How to Perform Threat Modeling & Security Analysis in 5 Steps
Cybersecurity attacks are becoming more prominent for businesses around the world. With evolving attacks, about 68% of business leaders feel their cybersecurity risks are growing.
The need for security testing can no longer be overlooked.
While some companies rely on a handful of automated security testing tools and processes to maintain security compliance, others leverage both automated testing as well as manual security testing to ensure their software is thoroughly tested and secure.
There are many ways to do security testing manually to test the security posture of your application. Before we dive into them, let’s take a closer look at why you should do security testing manually.
Why Should You Do Security Testing Manually?
Even with rapid improvements in automation technology, there are still many elements that need human attention to verify or to accurately determine potential web security vulnerabilities in an application.
Some potential vulnerabilities such as business logic issues or cryptographic issues, require a human to verify the vulnerability.
That’s why you need to do security testing manually.
Manual security testers often use a combination of handpicked security testing software and tools that are best suited to evaluate their application. These may include customized scripts and automated scanning tools.
Advanced techniques to do security testing manually involve precise test cases such as checking user controls, evaluating the encryption capabilities, and thorough analysis to discover the nested vulnerabilities within an application.
Doing security testing manually doesn’t imply that you can not use automation. Rather, security experts can leverage automation technology to find patterns or other clues that might uncover important information about the application’s vulnerabilities.
The primary goal of manual security testing is to discover weaknesses and potential vulnerabilities in an application that might not be understood or revealed completely by automated security testing alone.
Regardless of the number of automated testing software and tools one might use, it is critical to manually analyze software behavior to ensure its integrity, confidentiality, and availability principles are not being violated.
Techniques to Help You Do Security Testing Manually
You can do security testing manually when any weakness in the application security needs a real, human judgment call. There is an array of manual security testing techniques that can help you assess your applications and systems to ensure they are secure.
Here are some of the most effective and efficient ways on how to do security testing manually:
1. Monitor Access Control Management
Be it a web application or a computer, access control is a critical aspect that helps protect your application security or system from being exploited by attackers or insider threats.
Access control management can be categorized into two parts:
- Authentication – Who are you?
- Authorization – What can you do and what information do you have access to?
For instance, an employee should only have access to information that is required to perform his/her job.
By implementing access control, you can ensure that only authorized users can access data or a system.
In order to manually test this, the tester should create several user accounts with different roles.
Then the tester should attempt to access applications or systems by using these accounts and verify that every user account has access only to its own forms, screens, accounts, menus, and modules. The tester can then test requests made by one user/role in the session of a different user/role.
If the tester is able to login to an application with a disabled account, he/she can document the application security issue.
A user with restricted or lower access privileges should not be able to gain access to sensitive information or high privilege data.
You should also manually test for password quality rules, default logins, password recovery, password changes, web security question/answer, logout functionality, etc.
Similarly, authorization tests should also include a test for horizontal access control problems, missing authorization, path reversal, etc.
2. Dynamic Analysis (Penetration Testing)
Penetration testing, or a pen test, is a software testing technique that uses controlled cyber-attacks to target a running system to determine vulnerabilities that could be exploited by attackers.
Manual penetration testing of a running system consists of the following steps:
- Data Collection – The first step of conducting manual penetration testing is collecting data such as table names, databases, information about third-party plugins, software configurations, etc. It can either be done manually or by using testing tools (such as webpage source code analysis) that are freely available online.
- Vulnerability Assessment – Once the data is collected, the software penetration testing team evaluates it to determine security risks or vulnerabilities that could put the system at risk of a security attack.
- Launch Simulated Attacks – The penetration testing team launches controlled attacks on the target system to explore more vulnerabilities and understand how they can prevent attacks.
- Report Preparation – After the system has been targeted and assessed completely for potential vulnerabilities, the software testing team creates a report that outlines the discoveries of the test, and the measures required to protect the system.
This is the process you need to follow when you want to do penetration testing manually to enhance the security of a system.
3. Static Analysis (Static Code Analysis)
Another popular method of manual security testing is static code analysis. It is usually performed as a part of white-box testing, also known as a Code Review, and carried out to highlight potential vulnerabilities within the “static” (non-running) source code.
Static code analysis uses techniques such as data flow analysis and taint analysis to determine vulnerabilities associated with a system.
It is conducted by manual testers who understand the operating environment the application is running in and the users that use the application. These testers know the overall purpose of the application as well as the purpose of individual functions.
They apply this knowledge to static analysis tools that examine the source code, documentation, and even the executables, to find vulnerabilities without actually running the code.
Static analysis tools vary greatly in purpose and scope, ranging from code styling enforcement to compiler-level checks for logical errors and much more.
Put simply, static code analysis helps you maintain secure code without having to actually run the code.
4. Check Server Access Controls
Web applications have multiple user access points that provide enough access to fulfill users’ requests, but they must maintain security to avoid data breaches or attacks.
How can testers check server access controls?
Testers should ensure that all intra-network and inter-network access points to the application are by expected machines (IPs), applications, and users and that all access is strictly controlled.
To verify if an open access point is sufficiently restricted, the tester should try to access these points from various machines having both untrusted and trusted IP addresses.
Additionally, a variety of real-time transactions should be performed in bulk to check the application’s performance under load conditions.
While doing security testing manually, the tester should also check if the open access points in the application allow specific actions by the users in a secure way.
For instance, the tester may upload a file exceeding the maximum permitted file size, try to upload a restricted file type, or download data from a restricted site to check if the application is allowing such actions.
The goal of checking server access controls is to ensure that while users are able to use the application, the application is secure from potential attacks.
