Starting today, we have decided to interview testing experts from around the globe. To kick off this article we are interviewing testing expert Onur Yilmaz. He is one of the first Netsparker employees and wears many hats at Netsparker. He heads the Netsparker QA and security research teams, where he ensures every release is as good as it gets and researches new vulnerabilities.
Question 1) Why should web applications be tested?
Answer: Internal and external websites are an important part of the corporate structure. Unfortunately, though, we keep seeing these websites getting attacked and hacked, and personal or customer information being exfiltrated. Such cases are becoming more frequent and critical day by day.
This is happening because the majority of these web applications are vulnerable. They are vulnerable because even though there is a lot of awareness, security is still an afterthought.
Question 2) What are the most important things to keep in mind when you are testing a web application for security flaws?
There are many aspects of security testing we can talk about, but I think the most important is to understand and configure the tools you are using correctly. For example, if you are scanning a live application with a web vulnerability scanner, the automated tests will be attacking all the pages and inputs on your website. Therefore, if you simply launch a scan blindly, your web application can be damaged and even become unresponsive. Similar to knives and guns, web application security tools are very powerful, and if used incorrectly they can lead to unwanted results. Hence you should always familiarize yourself with all the tools and processes you are using, and when possible use test environments.
Question 3) Are there any particular procedures / tests that every QA department should do when testing web applications?
When we look at security as a process rather than as a result, there are things that every department should do, rather than just expecting QA to find all the problems. Security should start from the design of the application: the architect should design the application using a safe architecture, keeping security in mind. Developers should follow secure software development practices, and the web application should be tested again by QA for security flaws before it is published in a live environment. And that’s not enough. Security tests should be performed each time there is a change in the live environment.
Question 4) Based on your experience, what are the pros and cons of using remote vs. in-house security testing?
The purpose of web application security tests is to simulate the attacks that come from attackers, detect the vulnerabilities before they do, and fix them. Though not always, when a third party performs remote security testing, their lack of knowledge of the web application might prevent them from doing a proper test. On the other hand, if you use an inside team that is knowledgeable about the production platform, the web server setup and its database server, the team can do a much more thorough test. Having said that, having a mix of both in-house and remote security testing is the best possible solution.
Question 5) What is SQL injection, and, to help our readers understand, can you share how big exactly the problem is?
SQL Injection is one of the most critical web application vulnerabilities. Even though today we have the popularization of database layers such as ORM (Object Relational Mapping) and frameworks, which should help in reducing SQL Injection vulnerabilities, it can still be found everywhere!
The impacts of SQL Injection can be many, and they also depend on the privileges of the database user the web application is using. The impacts can vary from taking over the database to getting full access to the server. So it is a pretty scary vulnerability, and developers should start thinking of it while writing code. If you’re a developer I’d recommend you check out the SQL Injection Cheat Sheet, which can help you understand the different variants of the vulnerability, so you can write more secure code.
Question 6) What is Cross-Site Scripting (XSS)? What is the real danger and the potential impact of XSS issues?
Cross-site Scripting is a type of web application vulnerability that allows attackers to inject malicious client-side scripts into websites, which are then executed when other users view them.
The impact of an exploited XSS vulnerability varies a lot as well. It ranges from session hijacking to the disclosure of sensitive data, CSRF attacks and much more. By exploiting a cross-site scripting vulnerability an attacker can impersonate the victim and take over the account. If the victim has administrative rights it might even lead to code execution on the server, depending on the application and the privileges of the account. I’d recommend you read about the apache.org & Jira XSS incident for a real-life example of how an XSS vulnerability was used in a successful attack which also led to code execution.
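An added example, not from the interview, of the stored-XSS pattern the answer describes: a user-supplied comment rendered into a page that other users view, first interpolated raw and then with output encoding for the HTML text context. The comment, the page template and the tag-counting helper are constructed for the example.

```python
import html
import re

# Constructed stored comment of the kind a forum or issue tracker would save
# and later render into pages seen by every other visitor.
STORED_COMMENT = 'Nice post! <script>document.title="x"</script> <b onmouseover="f()">hi</b>'

# Constructed page template; the comment lands inside a <p> element.
PAGE = '<html><body><h2>Comments</h2><p class="comment">{comment}</p></body></html>'

def render_vulnerable(comment):
    # Stored text goes straight into the HTML, so the browser parses the
    # injected elements as markup and runs any script they carry.
    return PAGE.format(comment=comment)

def render_safe(comment):
    # Output encoding for the HTML text context: <, >, &, " and ' become
    # entities, so the browser displays the comment instead of parsing it.
    return PAGE.format(comment=html.escape(comment, quote=True))

_TAG = re.compile(r"<\s*/?\s*[a-zA-Z]")

def injected_markup(page_html, template=PAGE):
    # Test aid: count element tags beyond those the template itself contains.
    # Any surplus means user content was rendered as markup rather than text.
    baseline = len(_TAG.findall(template))
    return len(_TAG.findall(page_html)) - baseline

if __name__ == "__main__":
    print("raw   :", injected_markup(render_vulnerable(STORED_COMMENT)), "injected tags")
    print("escaped:", injected_markup(render_safe(STORED_COMMENT)), "injected tags")
```

Escaping must match the context the value is written into; the text-context encoding shown here is not sufficient on its own for values placed inside JavaScript, URLs or CSS.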
Question 7) What are the most significant challenges related to effective Web application scanning?
The biggest challenges are the tools themselves. Security in general is a difficult subject, and the tools tend to be quite complex, so developers shy away from them. Security should not be so. At Netsparker we have been focusing on making our web application security scanner easy to use, and on automating as much as possible. So by having an easy-to-use tool and by automating as much as we can, for example by automatically verifying the identified web vulnerabilities, users can have more effective web application security scanning programmes.
Question 8) Based on your experience, what are the most significant issues surrounding current testing methodologies in the security industry?
As a continuation of my previous answer, if we want developers to write more secure code we need to give them the right tools. By right tools I mean easy-to-use tools. It defeats the purpose of automation to have complex software. Why does a developer or tester need to spend hours trying to figure out how the software works? Why does the user have to manually verify the results of the scanner to check for false positives?
There is already a lot of awareness of web application security, and there will never be enough. But unless we start developing easy-to-use solutions, solutions that can be used by everyone and not just by the specialists, thus making them unaffordable, we will continue seeing vulnerable web applications.
Thanks, Onur Yilmaz, for taking the time to answer my questions. It was really interesting to hear from you. I hope all of you enjoyed the interview as much as I did.