS

DoS (Denial of Service) is a cyber-attack characterized by an attempt by attackers to prevent legitimate users of a service from using that service.

A little bit of technical information before moving to our point. I believe that you know that HTTPS is the secure version of the HTTP protocol. The “s” at the end stands for “secure”. This protocol is used to enable communication between the server and the browser. The communication is encrypted with keys. But if the server is wrongly configured, the client will ask for secure communication establishment several times. The problem is that the load on server in this case will be many times higher than on the client’s side. An average server may process 250-300 secure connection requests, while the computer may generate up to 1 000 requests per second.

Now back to our story. Our team was performing vulnerability analysis of the internet banking and run DoS attacks. Suddenly one of the attacks worked out and crashed the site. This vulnerability was a good one for hackers as it was hard to detect – the DoS attack didn’t crash the website. As soon as the hacking software was turned out, the website resumed working.

Root cause: wrong https server configuration.

Exploitation threat: complete server blocking.

#4. Cracking of one-time password (OTP)

We were testing mobile app and got access to users’ account. The problem was in the vulnerable authentication process. The user got a password over mobile phone and entered it to authenticate in the app. The server generated the OTP and then checked the password sent by the user.

What did we find out? We paid our attention that the password was a digital code composed of 4 digits only. It meant that there were only 10 000 possible combinations. And we decided to check whether the password could be cracked. Ideally, the user should be given only three attempts to enter the password. When the third attempt fails, the server should block the user. However, this wasn’t our case.

Then we decided to act as real users. We sent an SMS from our mobile phone and got the OTP. However we didn’t enter it and started cracking it. It took us only 15 minutes to get the valid password.

That wasn’t the limit as we went further and automated the process of OTP cracking. As a result, we got a little script that allowed getting into the app knowing only the user’s phone number. The harmfulness of that vulnerability was that the cracked app was a messenger and hijacking it we got access to the user’s correspondence. The unconscious real user got no idea what was happening as the only thing he saw was an incoming SMS with four digits.

Root cause: insufficient anti-automation, logical error.

Exploitation threat: access to the application users’ accounts.

#5. Control panel authentication bypass

It was the fastest hacking that us only a minute!

The customer approached us to test the e-commerce website. Looking for bottlenecks in system security we came across the control panel. And in a minute we were looking at it as if we were authorized to do this. How did we manage to do it?

It was due to the HeartBleed vulnerability in the popular OpenSSL cryptographic software library. It was publicly disclosed in 2014 and its exploitation allows to read adjacent server’s or client’s memory not intended to be accessible. In our case it was the HTTPS web server and it stored all requests from users. Exploiting the HeartBleed vulnerability, we managed to get cookie parameters and, as a result, access to the control panel.

Root cause: the application was using vulnerable system components.

Exploitation threat: access to the control panel.

Of course, our customers were promptly notified of these security flaws and got recommendations for their fixing, while our team stayed 100% satisfied with the outcome – we made sure that no app was delivered to customer with such major errors.

Next week we’ll continue with the hardest and most curious security bugs we’ve detected.

What vulnerabilities have you detected? Welcome to the comments!

As e-commerce is gaining its popularity, natural concerns about security arise. The breach of payment details can lead to major losses for any service provider, irrespective of their reputation. To avoid this worst-case scenario, proper security mechanisms should be implemented by the application developers to protect users’ finances and confidential information from being stolen. Alexey Abramovich, security testing manager at a1qa, specifies the most important of them.

A strong and robust application storing users’ payment details is the responsibility of the whole team. Product owner, product manager, developers, testers and designers must be aware of the mechanisms and best practices aimed at making a more robust and safe e-commerce app and stipulate their incorporation.

Implementing e-commerce security mechanisms

First, to make any application storing users’ payment details safer, e-commerce being no exception, there should be proper mechanisms for authentication and authorization. They will make it possible to distinguish between the website visitors’ rights and personal data. The mechanisms are the main attacking vectors and should be as safe as possible because if breached, they will provide access to users’ sessions.

Development teams should apply proper security measures to build a secure e-commerce product that will employ customers’ debit/credit cards.

One measure is to validate all data input by users. This will help avoid all kinds of injections to the application code. It’s also important to implement control over the application and web server configuration to avoid frequent mistakes related to misuse of SSL/TLS protocols. Attackers may benefit from the protocol mistakes and pick up payment data the user inputs to the application.

