All Archives - Bistec Global Services - Services enabled, digitally!

Blog Category: All

How to Tackle Security Testing Challenges

June 26, 2023

Overview

Cybersecurity ventures stated that cybercrime is expected to grow by 15% every year. They predicted that those crimes might cost $10.5 trillion annually on a global scale by the year 2025. Security testing plays a vital role in preventing most of these crimes. 

 In this article, let’s look at five security testing challenges and how to tackle them. 

Challenge 1: Focusing on security requirements in the requirements phase

Generally, security requirements are not given equal importance as functional requirements. Sometimes security requirements are considered post-developing certain modules and, in some cases, it is before pre-release. Not defining the security requirements prior makes security testing difficult. 

Solution: 

  • Ask, clarify, and document security-related requirement questions for each story/feature in the requirement-defining phase of SDLC. 
  • Document security requirements before the design phase 
  • Identify, analyze, and prioritize security risk and mitigation plans. 
  • Motivate team members to have an agile mindset toward security testing.  

Challenge 2: Writing test cases for security testing and updating them regularly

Functional test cases are typically given a high level of importance. Even though we write positive and negative cases, it doesn’t have quality test data to cover security use and misuse cases. Sometimes test cases are written before security testing starts. In some cases, security testing is done ad hoc without writing any test cases.  

Delaying the test case writing reduces the efficiency and effectiveness of security testing. Since we follow agile methodology, updating the test case based on the new or modified requirements is essential. 

 Solution: 

  • Write test cases with proper test data to cover security use and misuse cases before development. 
  • Review security test cases with business analysts and developers. 
  • Make test case writing and updating a mandatory practice. 
  • Update test cases and test data to avoid pesticide paradox. 
  • Prioritize and test against the test case    

Challenge 3: Including API Security

API security is as important as front-end security. Most of the attacks that happened through security testing at the API level, remained unnoticed unless we were given access to the database. Also, APIs might have some sensitive data exposed to unauthorized users.  

APIs are developed early. Therefore, API security testing ensures the basic security requirements are met. 

Solution: 

  • Define security requirements and write test cases needed for API security testing 
  • Identify and update the test case on a regular basis. 
  • Automate API security testing. 
  • Start API security testing early, raise bugs, and track them. 

Challenge 4: Security Testing Skillset

This is the biggest challenge. We decided to implement security testing and started self-learning. But there were only a few resources online. Security testing is vast, and we weren’t sure about the proper methods.  

Outsourcing might seem a good option but handing the security testing solely to an external team is not preferable. It would be time-consuming, and we might miss some critical security bugs.  

An internal team can perform effective preliminary testing as they are aware of the sensitive data to be protected, source code, and requirements. 

Solution: 

  • Self-Learning security testing from freely available sources. 
  • Following a proper security testing course from experts in the security domain 
  • Conduct internal KT sessions on security testing 

Challenge 5: Selection of tools

There are various tools available for security testing. The skillset of the tester and the budget determine the selection of tools. Initially, I was using OWASP ZAP. Then I started using Burp Suite on a tech lead’s suggestion.  

ZAP is best for API security testing. It is more convenient to get and view all APIs in a site tree using ZAP. Burp Suite is the most preferred tool by most web security testers. Burp Suite’s intercepting proxy lets us view and modify requests/responses conveniently and shows how UI responds to them. 

Solution: 

  • Each tool has its advantage, the best is not to stick to one tool 
  • Identify static and dynamic testing tools that best suit your project/product. 
  • Improve the skillset of developers and testers on those tools 

Conclusion 

Due to time constraints, when a secure software development cycle isn’t practised, it is only possible to do ad hoc testing for security. Since the security requirements are not defined, and the sensitivity of the data is not recorded anywhere, it is tough to conclude a security bug. So, the confidence in security test coverage is low. This could lead to an unpredictable release.  

We could easily achieve the basic level of security of an application in a new project if we follow the above solutions. In an ongoing project/product, it is partially feasible to implement the BDD method of agile security testing.  

Defining security requirements early would avoid conflicts and confusion in the later phases and minimizes security-related bugs. It improves the accountability of the internal team on the security of the application, thereby resulting in a predictable release with minimum cost, stress, and risk. 

Authored by Shamphavi Shanmugasundram @ BISTEC Global

CIA Triad of Security – Why does it matter?

November 23, 2022

The CIA triad is a high-level checklist to evaluate security procedures. It is a vital model used to assess the risks, threats, and vulnerabilities of the system.

The CIA triad, also known as the AIC triad, is a benchmark model to assess Information Security. It guides security professionals in protecting any asset that is valuable for running a business.   

