Testing cyberspace threats

This post was originally posted by me on blog.sogeti.com

At the time of writing, a two-day international conference is underway in London, UK, focused on the threat from cyber-security attacks. It’s true that cyber-security attacks are a threat to the whole online community. We’ve seen a lot of hacks from groups like Anonymous Hackers. These hacks can be used for malevolent purposes, but maybe also for good – like in this video:

The Anonymous Hacker Group threatens Mexico’s Zetas Drug Cartel with releasing information on its members. I don’t agree with the things Anonymous does, but I certainly don’t agree with drug cartels either. But let’s think about this. The drug cartel is holding an Anonymous member hostage and, as a response, Anonymous threatens to release personal data on the Zetas Drug Cartel. The result would be that the identity of the cartel members is made public, so everybody will know who they are. It seems it’ll solve a problem that intelligence agencies cannot solve.

But there is perhaps one question. Who checks the data? Anonymous? What if the data is incorrect? Innocent people will be associated with the drug cartel. And what if an Anonymous member has a grudge against someone like you or me?

But hacker groups like these are not the main threat for most companies. Hacker groups can help companies by showing them the flaws in their systems – and when these companies don’t listen, the hackers try and break in to prove the point. The bigger problem is the subgroups surrounding these hacker groups. Intelligence is often shared with these groups, which have a different (and less well-meaning) motivation. They try to break into systems, whether on your mobile, your tablet, your laptop, your server or even your data centre. Their objective is to make life miserable for you, simply because they want to have fun.

In my personal opinion, it’s almost impossible to defend against a group like Anonymous Hackers; if they want to break in, they can and they will. The same goes for your house or office: if a real burglar wants to break in, he or she will. But there are also ‘wannabe’ burglars and ‘wannabe’ hackers. They know only a little, but they use this knowledge to their own advantage. You can keep these ‘wannabes’ out – out of your home or office and out of your systems. But how?

Well, there are many ways to keep them out, but before you can keep them out, you need to know what to protect. Just a lock on the door isn’t enough. That’s why you need to know how secure your application is, or how secure it should be. Security should be an essential part of the quality of a business process and should therefore be part of every application developed. So you need insight into the security of applications, and this can be obtained by testing the security.

In the development and maintenance of applications, security should be an essential part of requirements, design and development. And to demonstrate that applications are safe, security should be tested. Why?

  • Users expect good quality and want confidence that the application is safe. Without insight into the security risks, it isn’t possible to give users that assurance.
  • Legislation and rules such as privacy acts, PCI DSS, SAS 70 or SOX require that security is in order. The proof for this can be obtained by executing tests.
  • Sometimes it’s necessary to demonstrate that the application is sufficiently protected against various forms of damage. No one wants negative publicity or to be confronted with all kinds of claims. Testing shows the status of security.

Note: Testing provides insight into the quality, but doesn’t by itself improve the application. Once weaknesses are found and identified, the improvements still have to be made.

Testing for security risks encompasses many types of tests or reviews, including these options:

  • A ‘spotlight security scan’ provides a limited indication of the security of an application. This is a one- or two-day scan of the most critical part of the application, which provides good advice on further steps in application security, particularly on following up any issues uncovered.
  • ‘Functional security testing’ has a strong focus on what the application should not do, and looks at how it might be misused.
  • A ‘code review’ is a static security test that looks at the source code. It can be highly effective because it’s done early in the development process, when the application has not yet been completed (the same applies to static analysis). The code review scans the code for security weaknesses and, when done early in the process, creates awareness among the whole project team and stakeholders, which can lead to early improvements and major savings for the remainder of the project.
  • A full ‘security assessment’ or penetration test is a thorough investigation that provides insight into the safety of the application, but also of the network activity and the infrastructure.
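As an added illustration of what ‘functional security testing’ means in practice (this is example code written for this page, not code from the original post): a small record service with access rules, and a set of tests that each encode something the application must not do, plus one positive control so the refusals are not vacuous. The `Records` service, its users, roles and the sample record are all constructed for the example.

```python
# Functional security testing: checking what the application must NOT do.
# Added example for this post; the Records service, its users and the access
# rules below are constructed for illustration, not real application code.
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "employee" or "admin"


@dataclass
class Records:
    """Tiny record store whose read/delete operations enforce access rules."""
    _store: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # id -> (owner, text)

    def add(self, owner: User, record_id: str, text: str) -> None:
        self._store[record_id] = (owner.name, text)

    def read(self, actor: User, record_id: str) -> str:
        owner, text = self._store[record_id]
        if actor.role == "admin" or actor.name == owner:
            return text
        raise PermissionError(f"{actor.name} may not read {record_id}")

    def delete(self, actor: User, record_id: str) -> None:
        if actor.role != "admin":
            raise PermissionError(f"{actor.name} may not delete records")
        del self._store[record_id]

    def handle_request(self, actor: User, params: Dict[str, str]) -> str:
        """Request entry point: the caller's role comes from the authenticated
        actor object, never from the request parameters."""
        if params.get("action") == "read":
            return self.read(actor, params["id"])
        raise ValueError("unsupported action")


def refused(fn: Callable, *args) -> bool:
    """True when the operation is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def run_functional_security_tests() -> Dict[str, bool]:
    """Each case names a misuse the application must refuse; True means it did.
    The last case is a positive control: the legitimate owner can still read."""
    alice = User("alice", "employee")
    bob = User("bob", "employee")
    svc = Records()
    svc.add(alice, "r1", "alice's salary data")  # constructed sample record

    return {
        # Horizontal misuse: another employee must not read Alice's record.
        "peer cannot read other's record": refused(svc.read, bob, "r1"),
        # Vertical misuse: an employee must not perform an admin-only operation.
        "employee cannot delete": refused(svc.delete, bob, "r1"),
        # Parameter tampering: a 'role=admin' field in the request must be ignored.
        "request role parameter ignored": refused(
            svc.handle_request, bob, {"action": "read", "id": "r1", "role": "admin"}),
        # Positive control: the owner's legitimate read still works.
        "owner can read": svc.read(alice, "r1") == "alice's salary data",
    }


if __name__ == "__main__":
    for case, ok in run_functional_security_tests().items():
        print(f"{'PASS' if ok else 'FAIL'}  {case}")
```

The point of the shape is that every test case is phrased as a misuse, so a regression in the access rules shows up as a FAIL rather than silently passing a test suite that only exercised the happy path.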

By gaining more insight into application weaknesses it’s possible to keep the ‘wannabe’ out and create a safer application.

Security: Bubble or a bust?

This post was originally posted by me on blog.sogeti.com

The last few months I’ve been giving a lot of talks around Clouds and Testing. I’ve even published an ebook about it in June – TMap NEXT® Testing Clouds. But the one question that comes up time and time again is “What about security?” And I almost always answer like this: “That’s a very good question! Security of the cloud can be an issue because you are sharing resources from the cloud provider. But can I ask you why this is of such importance to you? How good is the security of your current application landscape?”

Most of the time there is no answer! Why? Because they really don’t know. Security is something that’s not ‘sexy’, and yet it should be of far greater importance – as all the security hacks of the last months have shown us. Hackers have broken into a lot of websites, and the best-known group is Anonymous. The hacks that have been executed have been bold, the most famous being the ‘Sony PlayStation Hack’ in April this year.

Security should be an essential part of application development – from requirements and design through to realization. It’s possible to implement application security at every stage of the application lifecycle. A proactive approach to application security is to introduce it as early as possible in the software development lifecycle. A holistic approach ensures that an organization is compliant with the prescribed regulations, has control over application security, and has covered the necessary risks (as cheaply as possible).

What is more, to demonstrate that the applications are safe, they should be tested! Reasons for these tests are:

  • Users of applications expect good quality and confidence that the application is safe. Currently this aspect of testing is not normally integrated into standard testing, and therefore there’s a lack of insight into it;
  • National and cross-border legislation such as the ‘Personal Data Protection Act’, PCI DSS, SAS 70 or SOX means that there’s a requirement to have application security in order. Proving this, and control over it, can be done by carrying out tests and assessments;
  • It’s necessary to demonstrate that the application is sufficiently safe to counter various types of damage. No one wants negative publicity or to be confronted with all sorts of claims. Testing shows the status of the security.

NB: One further aspect of security. A lot of organizations call themselves ‘SAS 70 certified’. That cannot be true! SAS 70 is an audit using quite a few evaluation criteria. SAS 70 is not a pre-determined set of standards that a service organization must meet to ‘pass’! When you look at the SAS no. 70 FAQ website, there is an answer to the question of ‘success’ or ‘no success’ criteria: when the service auditor concludes that the above items have been accomplished, the service auditor renders what is referred to as an “unqualified opinion.” While a SAS 70 audit is technically not a ‘pass’ or ‘fail’ audit, the receipt of an “unqualified opinion” from the service auditor is often referred to as ‘passing’ the audit.

So the service auditor’s report contains the audit opinion, the organization’s description of controls, and a description of the auditor’s tests of operating effectiveness. It doesn’t confer (nor is there any such thing as) SAS 70 certification!

ERP Clouds

Cloud is the new hype in IT and I think it has the best potential to be the next evolution in IT: creating IT as a commodity and moving IT closer to the needs of the business. How do you think ERP can be moved into the cloud? Is it possible?

I’ve been seeing a lot of applications becoming either cloud-based or moving to a cloud infrastructure. But I haven’t seen a lot about ERP software in the cloud. How is this evolving? For me (though I’m no ERP expert), the cloud and ERP are natural matches. Why?

Well, because ERP software is considered to be standard software. It can be tweaked with parameters to comply with the wishes of the client using the software, but basically it’s standard software. Most ERP solutions also thrive on good infrastructure; they’re bulky and require a lot of resources.

These two characteristics of ERP make it ideal to move to a cloud environment. Clouds thrive on standardisation, which helps in moving software into the cloud. As ERP solutions also require a lot of infrastructure resources, this makes them doubly suited to the cloud.

Another good reason is the type of data in ERP software. It’s often very important to an organisation, and personal data needs to be highly secure. Once in the cloud, this gives more opportunity to make use of it.

Of course we need to test this more thoroughly. We need to test that it works like this. So checking on security is a great benefit to the client.

But how do you think of testing, ERP and clouds? What’s your experience? Please let us know…