All companies that create software necessarily do varying degrees of internal testing. There are numerous types, which can include unit, system or "end-to-end", regression, performance, load or "stress", accessibility and security testing. Yes, that is a LOT and it's only a sample! Having a dedicated team of specialists for this purpose is ideal, but anyone who works with the same product daily is bound to start forming specific "patterns" and eventually develop blind spots. This can be chalked up to human nature, but it does not alleviate the associated problems. Often a fresh set of eyes can lead to new perspectives and findings. When those eyes are exceedingly skilled as well, the benefits are that much greater. For these reasons, we here at PistolStar partner with Veracode to augment our own testing. Veracode provides numerous services for security testing, but the two most important for PortalGuard are its "static" analysis and Manual Penetration Testing (MPT).
Static analysis involves automated scanning of the binary files such as Dynamic Link Libraries (DLLs) and executables (EXEs). Veracode's static scanning engine supports numerous programming languages and can integrate right within a company's Software Development Lifecycle to automatically upload new versions for static scanning. This type of scanning is helpful for uncovering potential logic and programming flaws that would otherwise be difficult to detect. These range from buffer overflows and underflows to improper error or type checking and enumeration/loop-control issues. Any findings come with clear descriptions, examples and links to authoritative sources like MITRE's CWE database on how best to resolve the issue. The use of Veracode's static scanning service over the years has helped ingrain a defensive programming mindset here at PistolStar, which is crucial to writing secure code.
The other service of paramount importance is Manual Penetration Testing. This entails actual humans scrutinizing the network/protocol traffic and analyzing it for behaviors or issues that can be used, either singly or chained together, to circumvent the security of the system. Some high-level categories of these attacks are:
- Abuse of Functionality - Exploiting business logic errors or misappropriating programmatic resources. This could be misusing APIs or features like self-service.
- Spoofing - Impersonating entities or trusted resources; these could be accounts, devices or services (e.g. DNS).
- Probabilistic Techniques - Using predictive capabilities or exhaustive search techniques to derive or manipulate sensitive data. These attacks capitalize on the availability of computing resources or on the lack of randomness in certain values (e.g. session cookies).
- Exploitation of Authentication - Attempting to bypass authentication requirements to access protected resources.
- Exploitation of Privilege/Trust - Undermining the application's trust model in order to gain access to protected resources or to gain additional levels of access as defined by the application.
- Injection - Inserting unexpected inputs to manipulate control flow or alter normal business processing. The well-known SQL injection attack falls under this category.
- Data Structure Attacks - Supplying unexpected or excessive data that results in more data being written to a buffer than it can hold. Buffer overruns can result in a program executing unintended code elsewhere on the system.
- Data Leakage Attacks - Looking for potentially confidential information exposed through stack traces or error messages.
- Time and State Attacks - Undermining the state assumptions made by the application, or capitalizing on the delay between a security check and the operation it guards.
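As an added illustration of the "Probabilistic Techniques" item above (this is example code, not PistolStar's, PortalGuard's or Veracode's), the following Python self-test shows why a session token must come from a cryptographic random source: a token produced by a seeded non-cryptographic PRNG can be rebuilt from a small seed space, while a token from the OS CSPRNG cannot. The `weak_session_token`, `strong_session_token` and `audit_generator` names and the timestamp value are constructed for this example.

```python
import random
import secrets
from typing import Callable, Iterable, Optional

TOKEN_BYTES = 16


def weak_session_token(seed: int) -> str:
    """Hypothetical flawed generator: a non-cryptographic PRNG seeded from a
    low-entropy value (here a whole-second timestamp passed in by the caller).
    The output looks random, but it is a pure function of the seed."""
    rng = random.Random(seed)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_session_token(_seed: Optional[int] = None) -> str:
    """Corrected generator: the OS CSPRNG via the `secrets` module. The seed
    argument exists only so both generators share a signature; it is ignored,
    so no caller-controlled input influences the token."""
    return secrets.token_hex(TOKEN_BYTES)


def find_reproducing_seed(gen: Callable[[int], str], token: str,
                          seeds: Iterable[int]) -> Optional[int]:
    """Self-test for a token generator: try to regenerate `token` from each
    candidate seed. Any result other than None means the token space has
    collapsed to the seed space, i.e. tokens are predictable."""
    for s in seeds:
        if gen(s) == token:
            return s
    return None


def audit_generator(gen: Callable[[int], str], issue_seed: int,
                    window: int = 3600) -> bool:
    """Return True if the generator passes: a token issued at `issue_seed`
    cannot be rebuilt from any seed within a one-hour window around it."""
    token = gen(issue_seed)
    seeds = range(issue_seed - window, issue_seed + window)
    return find_reproducing_seed(gen, token, seeds) is None


if __name__ == "__main__":
    ISSUED_AT = 1_700_000_000  # constructed whole-second timestamp
    print("weak generator passes:  ", audit_generator(weak_session_token, ISSUED_AT))
    print("strong generator passes:", audit_generator(strong_session_token, ISSUED_AT))
```

The same audit can be dropped into a CI job against a product's real token generator: if it ever returns False, the "lack of randomness" weakness described above is present.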
The Open Web Application Security Project (aka "OWASP") is a great place to start for more information on web application security. The OWASP Top 10 list should be required reading for new and experienced security professionals alike.
Veracode's security engineers stay current on the latest attack methodologies and vulnerabilities. It must be understood that an application that was tested and found "secure" only holds that status for that moment in time. Even if the application itself has no changes, the environment in which it runs is always changing and shifting. The application can become vulnerable simply because a new attack surfaces that was unknown at the time of the original analysis. This is why PortalGuard utilizes Veracode on a regular basis. We are wrapping up the latest round of static and manual penetration testing this month, which resulted in PortalGuard version 18.104.22.168 obtaining Veracode's "Verified" designation.
The cost of manual penetration testing is high, but the security of a product like PortalGuard is of paramount importance to all who depend on it. Having other sets of discerning eyes help make it as secure as possible is always money well spent.