Security testing should start from the requirement phase in the Software development lifecycle, and it should be integrated into every phase in SDLC.

CIA triad is helpful in identifying the information to be protected and in defining security requirements needed for an application.

CIA Triad stands for Confidentiality, Integrity, and Availability.

CIA Triad

1. Confidentiality

Confidentiality ensures that the system or data is exposed to the right users. This could be ensured by having the following four security measures in an application. They are Identification, Authentication, Authorization, and Encryption.

The confidentiality of an application is assessed by knowing whether the sensitive information in a system is disclosed to unauthorized users. The sensitivity of data is a measure of its importance. The owner of the data decides the sensitivity measure of the data.

2. Integrity

Integrity ensures that the data is reliable. The system or data should be accurate, complete, and consistent.

The integrity of the data could be ensured by having proper security measures in our system. Some of them are Hashing, User access controls, Version control, Backup and recovery procedures, Error checking, and Data validation.

The integrity of the data is measured using a factor called the baseline. The baseline is the measure of the current state of the data. The goal of integrity is to preserve the baseline throughout the transaction.

3. Availability

The data or system should be available to the users when and wherever it’s needed. The availability of the application could be ensured by using Hardware maintenance, Software patching/upgrading, Load balancing, and Fault tolerance.

Appropriate levels of availability should be provided based on the criticality of the data. Criticality is the measure of the dependency of a system on data to perform its operation.

Conclusion

CIA triad helps in understanding and prioritizing the severity of a vulnerability in an application. Neglecting the CIA triad makes the application vulnerable to Interruption, Interception, Modification, or Fabrication class of attack.

CIA serves as a yardstick to evaluate the security of an application. If CIA triad standards were met, then the security of that system would be stronger and better equipped to handle threats.

Is CIA Triad enough for Information Security? – No, but it covers most of the security loopholes in an application.

Authored by Shamphavi Shanmugasundram @ BISTEC Global

Real-Time Power BI Dashboard Using Azure Event Hub & Azure Stream Analytics

August 10, 2022

This article explains how to develop a real-time data integration using Azure resources and a python program. Using Azure event hub & Azure stream analytics, we are going to retrieve real-time stock details to the Power BI dashboard.

Prerequisites

  • An active Azure Subscription
  • An Azure IoT hub in your Subscription
  • Power BI Account
  • Visual Studio Code for Python Program

Create & Configure Azure Resources

1. Create a Resource Group

Sign in to the Azure portal and navigate to your resource group section. Then create a resource group under your subscription.

Create Resource Group

 2. Create an Event Hub Namespace & Event Hub

Search Azure Event Hub in the marketplace and create an event hub namespace.

Create an Azure Event Hub Namespace

Now create an event hub under the event hub namespace and also you can configure partition count as well.

Create an Azure Event Hub

To communicate event hubs with the python program, we have to create an access policy under the event hubs namespace. Go to Shared access policies in the left side panel.

Then create a shared access policy with the “Manage” option and save.

Shared Access Policy

3. Create an Azure Stream Analytics

Search Azure Streaming Analytics in the marketplace and create. And remember to select the same geographical location as an Azure event hub namespace. Using stream analytics, you will be able to access data sent through the Azure event hub.

Configure Stream Analytics Job

After Creating a streaming analytics job, we have to configure the input for the stream analytics job. Go to the input section under the job topology and set up the event hub configuration.

Setup Event Hub Input

Develop Python a program to retrieve stock information

Using the Python program, we are going to retrieve stock information and send that information to azure using an azure event hub configured in our azure account.

Import the below libraries to develop a python program

from dis import findlinestarts
import pandas as pd
import json
from yahoo_fin import stock_info as si
from azure.eventhub.aio import EventHubProducerClient
from azure.eventhub import EventData
from azure.eventhub.exceptions import EventHubError
import asyncio
from datetime import datetime

import warnings
warnings.filterwarnings("ignore", category=FutureWarning)
warnings.filterwarnings("ignore", category=DeprecationWarning)

Python program to send stock information to an azure event hub

1. Function to retrieve stock information

con_string = 'Event Hub Connection String'
eventhub_name = 'Event Hub Name'

def get_stock_data(stockName):
stock_pull = si.get_quote_data(stockName)

stock_df = pd.DataFrame([stock_pull],columns=stock_pull.keys())[['regularMarketTime','regularMarketPrice','marketCap','exchange','averageAnalystRating']]

stock_df['regularMarketTime'] = datetime.fromtimestamp(stock_df['regularMarketTime'])

stock_df['regularMarketTime'] =  stock_df['regularMarketTime'].astype(str)

stock_df[['AnalystRating','AnalystBuySell']] = stock_df['averageAnalystRating'].str.split(' - ',1,expand=True)

stock_df.drop('averageAnalystRating',axis=1,inplace=True)

stock_df['MarketCapInTrillion'] = stock_df.apply(lambda row: "$" + str(round(row['marketCap']/1000000000000,2)) + 'MM',axis=1)

return stock_df.to_dict('record')

datetime.now()

get_stock_data('AAPL')

