Agile Security Threat Modeling

In Agile / XP / DevOps development environments, many organizations ignore security testing, or give it low priority, until security bugs are found by a hacker or a professional security expert. My aim is to shed light on the “Agile Security Threat Model”, which helps teams move fast on security testing at an early stage of development. That saves money spent on security testing and helps build a safe application for end users.

Step 1: Identify the known threats in the system (infrastructure / entry points / endpoints).
Investigate your DFD, UML, entry points and APIs. A privilege boundary separates processes, entities, nodes and other elements that have different trust levels.

Step 2: Rank / categorize the threats in order of decreasing risk.
Rank / categorize your security bugs – Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of privilege.

Step 3: Understand and develop a response strategy.
Build your response strategy – improve the code / programming, improve the security of the infrastructure / entry points / endpoints.

Step 4: Identify and implement techniques to mitigate the threats.
Implement solutions – coding / programming standards with security, and security standards for the infrastructure / entry points / endpoints.

Step 5: Test
Test your application – try to hack your application like a “Bad Boy”.
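
The five steps above can be kept as a small threat register that travels with the sprint backlog. The following is an added example, not part of the original post: the element names, trust levels, the 1 to 5 likelihood and impact scales and the risk formula (likelihood × impact) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of Service", "Elevation of privilege"}

# Constructed DFD for illustration: element -> trust level (higher = more trusted).
TRUST = {"browser": 0, "public_api": 1, "order_service": 2, "database": 2}
# Constructed data flows between those elements.
FLOWS = [("browser", "public_api"), ("public_api", "order_service"),
         ("order_service", "database")]

@dataclass
class Threat:
    flow: tuple
    category: str         # one of the STRIDE categories (Step 2)
    likelihood: int       # 1..5, assumed scale
    impact: int           # 1..5, assumed scale
    mitigation: str = ""  # filled in during Steps 3 and 4

    @property
    def risk(self):
        return self.likelihood * self.impact

def boundary_crossings(flows, trust):
    """Step 1: a flow crosses a privilege boundary when its ends differ in trust level."""
    return [f for f in flows if trust[f[0]] != trust[f[1]]]

def rank(threats):
    """Step 2: reject unknown categories, then order by decreasing risk."""
    bad = [t.category for t in threats if t.category not in STRIDE]
    if bad:
        raise ValueError(f"not a STRIDE category: {bad}")
    return sorted(threats, key=lambda t: t.risk, reverse=True)

def gaps(flows, trust, threats):
    """Steps 3-5: crossings nobody analysed, and ranked threats still unmitigated."""
    analysed = {t.flow for t in threats}
    unanalysed = [f for f in boundary_crossings(flows, trust) if f not in analysed]
    return unanalysed, [t for t in rank(threats) if not t.mitigation]

THREATS = [  # constructed sample register
    Threat(("browser", "public_api"), "Spoofing", 4, 4, "token-based authentication"),
    Threat(("browser", "public_api"), "Denial of Service", 3, 3),
    Threat(("order_service", "database"), "Information disclosure", 2, 5),
]

if __name__ == "__main__":
    unanalysed, open_threats = gaps(FLOWS, TRUST, THREATS)
    print("boundary crossings without any threat recorded:", unanalysed)
    for t in open_threats:
        print(f"risk {t.risk:2d}  {t.category}  {t.flow[0]} -> {t.flow[1]}")
```

The open threats, highest risk first, are the natural input for the Step 5 test session.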

Reverse Engineering For Improving Password Security

Hi,

Today I would like to share a simple reverse engineering technique for choosing a safe password for your email or any other use.

Most of the time, passwords are stored as a hash produced by one of the algorithms listed below:

FSB, ECOH, GOST, HAS-160, HAVAL, LM hash, MDC-2, MD2, MD4, MD6, N-Hash, RadioGatún, RIPEMD, SipHash, Snefru, SWIFFT, Tiger, VSH, WHIRLPOOL, crypt(3) (DES)

The MD5 algorithm is a widely used cryptographic hash function.

Most of the time, passwords are leaked due to hacker attacks or from servers / databases.

First step – Convert your guessed password to its MD5 hash using the online website www.md5encryption.com (there are many free websites for this if you search Google for “md5 encrypt”).

Now copy your MD5 hash and paste it in the second step.

Second step – Check whether your guessed password is already in a leaked database or has already been decrypted:
http://www.hashkiller.co.uk/md5-decrypter.aspx (this is the most famous website for finding the decrypted text)

If you find your password there, never use that password, because it is already leaked.
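
The same two steps can be carried out locally, so the candidate password is never sent to a third-party website. This is an added example, not part of the original post: the dump format (one MD5 hex digest per line, optionally prefixed with `user:`) and the sample entries are constructed, and a real check would load a leaked-hash list you have downloaded.

```python
import hashlib
from getpass import getpass

# Constructed sample of a leaked-hash dump. The two valid entries are the MD5
# digests of "password" and "123456"; the other lines exercise the parser.
SAMPLE_DUMP = """\
alice:5F4DCC3B5AA765D61D8327DEB882CF99
e10adc3949ba59abbe56e057f20f883e

# comment line
not-a-hash
"""

def md5_hex(password: str) -> str:
    """First step, done locally: MD5 digest of the UTF-8 encoded password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def load_leaked(dump: str) -> set:
    """Parse a dump into a set of lowercase 32-character hex digests."""
    leaked = set()
    for line in dump.splitlines():
        # Accept "hash" or "user:hash"; ignore blanks, comments and junk.
        candidate = line.strip().rsplit(":", 1)[-1].lower()
        if len(candidate) == 32 and all(c in "0123456789abcdef" for c in candidate):
            leaked.add(candidate)
    return leaked

def is_leaked(password: str, leaked: set) -> bool:
    """Second step, done locally: is the digest present in the leaked set?"""
    return md5_hex(password) in leaked

if __name__ == "__main__":
    leaked = load_leaked(SAMPLE_DUMP)
    candidate = getpass("Candidate password: ")  # not echoed to the terminal
    if is_leaked(candidate, leaked):
        print("Already leaked, never use this password.")
    else:
        print("Not found in this list.")
```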

 

Free testing tools for Windows applications

Free testing tools for Windows applications – UI test automation

1. QTestLib framework
First, consider the QTestLib framework, which is responsible for unit testing in Qt. Unfortunately, it offers far fewer capabilities for UI tests than for writing unit tests. The only GUI-testing function in QTestLib is simulation of the mouse and keyboard.

In terms of test automation, this option is not optimal. Using it produces a mixture of unit tests (developed by programmers) and GUI tests (developed by testers). In addition, it is important not only to click on a particular window coordinate, but also to get control properties and perform the patterns implemented by the control. So we will not dwell on it, and move on to more functional tools. Those who want to learn more about the QTestLib framework can read Chapters 3 and 4 of the QTestLib textbook.

2. UI Automation
UI Automation is a technology that uses the Microsoft Active Accessibility (MSAA) mechanism to access interface controls. It appeared a long time ago, with the release of Windows Presentation Foundation. Many commercial solutions (e.g. Ranorex) use UI Automation to access controls.

Each element is represented as an AutomationElement object, which defines its basic identifiers. Some controls implement so-called patterns. For example, the ExpandCollapsePattern pattern serves to collapse and expand a menu item. The supported patterns are obtained with the GetSupportedPatterns method. To find a control with a specified property value, the PropertyCondition class is used.

When writing tests, it is convenient to look up control identifiers, their properties and available patterns in the UISpy utility. Read more here.

3. White framework
The White framework is an extension of UI Automation that makes access to controls and their properties more comfortable. You can find it here. All the features listed for UI Automation also apply to White.
To understand the advantages of using it, remake the original example with this framework.

4. PowerShell Extensions
Test automation is also available with built-in Windows tools: PowerShell, extended by the UI Automation PowerShell Extensions. The extensions can be found here. This tool makes testing more flexible and relatively independent of the runtime. For example, when testing configurations you can simply copy the scripts to the virtual machines where they will be executed. No additional software (except UIAutomation.dll) is required.

Different types of software testing

Different types of software testing – “Go back to school”

Functional testing
Functional testing is one of the main types of program verification. The purpose of functional testing is verification of the application. The functions of the system are usually described in the technical specifications in the form of requirements or user scenarios (use cases). Test scenarios (test cases) and checklists are developed from the specifications. Priorities are then defined according to the test strategy. Test scenarios are sorted by priority and execution time, and combined into a test plan.

Exploratory testing
Exploratory testing (ad hoc testing) is a subspecies of functional testing. It is used in growing projects with agile development, where there is no clear documentation or requirements. Exploratory testing is the aerobatics of software testing. High-quality testing requires highly qualified professionals and depends almost entirely on the performer: their experience, knowledge (both of the subject area and of testing methodologies), and ability to quickly get to the essence.

Load testing
Load testing is the process of analyzing the performance of the system under test under load. The purpose of stress testing is to determine the ability of the application to withstand external loads. Typically, tests are carried out in several stages.

1. Generate test scenarios

For effective analysis, the scenarios should be as close as possible to real usage scenarios. It is important to understand that exceptions are always possible, and even the most detailed test plan may not cover an individual case.

2. Develop the test bed

With the test cases in hand, it is important to distribute the load in ascending order. For the analysis, it is necessary to single out criteria for evaluating capacity (speed of response, query time, etc.).

3. Conduct the tests

When conducting the tests, it is important to promptly monitor the execution of the scenarios and the response of the system under test. Simulating high loads requires serious hardware and software infrastructure. In some cases, mathematical modeling techniques are applied to reduce the cost of the work: the data obtained at low loads is taken as a basis and approximated. The higher the simulated load, the lower the accuracy of the estimate. However, this method significantly reduces costs.

Test Automation
The main feature of automated testing is the ability to rapidly conduct regression tests. The main advantages of automation (according to a Worksoft report) are increased staff efficiency, earlier detection of defects and higher-quality business processes. These advantages are offset by a significant drawback, the high cost: because of the high price of implementing and supporting test automation, about 50% of companies still use mostly manual testing.

Usability Testing
Any application is created in order to be used. Ease of use is an important indicator of the quality of a program. The IT industry is littered with examples of projects that took off after a successful usability fix. The wider the audience, the more important usability becomes. Usability testing includes a detailed analysis of user behavior. To assess ergonomics, it is important to have data not only on how quickly business tasks are solved, but also on the participant's emotions, facial expression and tone of voice.

Configuration testing
Configuration testing gives confidence that the application will work on different platforms, and therefore for the maximum number of users. For web applications, cross-browser testing is usually chosen. For Windows applications, it is testing on different operating systems and bit depths (x86, x64). An important component of configuration testing is the test infrastructure: a pool of test machines must be constantly maintained for testing. Their number varies from 5 to several tens.

Integration Testing
If your project has more than one component, it needs integration testing. With a complex application architecture, ensuring quality requires checking the interaction between the parts of the program. Testing is achieved by developing and running “through” (end-to-end) cases. Integration testing is performed after component testing. It is therefore very important to take the experience of component testing into account, while respecting the business orientation of the test cases.

Stress testing
Any system has a limit of normal functioning. When the limit is exceeded, the system falls into a state of stress and its behavior changes significantly. Stress testing checks the application under conditions exceeding the expected normal functioning. This is especially important for “critical” programs: banking software, aviation industry software, and medicine. Stress testing is carried out not only at the software development stage, but also throughout the entire operating cycle, in order to collect and process data on system behavior over a long period of time.