Security Authentication vs. Authorization: What You Need to Know
5. Ingress/Egress/Entry Points
Testers often check ingress and egress network points to ensure that no unauthorized networks can send traffic or information to the host network and vice-versa.
What are ingress and egress points?
Ingress traffic consists of all the network traffic and data communications originating from external networks that are directed towards a node in the host network. On the other hand, egress traffic consists of all traffic originating from within the network and targeted towards an external network.
These entry points in a network can be easily checked via manual security testing methods such as trying to send data from a restricted network to the host network and check if it is allowing the traffic and accepting data.
A tester may even send sensitive data or confidential information from the host network to an authorized external network to check if the egress points are secured.
Ingress and egress filtering allows networks to interact with one another while maintaining security standards and restricting the sharing of sensitive data to unauthorized networks.
6. Session Management
When you do security testing manually, you should perform session management tests to check if the application is handling sessions properly.
To ensure that your application has proper session management, check the session expiration after a particular idle time, session termination after login and log out, session termination after maximum lifetime, check for session duration and session cookie scope, etc.
7. Password Management
One of the most productive security testing techniques that you can use while doing testing manually is password management. This refers to the various methods used to discover passwords and access user accounts or systems.
How can you test password management?
If the web application or system does not enforce stringent password policies, (for example, with numerics, special characters, or passphrases), it may be quite easy to brute force passwords and access the account.
Additionally, passwords that are not stored in an encrypted format are more vulnerable to being stolen and used directly. Attackers may use different methods to steal the information stored in the database such as SQL Injection.
Even if passwords are stored in a hashed format, once they are retrieved, they can be cracked using password cracking tools such as Brutus, RainbowCrack, or by manually guessing username/password combinations.
8. Brute-Force Attacks
Another way on how to do security testing manually is by using brute-force attacks.
Brute-force attacks rely on guessing different combinations of a targeted password until the correct password is discovered.
Attackers use brute-force attacks to gain access to sensitive information such as personal identification numbers, passphrases, passwords, or usernames to carry out identity theft, redirect domains to sites with malicious content, or other malicious activities.
This method is also widely used by application security testers to test application security, and more specifically, evaluate the strength of the application’s encryption.
For instance, a tester should attempt to login to accounts with invalid passwords, and ideally, the system should block the user after a limited number of failed multiple login attempts.
Moreover, if the login attempts are made from an unknown device or suspicious network, the application should ask for multiple-factor authentication which might consist of one-time passwords sent to the verified email address or contact number of the user, or a security question set by the user.
9. SQL Injection (SQLi)
SQL Injection is a code injection technique used to inject malicious SQL statements into an application to modify or extract data stored in databases.
It is one of the most dangerous, frequent, and oldest web application vulnerabilities. It can affect any web application that uses SQL databases such as Oracle, SQL Server, MySQL, or others.
How can you prevent SQL Injection attacks?
Manual testers check the SQL injection entry points to identify if it can be exploited by a SQL injection attack. They identify and test the database code in which direct MySQL queries are performed on the database by accepting certain user inputs.
For instance, the application should be able to accept a single quote (‘) in an input field. But if the application throws a database error to the tester, it means that the user input has been inserted in some query to the database and it has been executed.
The SQL query error message shown on the browser may lead the attacker to crash the entire application or help them to extract data like usernames, passwords, credit card numbers, etc.
10. Cross-Site Scripting (XSS)
In addition to SQL Injection attacks, testers also check the web application for Cross-Site Scripting (i.e XSS) in manual security testing. It is a client-side injection attack where the attacker aims to execute malicious scripts in the victim’s browser.
These malicious scripts can perform a variety of functions such as send the victim’s login credentials or session token to the attacker, log their keystrokes, or perform arbitrary actions on behalf of the victim.
During manual testing, testers must ensure that the input fields do not trust unvalidated user input, and must properly encode the output of these fields if they are included in a server response.
Moreover, the primary way to protect your application from XSS injection attack is by applying proper input and output encoding.
11. URL Manipulation
URL manipulation is another technique through which attackers exploit applications. It is the process of modifying the parameters of a Uniform Resource Locator (URL) for malicious purposes by an attacker.
How can you protect your application from URL manipulation?
Manual testers should verify whether or not the application allows sensitive information in the query string. These types of attacks occur when the application uses the HTTP GET method to transfer information between the server and the client.
When a URL-based input is given to an application, it passes this information through the parameters in the query string. The tester may change a parameter value in the query string to verify whether the server accepts that value.
User information is passed through HTTP GET requests to the server to fetch data or make requests. If the tester is able to manipulate input variables passed through this GET request to the server, they can get access to unauthorized information.
12. Specify High-Risk Functions
Businesses deal with a lot of data on an everyday basis. There are thousands of business functionalities that require file upload/download, giving user access privilege to employees, sharing data with third-party contractors, and many other activities that may have potential vulnerabilities.
You need to identify high-risk functions to ensure that better security measures are implemented for particular activities such as restricting unwanted or malicious file uploads/downloads.
If your application deals with any sensitive data, you should manually check the application for injection vulnerabilities, password guessing, buffer overflows, insecure cryptographic storage, etc.
Use These Ways to Do Security Testing Manually
While automated security testing has ample benefits, it is not enough to ensure that an application is completely secure.
Businesses must conduct manual security tests to ensure that there are no potential weaknesses or vulnerabilities in an application that could be exploited by an attacker.
By conducting proper security tests manually, companies can detect business flaws and injection vulnerabilities that might not be clearly evident from automated security tests.
Ready to get started? You can use the effective manual security testing techniques above while doing security testing manually.
How to Improve Your DevOps Test Automation Strategy