Every day software companies deal with security testing of the most advanced and sophisticated web solutions. Experience shows that the most dangerous vulnerabilities are multiple kinds of injections to the application code such as SQL injections, JavaScript injections or operating system commands injections. A hacker can use them to steal confidential information.

The second largest vulnerabilities are located on different levels of system composition of the web applications, such as web server, third-party libraries and database servers.

The article was prepared for eSecurity Planet. Read the full version here.

The research of Electronic Frontier Foundation ascertained that only eight IM-messengers were corresponding to all types of security. How can e-criminals get inside our messengers and what can they steal? And more importantly, is there a way application security testing can stop cybercriminals from doing that?

Scripts are not remedy

All five applications (WhatsApp, Viber, Skype, Facebook Messenger, and Google Hangouts) encrypt the network traffic to protect users’ information from interception and modification. Although it’s vital for users’ security this type of protection is quite new.

For a long time, it was common to send images, locations, and links to files freely with no protection at all. But little by little as the applications were spreading within more people they capture the attention of information security specialists. They were finding vulnerabilities and then publishing them in open sources. That pushed developers to start fixing bugs.

If the application has an encrypted code, it still cannot ensure absolute security. Any profile can be hacked and spammed. The reason for insecurity can be simply explained: all applications are made by humans, and if at least one developer made a tiny mistake, the whole application might stay insecure.

Thus a potential criminal almost always has a chance to steal users’ data or disable applications using vulnerabilities developers and testers omitted. Those vulnerabilities can come up on the stage of entering the message. The thing is that even if the message is formed correctly it still may allow doing a random command or denial of service. In this case, personal data can be sold to a third party. The most harmless way to use stolen data is spamming those users with targeting ads. But if a denial of service is happening users will lose access to the application.

Popular vs. secure

All five famous applications described in this article were proved to have at least one security flaw. Are there any flawless IM-messengers? According to EFF, the following IM-messengers correspond to all security requirements:

• CryptoCat
• Signal / RedPhone
• Silent Text
• Silent Phone
• Telegram (secret chats)
• Off-The-Record Messaging for Windows (Pidgin)
• TextSecure
• ChatSecure + Orbot

Unsecured by default

Many users are interested in whether the owners’ IM-clients have access to their private messages and files transferred. According to EFF all five applications compared in this article are not encrypted so the provider can read them. Even Blackberry Messenger which was considered to be well-protected one turned out to be vulnerable.

Facebook Messenger can, however, collect and use your data for advertising purposes. Some would consider this to be ‘spying’ on you, but not in the way that many reports are suggesting.

Going further, Google Hangouts doesn’t support off-the-record (OTR) encryption, which provides a secure, end-to-end connection between users. Using OTR encryption, no one can read your messages – not even your Internet service provider. But no Google service supports OTR encryption, and many privacy advocates, like the EFF, say they should.

Moreover, some applications are not just encrypted but allow bosses to watch their employee chats if they are registered in the special app. It can be said about Slack. Being oriented on corporate communication it allows bosses not just to watch, but even to correct both business and private chats.

As we can see from the EFF rating, the most popular applications remain insecure. At the same time, the applications developed by amateurs and not well known were found to have a high level of security. Anyway, it’s always up to a user which application to choose, a popular and unsecured or secured but little-known one.

Only 20% of IM-messengers can be called secure enough. This is what the research of Electronic Frontier Foundation found after checking almost 40 IM-messengers. The research ascertained that only eight messengers were corresponding to all types of security.

Older than the internet

The system of instant messaging arose earlier than the Internet. Although, the definition of IM-messengers appeared only in 1990s, the first collective systems of exchanging messages emerged in 1960s. In the very beginning they were used as notifying systems, but soon they became available for users registered on the same computer.

Online-chats became popular in 1970s. When BBS (bulletin board system) gained its popularity in 1980s, some systems started implementing chats, which in ten years would be called “instant messengers”.

The first messengers with graphic interfaces emerged with the Internet spreading. Finally, internet-pager with ICQ-system of instant messaging was released in 1996. ICQ-system was extremely popular all over the world, because it has such convenient features as networks statuses and file attaching. It was the first instant messenger that corresponded to the definition of “functional”.

With spreading of mobile phones that had cheap Short Message Service, IM-messengers stayed in shadow. But once smartphones were invented, developers started releasing IM-applications targeted on smartphone users. They differed a lot from the first IM-messengers, reminding social networks, where a profile picture could be added, network statuses were enabled, and file attaching was possible. Since mobile IM-messengers used phone numbers as a login, the problem of adding new contacts was now solved: once user added a new contact to their address book, this contact automatically moved to IM-messenger database.