2. Function to send stock information to an azure event hub

async def run():

# Create a producer client to send messages to the event hub.
# Specify a connection string to your event hubs namespace and# the event hub name.

while True:

await asyncio.sleep(5)

producer =   EventHubProducerClient.from_connection_string(conn_str=con_string,   eventhub_name=eventhub_name)

async with producer:

# Create a batch.
event_data_batch = await producer.create_batch()

# Add events to the batch.
event_data_batch.add(EventData(json.dumps(get_stock_data('AAPL'))))

# Send the batch of events to the event hub.
await producer.send_batch(event_data_batch)
print('Stock Data Sent To Azure Event Hub')

loop = asyncio.get_event_loop()

try:
  loop.run_until_complete(run())
  loop.run_forever()
except KeyboardInterrupt:
  pass
finally:
  print('Closing Loop Now')
  loop.close()

Once we completed the python program, we can see the python program sending data to an azure event hub. To verify that, go to Azure Stream Analytics Job> Query section.

Azure Event Hub Output Data

Develop Power BI Dashboard Using Real-Time Stock Data

In this section, we are going to develop a Power BI dashboard using real-time data coming through an azure event hub.

To Create a Power BI dashboard, navigate to the output option under “Job Topology” and add the Power BI option as below.

Creating Power BI Output

Then Configure the below information and authorize to create of a Power BI dataset in your workspace

Now go to Power BI workspace and you can see the dataset created using the stream analytics job.

To create a dashboard, Go to the new and select the dashboard option in the menu section, and type the name for your Power BI dashboard.

Create Dashboard Option

Now we can add visuals to the Power BI report and to that, go to the edit section and select the “Add Tile” option.

Add Tiles

Select the “Custom Streaming Data” option and select the dataset we created using Azure Stream Analytics Job.

Add Stream Analytics Data

Now you can add multiple Cards, Line Charts, etc depending on your requirement. There are only a few visuals available for streaming analytics data but we will be able to create a meaningful dashboard using available components.

Authored by Janaka Nawarathna @ BISTEC Global

Accelerated Mobile Pages for Fast Loading Web Pages

April 10, 2022

Are you looking to make fast-loading web pages for your business? 

The faster your page loads, the longer visitors spend time on your website. Here is a new framework that makes the loading time of your web page 10X faster. This amazing technology is AMP or Accelerated Mobile Pages. AMP optimizes a web page’s loading speed time to just a few seconds.   

What is AMP? 

AMP is an open-source HTML framework developed by the AMP Open-Source Project. Google created it as a competitor to Facebook Instant Articles and Apple News. It is optimized for mobile web browsing and designed to help web pages load faster. And AMP pages can be cached by a CDN, such as Microsoft Bing or Cloudflare’s AMP caches, allowing pages to be served speedily. 

Why AMP? 

Usually, mobile pages have problems like slow loading, unresponsive pages and content displaced by ads et cetera. Studies show that, 

  • 75% of mobile pages take 10+ seconds to load. 
  • 53% of mobile site visitors leave after 3+ seconds of loading time 

Maintaining a fast mobile website to overcome these problems on your own often requires large development teams or specialized skill sets.

AMP helps to overcome these issues as a smart solution. It does not require a large development team budget. And to top it off, it is compatible with all modern browsers!

With AMP you can have, 

  • A compelling user experience with near-instantaneous loading and smooth scrolling
  • 2X more mobile ad revenue for sites that load in 2 seconds vs 19 seconds

For developers and publishers, it creates opportunities for distribution on Google, Bing, Twitter, LinkedIn, Pinterest etc.

AMP Structure 

Accelerated Mobile Pages are built of 3 components – AMP HTML, AMP JS, and AMP Cache.

AMP Cache helps with validating AMP pages with fetched cache.  AMP is component-based and is not dependent on any special tooling. All components are with Standard HTML, CSS & JS.

AMP provides a static layout and minimum size stylesheet with inline & size-bound CSS.  

“Hello World” with AMP 

AMP site structure

Authored by Evantha Harshana @ BISTEC Global

 
Let's talk

We love connecting

We are here to help and support you.

If you believe that we can help you or your businesses requirements - do feel free to drop your details here and don’t hesitate to give us a ring.

Connecting with us on LinkedIn works best.

  • Footer Email