
SOFTWARE QUALITY ASSURANCE

Course Outline
Course Outline (Cont.)

Course Contents
Lecture 11 Cost of Quality
Lecture 12 Software Quality Metrics
Lecture 13 Introduction to a Testing Tool (Guest Lecture)
Lecture 14 Course Recap
LECTURE # 14

APPLICATION SECURITY TESTING
Application Security Testing (AST)
What is AST?
• Application security testing (AST) is the process of making applications more resistant to security threats by identifying security weaknesses and vulnerabilities in source code.
• It started as a manual process.
• The large number of known vulnerabilities and threat vectors requires AST to be conducted using tools.
Broad Categories of AST

• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Interactive Application Security Testing (IAST)
SAST
• SAST inspects static source code and reports on security weaknesses.
• This is what's known as a white box security testing technique.
• Static testing tools can be applied to non-compiled code to find issues like syntax errors, math errors, input validation issues, and invalid or insecure references.
• They can also run on compiled code.
• Example tools:
  - Insider (for web apps)
  - MobSF (for mobile apps), etc.
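Example of the kind of white box rule a SAST tool applies, added here for illustration (it is not code from the lecture or from any of the tools named above): it parses a constructed Python sample with the standard ast module and flags execute() calls whose SQL text is assembled at runtime, the pattern behind the SQL injection slides later in this lecture. The sample source and the rule itself are assumptions; a real tool would also follow query strings built in earlier statements, which this rule does not.

```python
import ast

# Constructed sample of application code for the rule to scan (not from the lecture).
SAMPLE_SOURCE = '''
def login(cur, user, pw):
    cur.execute("select count(*) from users where username = '" + user + "' and password = '" + pw + "'")
    cur.execute(f"select * from users where username = '{user}'")
    cur.execute("select * from users where username = %s" % user)
    cur.execute("select * from users where username = ? and password = ?", (user, pw))
'''


def _built_at_runtime(node: ast.AST) -> bool:
    """True when the statement text is assembled from pieces instead of a constant."""
    if isinstance(node, ast.JoinedStr):                       # f"...{user}..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "..." + user  /  "..." % user
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                           # "...{}".format(user)
    return False


def find_dynamic_sql(source: str) -> list[int]:
    """Return line numbers of execute()/executemany() calls whose first argument is dynamic."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args
                and _built_at_runtime(node.args[0])):
            findings.append(node.lineno)
    return sorted(findings)


if __name__ == "__main__":
    # Lines 3-5 of the sample are reported; line 6 uses bound parameters and is not.
    for lineno in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {lineno}: SQL statement built from runtime data; use bound parameters")
```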
DAST
• In DAST, the application is executed and inspected at runtime, detecting issues that may represent security vulnerabilities.
• These include issues with query strings, requests and responses, the use of scripts, memory leaks, cookie and session handling, authentication, execution of third-party components, data injection, etc.
• DAST tools take a black box testing approach.
• Example tools:
  - Acunetix (for web apps)
  - Netsparker (for web apps)
  - Nikto (for web apps)
IAST
• A combination of SAST and DAST to detect a wider range of security weaknesses.
• This is known as a grey box security testing technique.
• Like DAST tools, IAST tools run dynamically and inspect software during runtime. However, they run from within the application server, allowing them to inspect compiled code as SAST tools do.
Penetration Testing
• Also known as a pen test.
• A simulated cyber attack against your computer system to check for exploitable vulnerabilities.
• In the context of web application security, penetration testing is commonly used to augment a web application firewall (WAF).
Penetration Testing Stages
• The pen testing process can be broken down into five stages.
Penetration Testing Methods
• External Testing
• Internal Testing
• Blind Testing
• Double-blind Testing
• Targeted Testing
Penetration Testing Methods
• External Testing
  It targets the assets of a company that are visible on the internet, e.g., the web application itself, the company website, and email and domain name servers (DNS). The goal is to gain access and extract valuable data.

• Internal Testing
  In an internal test, a tester with access to an application behind its firewall simulates an attack by a malicious insider. This isn't necessarily simulating a rogue employee. A common starting scenario can be an employee whose credentials were stolen due to a phishing attack.
Penetration Testing Methods
• Blind Testing
  In a blind test, a tester is only given the name of the enterprise that's being targeted. This gives security personnel a real-time look into how an actual application assault would take place.

• Double-blind Testing
  In a double-blind test, security personnel have no prior knowledge of the simulated attack. As in the real world, they won't have any time to shore up their defenses before an attempted breach.
Penetration Testing Methods
• Targeted Testing
  In this scenario, both the tester and security personnel work together and keep each other apprised of their movements. This is a valuable training exercise that provides a security team with real-time feedback from a hacker's point of view.
SQL Injection (SQLi)
• SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
• It generally allows an attacker to view data that they are not normally able to retrieve.
• It transforms innocent SQL calls into malicious calls.
• Key Idea:
  Input data from the application is executed as code by the interpreter.
How does it work?
1. App sends form to user.
2. Attacker submits form with SQL exploit data (password field: ' or 1=1--).
3. Application builds string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, sends data back to application.
6. Application returns data to user.
(Figure: Attacker / User, Form, Firewall, Web Server, DB Server.)
SQL Injection Attack #1
• Unauthorized Access Attempt:
  password = ' or 1=1 --
• SQL statement becomes:
  select count(*) from users where username = 'user' and password = '' or 1=1 --
• Checks if password is empty OR 1=1, which is always true, permitting access.
SQL Injection Attack #2
• Database Modification Attack:
  password = foo'; delete from users where username like '%
• DB executes two SQL statements:
  select count(*) from users where username = 'user' and password = 'foo'
  delete from users where username like '%'
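The Attack #1 query above run against a small in-memory SQLite table, as an added example (not code from the lecture): the first function builds the statement by string concatenation exactly as the slide shows, so the password input is executed as SQL; the second sends the same query with bound parameters, so the same input is compared as data and the login fails. The table contents, user name and password are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table (not from the lecture): one account, user / s3cret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values ('user', 's3cret')")
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The slide's vulnerable pattern: user input pasted into the statement text."""
    sql = ("select count(*) from users where username = '" + username
           + "' and password = '" + password + "'")
    # With password = "' or 1=1 --" the text sent to the database is
    # select count(*) from users where username = 'user' and password = '' or 1=1 --'
    # and the trailing quote is swallowed by the -- comment.
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Mitigation: the statement text is fixed; values travel separately as parameters."""
    sql = "select count(*) from users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both login variants with a valid password and with the Attack #1 input."""
    conn = make_db()
    attack = "' or 1=1 --"          # Attack #1 input from the slides
    return {
        "concat_valid": login_concatenated(conn, "user", "s3cret"),
        "concat_attack": login_concatenated(conn, "user", attack),   # granted: injection worked
        "param_valid": login_parameterized(conn, "user", "s3cret"),
        "param_attack": login_parameterized(conn, "user", attack),   # denied: input stays data
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'access granted' if granted else 'access denied'}")
```

Note that sqlite3's execute() refuses to run more than one statement per call, so the stacked delete of Attack #2 is not reproducible with this driver; the parameterized form closes that path as well, because the delete would be compared as a password value.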
Injecting into SELECT
• Most common SQL entry point.
  SELECT columns
  FROM table
  WHERE expression
  ORDER BY expression
• Places where user input is inserted:
  WHERE expression
  ORDER BY expression
  Table or column names
Injecting into INSERT
• Creates a new data row in a table.
  INSERT INTO table (col1, col2, ...)
  VALUES (val1, val2, ...)
• Requirements:
  Number of values must match the number of columns.
  Types of values must match column types.
• Technique: add values until no error.
  foo')--
  foo', 1)--
  foo', 1, 1)--
Injecting into UPDATE
• Modifies one or more rows of data.
  UPDATE table
  SET col1=val1, col2=val2, ...
  WHERE expression
• Places where input is inserted:
  SET clause
  WHERE clause
• Be careful with the WHERE clause:
  ' OR 1=1 will change all rows
Impact of SQL Injection
1. Leakage of sensitive information.
2. Reputation decline.
3. Modification of sensitive information.
4. Loss of control of the DB server.
5. Data loss.
6. Denial of service.
