Wednesday, June 6, 2018

Security Testing | Security 4 No0bs - Whats the RISK?

Risk Assessment:

Web Application Security Testing (pt.3)


Hey all,

In my previous post - Requirements - The Gathering - I briefly discussed requirements best-practices and what it takes to get to analyzing a story and drafting best possible test scenarios. From these scenarios, we get a list of potential requirements for the feature - in this case, login. With that, let's discuss risk assessment.

Below is the list of requirements derived from the previous post
  • Login form fields are required
  • Login form allows for only alpha-numeric data; where expected special characters are permitted
  • Login username is to allow a finite number of text (or check for e-mail input)
  • Login password field allows a finite number of characters, of a particular format
  • Login form field password text field is to be masked
  • Login error messages must be in the right font-style and color
  • Login error messages must not communicate what the expected input should be
  • Login authentication must redirect user the proper destination - cannot be hijacked
  • Login session is managed server-side
  • Login url must not past authentication parameters
  • Login authentication cannot be manipulated in any way, giving non-auth'd users admin privileges

Now, let's look into: Threat Modeling

source: https://www.owasp.org/index.php/Threat_Risk_Modeling Threat modeling consists of 5 basic steps:

1. Identify Security Objectives

2. Survey the Application

3. Decompose it

4. Identify Threats

5. Identify Vulnerabilities

No comments:

Post a Comment