
Top 8 Areas to Address When Testing App Security

Posted on December 2, 2015 by Vladimir Ghilien


The World Wide Web has created endless opportunities for users by allowing organizations to run their business and share their data globally. This data is often critical and must not be compromised, so the Web has also raised new security concerns. Today the Internet exposes valuable data, mission-critical business apps, and private consumer data to greater risk than ever before. Management, QA, and developers all play a crucial role in making apps, networks, and everything related to them more secure.


Whether for a mobile app or a web app, security testing is necessary to produce secure, low-risk software. Many tools on the market, Onegini among them, help build secure apps and other software products. But security is as much about skill set and mindset as it is about tools. Teams that rely on tools alone will only ever run tools, while attackers who target applications have specific ideas that let them get around those tools. Prior experience combined with a mindset for spotting future security holes is therefore what produces applications that hold up in terms of security.

Below are several essential areas that must be addressed in order to build a secure application.


Authentication

This is the very first entry point to the app. Check that once a password has been changed, the user can no longer log in with the old one. If a user enters an incorrect password several times, their account should be locked. Make sure the password rules are enforced on all authentication pages, including registration, 'change password' and 'forgot password'. Also remember to test the app against brute force attacks.
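The three checks above (old password rejected after a change, lockout after repeated failures, one password rule shared by registration, change and reset) can be exercised against a small account store like the one below. This is an added example, not Onegini's code; the class name, the lockout threshold of 5 attempts, the 15-minute lockout and the 12-character minimum are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for the example; a real app takes these from config.
MAX_FAILURES = 5          # failed logins before the account locks
LOCKOUT_SECONDS = 900     # how long the lock lasts (15 minutes)
MIN_PASSWORD_LENGTH = 12  # minimum length enforced on every password-setting path


def check_policy(password):
    """The single password rule used by register, change and reset alike."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and any(c.isdigit() for c in password)
        and any(c.isalpha() for c in password)
    )


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class AccountStore:
    """In-memory account store (constructed for the demo)."""

    def __init__(self):
        self.accounts = {}  # username -> {salt, digest, failures, locked_until}

    def register(self, username, password):
        if not check_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "digest": digest,
                                   "failures": 0, "locked_until": 0.0}

    def login(self, username, password, now=None):
        """Returns True on success. `now` is injectable so tests can move the clock."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            return False
        if now < acct["locked_until"]:
            return False  # locked: reject even a correct password
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return False

    def change_password(self, username, old, new, now=None):
        """Requires the current password, applies the same policy, and
        replaces the stored hash so the old password stops working."""
        if not self.login(username, old, now):
            return False
        if not check_policy(new) or old == new:
            return False
        acct = self.accounts[username]
        acct["salt"], acct["digest"] = hash_password(new)
        return True
```

The `now` parameter exists only so a test can fast-forward past the lockout window; in production `login` uses the real clock. The lock applies regardless of whether the supplied password is correct, which is what stops a brute force run from being confirmed by a later successful guess.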

Encryption

Sensitive data such as account numbers, credit card numbers and passwords should only ever appear in encrypted form. Encryption should also cover stored cookie data. Any transmission of data over the network must obviously be secured, and, yes, the HTTPS configuration itself has to be secured as well.

Session Management

Make certain that once the user logs out or the session expires, they can no longer navigate the website. Be sure to encrypt any session values that appear in the address bar. Users must not be able to open secured pages directly without being logged in.

Handling of Errors

If any functionality fails, the system must not show database, server, or application exceptions or error details. Such errors often contain information not intended for the user, let alone an attacker. Instead, the app should show a custom error page. Proper error handling is therefore critical; getting it wrong leads to denial of service attacks and exposure of sensitive system-level data.

SQL Injections

SQL injection is one of the ways attackers obtain important data from databases. They execute malicious SQL statements against the database to extract, change, or delete records. Attackers can also bypass authentication by injecting SQL statements into the password field during login. SQL injection may also be carried out by manipulating a URL that carries SQL query input. SQL injections are commonly aimed at producing database errors that reveal sensitive details, which is where error handling comes into the picture.

Mobile apps must have only the minimum privileges needed to access the database. They should never build SQL statements directly from user input; the input has to be validated first.
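The login query the SQL Injection section warns about, and the generic-error rule from the Handling of Errors section, side by side in one added example (not Onegini's code). The `users` table, its single row and the placeholder hash value are constructed for the demo; the vulnerable function assembles SQL text from input, the safe one binds parameters and maps any database error to a fixed message while logging the detail server-side.

```python
import logging
import sqlite3

log = logging.getLogger("login-demo")


def make_db():
    """In-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    # Constructed sample; a real app stores a salted hash of the password.
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw_hash):
    """Builds the statement from user input: the input can change the query's
    structure, not just its data, which is the bypass the article describes."""
    query = ("SELECT name FROM users WHERE name = '%s' AND pw_hash = '%s'"
             % (name, pw_hash))
    return conn.execute(query).fetchone() is not None


def run_query(conn, sql, params=()):
    """Executes a parameterised query. Returns (rows, None) on success or
    (None, generic_message) on a database error; the driver's own error text
    (table names, syntax details) is logged, never returned to the caller."""
    try:
        return conn.execute(sql, params).fetchall(), None
    except sqlite3.Error as exc:
        log.error("query failed: %s", exc)
        return None, "An internal error occurred."


def login_safe(conn, name, pw_hash):
    """Bound parameters are sent separately from the SQL text, so they are
    never parsed as SQL. Returns (success, message_for_user)."""
    rows, err = run_query(
        conn,
        "SELECT name FROM users WHERE name = ? AND pw_hash = ?",
        (name, pw_hash),
    )
    if err is not None:
        return False, "Login is temporarily unavailable."
    if not rows:
        return False, "Invalid username or password."
    return True, "Welcome"
```

Note that `login_safe` also avoids telling the user which of the two values was wrong: the same message covers an unknown name and a bad password, which is the same principle as the custom error page, applied to a normal failure path.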

Cross Site Scripting

Cross-site scripting, or XSS, lets attackers inject client-side scripts into web pages. If user input isn't properly validated, those scripts execute in the victim's browser, putting security at risk. Such scripts can read other users' cookies, including the administrator's, and the attacker can use those cookies to impersonate those users.

For example, if you enter <script type='text/javascript'>alert('xss');</script> into the search box, the app should search for that text and not execute the alert. The alert could just as easily be replaced by a URL that downloads malicious scripts onto users' devices, so the importance of proper validation of user input can't be overstated.
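What makes the search box test above pass or fail is whether the query is encoded for the context it is written into. The added example below (not Onegini's code) renders a constructed results snippet two ways, raw and HTML-encoded, and shows the separate URL-encoding needed when the same value lands inside a link. The template strings and the `contains_script_tag` check are illustration-only assumptions.

```python
import html
from urllib.parse import quote


def render_unsafe(query):
    """Splices the raw query into the page: <script> in the input becomes
    executable markup in the output."""
    return "<p>Results for: %s</p>" % query


def render_safe(query):
    """html.escape turns < > & " ' into entities, so the browser displays the
    query as text no matter what it contains."""
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)


def render_link_safe(query):
    """A URL query string is a different context: URL-encode the value there,
    then HTML-escape the whole attribute value on top of that."""
    href = "/search?q=" + quote(query, safe="")
    return '<a href="%s">search again</a>' % html.escape(href, quote=True)


def contains_script_tag(markup):
    """Crude check for the demo; real tests use an HTML parser or a browser."""
    return "<script" in markup.lower()
```

The point of `render_link_safe` is that one encoding does not cover every context: HTML-escaping alone would leave `&` and spaces unencoded inside the URL, and URL-encoding alone would not protect the surrounding attribute.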

Coding Troubles

Make sure the "View Source Code" feature is disabled so the user can't see it. Verify user roles and their rights: for instance, an issuer should not be able to access the admin page.

Buffer Overflow

In programming and computer security, a buffer overflow is an anomaly in which a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. It is a special case of a memory safety violation.

Attackers can trigger a buffer overflow by supplying input designed to execute particular code or alter the program's behaviour. The result can be erratic program behaviour: incorrect results, a breach of system security, a crash, or memory access errors. Buffer overflows are therefore the basis of many software security holes and can be exploited maliciously.

Source code should be reviewed and analysed before compilation; various tools exist for this. Code can also be tested after compilation, and there are many tools that look for security holes in the low-level assembly code. Fuzzing techniques are useful too: they test software by feeding it large amounts of random data and watching for any resulting errors.
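The fuzzing idea from the paragraph above, as an added example rather than anything from the original post: a seeded random-input loop that feeds bytes to a parser and records every input that fails in a way the parser does not document. Python cannot reproduce memory corruption, so the target is a constructed toy record parser whose missing length check causes an over-read (an IndexError here, where C would read past the buffer); the fixed version beside it shows what the fuzzer should no longer find. The record format, the function names and the iteration count are assumptions.

```python
import random


def parse_record(data):
    """Constructed format: 1-byte length, then that many payload bytes.
    Deliberate bug: the length byte is trusted, so a truncated record is
    accepted and the per-byte read below runs past the end of the data."""
    if len(data) < 1:
        raise ValueError("empty record")         # documented failure
    length = data[0]
    payload = data[1:1 + length]
    return bytes(payload[i] for i in range(length))  # IndexError when truncated


def parse_record_fixed(data):
    """Same format with the bounds check the buggy version lacks."""
    if len(data) < 1:
        raise ValueError("empty record")
    length = data[0]
    payload = data[1:1 + length]
    if len(payload) != length:
        raise ValueError("truncated record")      # reject, never over-read
    return payload


def fuzz(target, iterations=2000, seed=1):
    """Feeds `iterations` random byte strings (0 to 7 bytes) to `target` and
    returns [(input, exception_name)] for every failure that is not the
    parser's documented ValueError. Seeded so runs are reproducible."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 8)))
        try:
            target(data)
        except ValueError:
            pass                                  # expected, documented
        except Exception as exc:                  # anything else is a finding
            findings.append((data, type(exc).__name__))
    return findings


def shortest_finding(findings):
    """Returns the shortest crashing input, the one worth handing to a developer."""
    return min((data for data, _ in findings), key=len, default=None)
```

Reproducibility is the design choice worth noting: a fixed seed means a crash found today can be re-run tomorrow against the fix, and reporting the shortest failing input keeps the triage case small.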


Over the past few years things have changed: attackers no longer target organizations for ego or pride, but for profit. SSL, firewalls and the like don't mean a thing if the app itself lacks security. So don't trust everything your browser offers you. These days you have to work closely with mobile developers to create a secure application.

Onegini is one of the leading app development platforms, providing all the security features necessary for safe operation and use in today's hostile mobile environment, so make sure to visit Onegini.com and check our latest offers.
