Investing on prevention vs investing on cure – Testing common vulnerabilities in the World Wide Web.

Do you remember the last time you lost something valuable, something that would cost you a sentimental value? Believe me it is better than the only breadwinner in the family losing their monthly income as the company they worked for lost more than $6 trillion each year, the reason behind it being the most critical crime of all times CYBERCRIME!!! If you don’t wish your company to be included in this figure, mind it being time up to increase investment on cyber-security testing.

Today’s world is becoming increasingly networked in connection and every business / entrepreneurship has one or more web applications, which is why the scope of potential exploits is extremely increasing and mind blogging.

Would you like to see the company you work for on news? Yes, if it’s for something like free publicity, increasing brand awareness as well as enhancing brand identity and popularity, well if it’s not and if it is for a negative context having a diminish on the brand identity causing a huge financial loss. This is why it is crucial to ensure that your applications are tested and secured.

Chances of Vulnerabilities are high and so is the cost

According to statistics on legal and compliance guides “the average consolidated total cost of a data breach is $3.8 million.”

There are various types of costs with regards to security breaches and vulnerabilities on WWW.

Reduction and loss of revenue: Occurring due to stolen corporate data or consecutive decrease on sales volume
Cost incurred on Investigation: An investigation process eats up your time, energy and most importantly money.
Cost of downtime: Time spent on fixing breaches vs time spent on Innovation

Moving on to what is a vulnerability and how it can be prevented through testing

Vulnerability
Inability to withstand the effect of a hostile environment

Vulnerability in WWW
A weakness in a web application which allows a malicious user to disturb web application’s security objective(s)

Exploit in WWW.
Taking advantage of a web application’s flaws and carrying out unauthorized activities related to the system

Attacks

Active Attacks – Attempts to modify a system’s state by altering its resources and operations.
Denial of Service (DOS)
Spoofing
Passive Attacks – Attempts to learn or gather information about a system, yet it doesn’t alter system’s resources or operations.

Advanced Persistent Threat (APT)

A malicious user/ party gains unauthorized access to a system and unauthorized activities are carried out
for an extended period of time without being detected.

Politically or Commercially motivated
Stay undetected
Longer period
Most often data theft

Warning Signs

Abnormal internet bandwidth usage
Abnormal patterns in network traffic
Detection of Trojans and other malware
Detection of aggregated data bundles

SQL Injection

Malicious user passes (injects) a SQL script or a part through a web application’s input field
Alters the developer intended behavior of the SQL query.

Importance of Security Testing in order to minimize the risk

Software security testing services helps in identifying implementation errors that were not discovered during code reviews, risk analysis, especially at the design level, can help us identify potential security problems and their impact.

It is a well-known fact that earlier the defect is detected the lesser impact it will make on the project. Therefore, giving high attention to security testing and reducing the risk the project will face is immensely important.

References

Different types of security tests

Importance of Security Testing

SQL Injections

Verushka Thilakarathne

Senior QA Engineer