Ad protection

The most popular messengers today are WhatsApp, Viber, Skype, Facebook Messenger and Google Hangouts. All of those apps use client-server architecture and allow creating groups and chats, as well as transferring files and users’ locations.

The same way big cities attract thieves, popular IM-messengers attract internet-robbers. That’s the reason why the app owners, working with big personal data should care about the highest level of security and run through regular application security testing to ensure it.

The more popular the app is the more ads it will have, the more spam it will be flooded with, the more profiles would be hacked and the more personal data would be stolen. How can you protect yourself in those harsh conditions?

To resist ad spammers all of the messengers mentioned above have the function of the black list, where all spammers are moved. However, this measure loses its effectiveness when the user gets phone number. After changing it they receive a new login and new default settings, which means changing security settings. Now the user has to make his black list again manually.

Moreover, even if you block all spammers, ad messages can still be delivered to your inbox. The thing is that sometimes ads can be sent by your real contacts, whose profiles were hacked and used for sending spam. So far IM-clients add all your phone contacts to the messenger treating them as reliable contacts, and criminals can use this feature to send spam from the profiles of user’s friends.

Previously we discussed which type of security testing you need to define how well your system is protected.

Types of security testing

There are two types of security testing: Penetration testing and Vulnerability Assessment. Each having goals and objectives. The goal of penetration testing is enter a web-application internal infrastructure, cease control over the internal servers or access the important information.

Vulnerability assessment includes more comprehensive system check. Its main goal is to identify system drawbacks and vulnerabilities that can lead to getting unauthorized access or possible users discrediting. All the detected defects get qualified according to the level of risk and influence upon the general system security state. Usually specialists do not exploit the detected vulnerabilities; still it can be done if the parties have agreed.

Above this all, vulnerability assessment takes much time and is often held to comply with standard requirements.

Let`s have a look at a case that shows difference between penetration testing and vulnerability assessment.

Imagine that we`ve detected a bug: absence of HttpOnly security flag in cookie file with identifier of user session. Flag Absence allows stealing user cookie applying cross-site scripting method. In the context of vulnerability assessment this is definitely a defect and it should be described in the final report. Still, for penetration testing this case will considered a defect, if it allowed a tester to access the authorized user account, otherwise the defect won`t be described in the report.

Next criterion for choosing type of security testing is system data provided to analysts. The provided data defines which testing method will be chosen. There can be three of them:

• Black box testing – tester receives none system information except the list of IP-addresses or the website link;
• Grey box testing – testers receive valid accounts and limited system information;
• White box testing – testers get full information about the system: accounts, network maps, technological specifications, web-applications source code.

As you can see the “whiter” your “box”, the more detailed information about system security you get in the end of the testing process, and the more important information third party gets, hence the more expensive and time-consuming the testing process is.

The last criterion is system entry point. This criterion is valid only for performing penetration testing on local network level. In case like this there are two options:

• External penetration test – only external company IP-addresses accessible from the internet are tested;
• Internal penetration test – test is performed inside the corporate network. Testers work inside your team in company office or work via VPN access.

Usually, internal penetration test is performed to comply with requirements of domain standards; or to check security level against inside attacks, i.e. those executed by company staff.

So in a nutshell, we went through all the criteria of choosing security testing method. Combining them you can correctly define your requirements to a testing company. For example, if you need a thorough check of your system, choose a combination of vulnerability assessment and white box penetration testing. If the budget is limited – choose black box penetration testing.

I think this kind of arguments sound much better than “We need security testing”. Use this article to carefully define your needs to testers, don`t waste time on useless talking.

First of all I want to say that if you ever faced the issues of security testing, but really know few about it in practice, this article is what you need to read. If you are a security tester, well, you can use the article for explanation purposes.

So, when security testing is necessary? There are LOTS of reasons, the listed below are basic ones.

Security testing is necessary when:

• There is a corporate network or web application that wasn`t ever check for security issues or it was REALLY long time ago;
• The system was successfully attacked or there was a try;
• New functionality was implemented in a functioning product;
• Layout of corporate network was heavily changed;
• The application was migrated from test environment into manufacturing environment;
• Company follows domain standards (PCI DSS, HIPAA).

