Bhushan Gupta, Gupta Consulting, LLC.
Most web application security testing effort is concentrated on penetration testing, which is an art based on a hacker's psyche, thought process, and determination to exploit vulnerabilities. But does it yield a high level of confidence and a sense of security in a developer's mind? The answer is a "maybe", especially when the bad guy is obsessed with figuring out new exploits to hack your application. Web application developers have begun to think about intrinsic security, that is, building security in throughout the SDLC. We build applications based upon well-formed customer requirements. Why should we not, then, build our applications based upon the fundamental principles of security and then harden security from the hacker's perspective?
This paper discusses an approach that aligns web application security testing with the three basic principles of security, namely Confidentiality, Integrity, and Availability. The approach first establishes the requirements dictated by each element of CIA, especially Confidentiality, as it places the most stringent requirements on an application. Using the STRIDE model, the paper illustrates the most vulnerable processes in an application, thus highlighting the test-intensive areas. It then deduces acceptance criteria and illustrates the thought process for developing a test plan that spans both static code analysis and dynamic analysis (traditional testing). The paper goes on to demonstrate how to apply the DREAD model to prioritize the vulnerabilities found during testing, so that the most critical vulnerabilities are removed first.
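The STRIDE-to-DREAD pipeline the abstract describes (classify each finding by STRIDE category, relate it to the security property it violates, then rank by DREAD so the most critical items are fixed first) can be made concrete in a few lines. The following is an added example written for this page, not code from the paper or its author. It assumes the common DREAD convention of rating each of Damage, Reproducibility, Exploitability, Affected users and Discoverability on a 1-10 scale and averaging them, the conventional STRIDE-to-property mapping (the paper's own CIA mapping is not reproduced here), and High/Medium/Low band thresholds of 7 and 4, which are an assumption; the sample findings are constructed.

```python
from dataclasses import dataclass

# Conventional STRIDE -> security-property mapping. Assumption: the paper's own
# mapping of STRIDE categories onto CIA is not reproduced here; this is the
# mapping commonly used in threat-modeling literature.
STRIDE_PROPERTY = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Authorization",
}

# Assumed band thresholds on the averaged DREAD score (1-10 scale).
HIGH_THRESHOLD = 7.0
MEDIUM_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    """One vulnerability found during static or dynamic testing."""
    name: str
    stride: str           # STRIDE category the finding falls under
    damage: int           # D: how bad is the impact if exploited
    reproducibility: int  # R: how reliably can it be triggered
    exploitability: int   # E: how much effort/skill is needed
    affected_users: int   # A: how many users are affected
    discoverability: int  # D: how easy is it to find

    def ratings(self) -> tuple:
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)

    def dread_score(self) -> float:
        """Average of the five DREAD ratings (assumed averaging convention)."""
        return sum(self.ratings()) / 5


def validate(finding: Finding) -> None:
    """Reject findings with an unknown STRIDE category or out-of-range ratings."""
    if finding.stride not in STRIDE_PROPERTY:
        raise ValueError(f"unknown STRIDE category: {finding.stride!r}")
    for r in finding.ratings():
        if not 1 <= r <= 10:
            raise ValueError(f"DREAD rating {r} out of range 1..10 in {finding.name!r}")


def dread_band(score: float) -> str:
    """Map an averaged DREAD score to a coarse remediation band."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def violated_property(finding: Finding) -> str:
    """Security property (CIA or related) the finding's STRIDE category attacks."""
    return STRIDE_PROPERTY[finding.stride]


def prioritize(findings: list) -> list:
    """Order findings for remediation: highest DREAD score first, then by name."""
    for f in findings:
        validate(f)
    return sorted(findings, key=lambda f: (-f.dread_score(), f.name))


def findings_by_property(findings: list) -> dict:
    """Group finding names by the property they threaten; shows where testing
    effort concentrated and which CIA element is most exposed."""
    groups: dict = {}
    for f in findings:
        groups.setdefault(violated_property(f), []).append(f.name)
    return groups


# Constructed sample findings; ratings are illustrative, not from any real assessment.
SAMPLE_FINDINGS = [
    Finding("Session token echoed in page URL", "Information disclosure", 10, 10, 7, 10, 10),
    Finding("Order quantity trusted from client", "Tampering", 6, 5, 5, 4, 3),
    Finding("Verbose stack trace on malformed input", "Information disclosure", 3, 2, 2, 1, 2),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s = f.dread_score()
        print(f"{s:4.1f} {dread_band(s):6} {violated_property(f):15} {f.name}")
```

Running the module prints the constructed findings in remediation order; the grouping from `findings_by_property` is what a test lead would use to see that, for this sample, Confidentiality findings dominate and deserve the most test attention.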