Showing posts with label Central Monitoring System. Show all posts

Tuesday, 6 October 2015

Top 20 practical software security testing tips for Pentesters (Security Testers)


1) Learn to analyze your test results thoroughly. Do not ignore the test result. The final test result may be ‘pass’ or ‘fail’ but troubleshooting the root cause of ‘fail’ will lead you to the solution of the problem. Testers will be respected if they not only log the bugs but also provide solutions.
2) Learn to maximize the test coverage every time you test any application. Though 100 percent test coverage might not be possible, you can always try to get close to it.
3) To ensure maximum test coverage, break your application under test (AUT) into smaller functional modules. Write test cases on such individual unit modules. Also, if possible, break these modules into smaller parts.
E.g. let’s assume you have divided your web application into modules and ‘accepting user information’ is one of the modules. You can break this ‘User information’ screen into smaller parts for writing test cases, such as UI testing, security testing and functional testing of the ‘User information’ form. Apply all form-field type and size tests, and negative and validation tests, on the input fields, and write all such test cases for maximum coverage.

4) While writing test cases, write test cases for the intended functionality first, i.e. for valid conditions according to the requirements. Then write test cases for invalid conditions. This will cover expected as well as unexpected behavior of the application under test.
5) Think positive. Start testing the application with the intent of finding bugs/errors. Don’t assume beforehand that there will not be any bugs in the application. If you test the application with the intention of finding bugs, you will definitely succeed in finding those subtle bugs as well.
6) Write your test cases in the requirement analysis and design phase itself. This way you can ensure all the requirements are testable.
7) Make your test cases available to developers prior to coding. Don’t keep your test cases to yourself, waiting for the final application release for testing in the hope of logging more bugs. Let developers analyze your test cases thoroughly to develop a quality application. This will also save re-work time.
8) If possible, identify and group your test cases for regression testing. This will ensure quick and effective manual regression testing.
9) Applications requiring critical response time should be thoroughly tested for performance. Performance testing is a critical part of many applications. In manual testing this part is mostly ignored by testers because the large data volumes required for performance testing are not available. Find out ways to test your application for performance. If it is not possible to create test data manually, then write some basic scripts to create test data for the performance test, or ask the developers to write one for you.
10) Programmers should not test their own code. As discussed in our previous post, basic unit testing of the developed application should be enough for developers to release the application to testers. But you (testers) should not force developers to release the product for testing. Let them take their own time. Everyone from lead to manager knows when the module/update is released for testing, and they can estimate the testing time accordingly. This is a typical situation in an agile project environment.
11) Go beyond requirement testing. Test the application for what it is not supposed to do.
12) While doing regression testing, use the previous bug graph (bug graph: number of bugs found against time for different modules). This module-wise bug graph can be useful to predict the most bug-prone part of the application.
13) Note down the new terms and concepts you learn while testing. Keep a text file open while testing an application and note down the testing progress and observations in it. Use these notepad observations while preparing the final test release report. This good habit will help you provide a complete, unambiguous test report and release details.
14) Many times testers or developers make changes in the code base for the application under test. This is a required step in the development or testing environment to avoid execution of live transaction processing, as in banking projects. Note down all such code changes done for testing purposes, and at the time of final release make sure you have removed all these changes from the final client-side deployment file resources.
15) Keep developers away from the test environment. This is a required step to detect any configuration changes missing from the release or deployment document. Sometimes developers make some system or application configuration changes but forget to mention them in the deployment steps. If developers don’t have access to the testing environment they will not make any such changes accidentally on the test environment, and these missing items can be captured at the right place.
16) It’s a good practice to involve testers right from the software requirement and design phase. This way testers can gain knowledge of application dependencies, resulting in detailed test coverage. If you are not being asked to be part of this development cycle, then make a request to your lead or manager to involve your testing team in all decision-making processes or meetings.
17) Testing teams should share best testing practices and experience with other teams in their organization.
18) Increase your conversations with developers to know more about the product. Whenever possible, communicate face-to-face to resolve disputes quickly and to avoid any misunderstandings. But once you understand the requirement or resolve any dispute, make sure to communicate the same in writing, such as by email. Do not keep anything verbal.
19) Don’t run out of time for high-priority testing tasks. Prioritize your testing work from high to low priority and plan your work accordingly. Analyze all associated risks to prioritize your work.
20) Write clear, descriptive, unambiguous bug reports. Do not only provide the bug symptoms but also the effect of the bug and all possible solutions.
Don’t forget that testing is a creative and challenging task. Finally, it depends on your skill and experience how you handle this challenge.
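As an added example (not code from the original post), the following Python test harness applies tips 3, 4 and 11 to the ‘User information’ form used above: valid cases first, then type, size, negative and validation cases, grouped per part so coverage gaps stand out. The form validator and its field rules (name 1-50 characters, a user@host email, integer age 18-120) are assumed for illustration.

```python
import re

# Hypothetical field rules for the 'User information' form (assumed, not from the post).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
NAME_MAX_LEN = 50
AGE_MIN, AGE_MAX = 18, 120


def validate_user_info(form):
    """Return a list of field-level errors; an empty list means the form is accepted."""
    errors = []
    name = form.get("name", "")
    if not isinstance(name, str) or not 1 <= len(name.strip()) <= NAME_MAX_LEN:
        errors.append("name: required, 1-50 characters")
    email = form.get("email", "")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        errors.append("email: invalid format")
    age = form.get("age")
    # bool is a subclass of int in Python, so True would otherwise pass as age 1.
    if not isinstance(age, int) or isinstance(age, bool) or not AGE_MIN <= age <= AGE_MAX:
        errors.append("age: integer between 18 and 120")
    return errors


# Constructed cases: (part, title, input, should_be_accepted). Valid cases come first (tip 4),
# then invalid ones covering type, size, negative and validation tests (tips 3 and 11).
TEST_CASES = [
    ("functional", "valid minimal", {"name": "A", "email": "a@b.io", "age": 18}, True),
    ("functional", "valid upper age boundary", {"name": "Bob", "email": "bob@example.com", "age": 120}, True),
    ("size", "name of 51 chars", {"name": "x" * 51, "email": "a@b.io", "age": 30}, False),
    ("size", "empty name", {"name": "", "email": "a@b.io", "age": 30}, False),
    ("validation", "email missing domain", {"name": "Bob", "email": "bob@", "age": 30}, False),
    ("type", "age as string", {"name": "Bob", "email": "bob@example.com", "age": "30"}, False),
    ("type", "age as bool", {"name": "Bob", "email": "bob@example.com", "age": True}, False),
    ("negative", "age below minimum", {"name": "Bob", "email": "bob@example.com", "age": 17}, False),
    ("negative", "name field missing", {"email": "bob@example.com", "age": 30}, False),
]


def run_suite(cases=TEST_CASES):
    """Run every case; keep the validator's errors so a 'fail' can be root-caused (tip 1)."""
    results = {}
    for part, title, form, should_pass in cases:
        errors = validate_user_info(form)
        passed = (not errors) == should_pass
        results.setdefault(part, []).append({"case": title, "passed": passed, "errors": errors})
    return results


def coverage_report(results):
    """Map each part to (cases passed, cases run) so untested parts are visible (tip 2)."""
    return {part: (sum(r["passed"] for r in rs), len(rs)) for part, rs in results.items()}


if __name__ == "__main__":
    for part, (ok, total) in coverage_report(run_suite()).items():
        print(f"{part:11s} {ok}/{total} passed")
```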

Sunday, 25 August 2013

U.S. spied on United Nations by hacking into video conferencing system at New York headquarters: report

The German magazine Der Spiegel says the U.S. National Security Agency secretly monitored the U.N.’s internal video conferencing system by decrypting it last year.
Susan Rice, U.S. Ambassador to the UN, is seen on the television screens during a UN General Assembly vote at the New York headquarters. The National Security Agency broke the encryption securing the United Nations' internal video conferencing at its headquarters, German news weekly Der Spiegel reported on August 25, 2013, citing secret NSA documents.

The weekly said Sunday that documents it obtained from American leaker Edward Snowden show the NSA decoded the system at the UN’s headquarters in New York last summer.
Quoting leaked NSA documents, the article said the decryption “dramatically increased the data from video phone conferences and the ability to decode the data traffic.”
[Photo: Edward Snowden, who worked as a contract employee at the U.S. National Security Agency, in Hong Kong. Credit: AP Photo/The Guardian, File]
In three weeks, Der Spiegel said, the NSA increased the number of decrypted communications at the UN from 12 to 458.
Snowden’s leaks have exposed details of the United States’ global surveillance apparatus, sparking an international debate over the limits of American spying.
The U.S. government’s efforts to determine which highly classified materials the leaker took from the National Security Agency have been frustrated by Snowden’s sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs, government officials told The Associated Press. Such logs would have showed what information Snowden viewed or downloaded.
The government’s forensic investigation is wrestling with Snowden’s apparent ability to defeat safeguards established to monitor and deter people looking at information without proper permission, said the officials, who spoke on condition of anonymity because they weren’t authorized to discuss the sensitive developments publicly.
The disclosure undermines the Obama administration’s assurances to Congress and the public that the NSA surveillance programs can’t be abused because its spying systems are so aggressively monitored and audited for oversight purposes: If Snowden could defeat the NSA’s own tripwires and internal burglar alarms, how many other employees or contractors could do the same?
In July, nearly two months after Snowden’s earliest disclosures, NSA Director Keith Alexander declined to say whether he had a good idea of what Snowden had downloaded or how many NSA files Snowden had taken with him, noting an ongoing criminal investigation.
[Photo: The National Security Agency (NSA) headquarters at Fort Meade, Maryland, as seen from the air, in this January 29, 2010 file photo. The NSA has said that it destroys all data it isn't supposed to see. Credit: Saul Loeb/AFP/Getty Images]
NSA spokeswoman Vanee Vines told the AP that Alexander “had a sense of what documents and information had been taken,” but “he did not say the comprehensive investigation had been completed.” Vines would not say whether Snowden had found a way to view and download the documents he took without the NSA knowing.
In defending the NSA surveillance programs that Snowden revealed, Deputy Attorney General James Cole told Congress last month that the administration effectively monitors the activities of employees using them.
“This program goes under careful audit,” Cole said. “Everything that is done under it is documented and reviewed before the decision is made and reviewed again after these decisions are made to make sure that nobody has done the things that you’re concerned about happening.”
The disclosure of Snowden’s hacking prowess inside the NSA also could dramatically increase the perceived value of his knowledge to foreign governments, which would presumably be eager to learn any counter-detection techniques that could be exploited against U.S. government networks.
It also helps explain the recent seizure in Britain of digital files belonging to David Miranda – the partner of Guardian journalist Glenn Greenwald – in an effort to help quantify Snowden’s leak of classified material to the Guardian newspaper. Authorities there stopped Miranda last weekend as he changed planes at Heathrow Airport while returning home to Brazil from Germany, where Miranda had met with Laura Poitras, a U.S. filmmaker who has worked with Greenwald on the NSA story.
[Photo: David Miranda (left), the Brazilian partner of Glenn Greenwald, a U.S. journalist with Britain's Guardian newspaper who worked with intelligence leaker Edward Snowden to expose US mass surveillance programmes, is pictured at Rio de Janeiro's Tom Jobim international airport upon his arrival on August 19, 2013. British authorities faced a furore after they held Miranda for almost nine hours under anti-terror laws as he passed through London's Heathrow Airport on his way home to Rio de Janeiro from Berlin. Credit: Marcelo Piu/AFP/Getty Images]
Snowden, a former U.S. intelligence contractor, was employed by Booz Allen Hamilton in Hawaii before leaking classified documents to the Guardian and The Washington Post. As a system administrator, Snowden had the ability to move around data and had access to thumb drives that would have allowed him to transfer information to computers outside the NSA’s secure system, Alexander has said.
In his job, Snowden purloined many files, including ones that detailed the U.S. government’s programs to collect the metadata of phone calls of U.S. citizens and copy Internet traffic as it enters and leaves the U.S., then routes it to the NSA for analysis.
Officials have said Snowden had access to many documents but didn’t know necessarily how the programs functioned. He dipped into compartmentalized files as systems administrator and took what he wanted. He managed to do so for months without getting caught. In May, he flew to Hong Kong and eventually made his way to Russia, where that government has granted him asylum.
NBC News reported Thursday that the NSA was “overwhelmed” in trying to figure out what Snowden had stolen and didn’t know everything he had downloaded.
Insider threats have troubled the administration and Congress, particularly in the wake of Bradley Manning, a young soldier who decided to leak hundreds of thousands of sensitive documents in late 2009 and early 2010.
Congress had wanted to address the insider threat problem in the 2010 Intelligence Authorization Act, but the White House asked for the language to be removed because of concerns about successfully meeting a deadline. In the 2013 version, Congress included language urging the creation of an automated, insider-threat detection program.

Thursday, 15 August 2013

Indian Government buying deep surveillance, monitoring equipment ---> Mobile is spy for Indians

Amid a raging global debate on privacy versus surveillance, monitoring and use of intrusive technologies by governments, the Directorate of Forensic Sciences in the Ministry of Home Affairs (MHA) is set to purchase a range of equipment and software that will allow it to conduct deep search, surveillance and monitoring of voice calls, SMS, email, video, Internet, chat, browsing and Skype sessions on an unprecedented scale.
The shopping list may help the government counter crime and terrorism but civil liberties advocates worry about the misuse of these technologies against ordinary citizens, especially given the absence of strong privacy protection.
The MHA document of July 12, 2013 also lists software-based tool kits for logical level analysis of GSM and CDMA mobile phones — which will comprehensively cover phones and SIMs used by India’s 860 million subscribers across 2G and 3G networks. This will be capable of extracting the phone’s basic information and SIM card data, including in your phonebook and contact list, call logs, caller group information, organizer, notes, live and deleted SMSs, web browser artifacts, multimedia and email messages with attachments, multimedia image audio and video files and details of installed applications, their data, traffic and sessions log. It will allow access to iPhone backup analysis, including those which are password protected. Blackberry, considered safe by unsuspecting users, will also be fair game, since it will support Blackberry IPD backup analysis, even when password protected.

Mobiles and SMS

The specialised hardware on the MHA’s list will be able to extract all data, including call logs, phone books, SMS, email messages along with attachments, MMS, calendars, including passwords and location information. It will be able to read SIM cards and extract SIM-card-related information along with all user information on the SIM card, like phone call register and text messages, even if they have been deleted. The software will be capable of data authentication by hashing algorithms, and will even access deleted phone information by recovering or bypassing passwords. Special forensic kits are being brought in for Chinese mobile phones.

Bypassing passwords

Hardware forensic imaging devices with the capability to acquire data from live systems and content-based images are being procured. The capabilities also include the ability to search for key words in the suspected media and to acquire data over a network. Essentially, this would mean blind, across-the-board search on mass data rather than a targeted search based on an authorised target phone number, email or IP address.
The MHA is also set to acquire software for forensic previewing and for analysis of digital media and smartphones. This can acquire data from various types of storage media, including multi-session media. It can support Windows, Unix, Linux, Sun, Solaris, Macintosh, Apple’s iOS, Android, Blackberry, HP’s palm OS, Nokia Symbian, Windows Mobile OS, etc. The software will be capable of decrypting volumes, folders and files of suspected media, including those subject to various types of encryption — including 32- and 64-bit systems.
Software is also being ordered for previewing, image mounting, password cracking and forensic analysis of digital media. This would allow recovering folders, expanding compound files and saved email databases, extracting artifacts, timeline analysis and registry log analysis. It will allow the government to auto-detect passwords of protected files and decrypt them across a range of encryptions.
The new forensic tool will automatically check for disk encryption, including Truecrypt, PGP, Bitlock and Safeboot. This forensic tool will be capable of collecting and recovering artifacts from live and off-line systems when using cloud artifacts like Dropbox, Carbonite, Skydrive, Googledocs, Google Drive and Flickr. It will link into, and extract data out of, users’ social networking pages like Facebook, Twitter, Bebo Chat, Myspace Chat, Google+ and Linkedin. Similarly, webmail applications like Gmail, Yahoo, Hotmail and instant messenger chat can be targeted through this kit. Instant messenger chat like GoogleTalk chat, Yahoo chat, MSN/Windows Live Messenger, AOL, Skype, ICQ, World of War Craft, Second Life and Trillian, will all be open to collection of artifacts, whether live or offline. The system will also accurately target web browser activity on Internet Explorer, Firefox, Google Chrome, Apple Safari, Opera, Google Maps, etc.
The MHA is one of the nine authorised departments, along with IB and RAW, that are allowed to order surveillance and monitoring of citizens under Indian law. It has been in the news for being closely involved in the implementation of a nationwide Central Monitoring System covering mobile and Internet users.