In fact, there is a very simple way to define whether you need security testing or not. If you have “something” and this “something” processes important data and can be accessed via the internet – you NEED security testing. What is important data? Everything that is valuable: user personal data, payment cards information, company`s bills, invoices and so on. Even if your application doesn`t store or process important information, do not underestimate possible reputation damage. I think you agree that if someone hacks your website and changes your logo to the competitor`s one, it does you no good.

So, when you finally agree that performing security is a good decision, move to the next step: type of security testing. When you already have security check requirements defined by an outer analyst, it would be much easier to decide. Still, what to do when you literally have nothing?

Option #1: You can approach to a software testing company saying “I have a website/network and want to check its security”, BUT it takes testing specialists several days to define the need and takes you additional costs.

Option #2 (the right one): work out your security testing needs. For that very purpose consider these criteria:

• Define you testing goals
• Collect system data to provide analysts with necessary information
• System entry point (relevant only for testing local networks)

There are two types of security testing: Penetration testing and Vulnerability Assessment.

The goal of penetration testing is enter a web-application internal infrastructure, cease control over the internal servers or access the important information. Doing this testing specialists feign actions of real hackers. The defects detected in the testing process and testing methodology isn`t the main thing here. What is important here is whether the system in its current state is accessible for hackers or not. Testers are to prove that.

Penetration testing takes less time than Vulnerability Assessment and evaluates the efficiency of your security measures.

If you want to know whether it is possible to hack your system, penetration testing is your option.

Next time we`ll go through Vulnerability Assessment and its differences from Penetration testing.

What skills do you need to possess? Operating systems are everywhere today. Every day we send thousands of requests via laptops, smartphones and tablets, but do we remember our data security and confidentiality? The article by Anna Andreeva.

What should you know to test security?

In fact, the growth of web and mobile applications usage causes the leakage of users’ private information. Thus, security testing becomes an essential part of application development in general and web app testing in particular. But what an engineer needs to know to perform security testing?

First of all, you are to understand that security testing is not only about the application itself, but also about environment testing and check of information transfer and storage methods. The QA engineer should know lots of things apart the programming languages.

Of course, when a tester knows the application technology s/he understands where to search for bugs and how to fix them. For example, applications developed applying the ASP.Net by default use the built-in mechanisms of validation data, while the PHP programming language presupposes additional integrations of user entries.

When performing testing procedures keep in mind that application always runs in some operating system: a server, a laptop or a smartphone. Therefore security testing requires knowledge of system administration, and the skills of an experienced user. For example, if access to the server is provided with «low» rights, the engineer should know the way of escalation rights to the admin user. To do this you`ll need to understand how the register operates and how to launch services, processes and events logging systems.

Next thing in this list is knowledge of network technologies. Often hackers do need to attack the application to get the information because it is possible to “steal” it during the transfer process. To prevent it you are to know OSI model, package structure and the network routing process.

For firewall security testing also requires for special knowledge. What you should understand here is performing of checks from process incomplete, bypassing the “fire wall” through trusted processes and the ability tested products to block execution of unauthorized code in kernel mode.

SQL injection is one of the most critical OS`s vulnerabilities. It provides access to the information stored in the application data base. Thus the knowledge of SQL request language and its dialects is necessary for a full scale security testing. Remember a successful attack doesn`t end on simple select requests.

To check the protection against the cross-site scripting, hackers integrate harmful HTML/CSS/Javascript code in DOM-markup or in a request, which allows them to redirect user to the necessary resource and block application processes or “steal” the session variables. To run this check you need the knowledge HTML, CSS and Javascript.

Poor algorithms of data encryption can also become the reason of information leakage. To detect this vulnerability an engineer should know cryptography basics and what methods of data encryption protect information and algorithms are really poor for information security. For example, protocol SSL v2 is used to transfer data between a client and server and it is considered to be quite vulnerable. Specialists advise to exchange it for SSL v3/TLS v1 protocols.

On the whole, security testing demands for specialized knowledge. It is not obligatory to have extended programming skills, but you are to have basic understanding of different technologies, their pros & cons. If you need to bypass data validation, then you are to understand how programming languages “process” user entries. To integrate SQL-request, an engineer should understand how connecting line is formed and how information gets to database, what returns to users.

For security testing programming language is a tool for information processing. To detect a defect it is unnecessary to write encrypting algorithms or to obfuscate the code while the program running, but you are to know what is variable, array, class, structure and understand how the entities cooperate.

In the end, I want to say that programming languages are not the key of successful security checks. But the understanding of application basic operating principals, their influence upon the used technologies, operating system and configuration is a-must.