Glia veebirakenduse läbistustestimine
Date
2019
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
Abstract
Läbistustestimine on reaalsete veebirünnakute simulatsioon, et hinnata turvaaukudest tulenevaid potensiaalseid riske. Läbistustestimine nõuab testijalt mitmekülgseid professionaalseid oskusi, et manuaalselt kontrollida turvalisuse nõudeid, teostada veebirakenduse lähtekoodi ülevaatamist ning seadistada automatiseeritud teste. Mittetulundusühing OWASP pakub tarkvara turvalisuse hindamiseks mitmeid dokumente. Glia arendatud operaatori veebirakendust testiti kõigi OWASP Top 10 2017 ohtude suhtes. Ohutegurite kontrollimiseks kasutati OWASP ASVS 4.0 teise taseme nõudeid, mõnel puhul ka kohandatud nõudeid. Lisaks manuaalselt tuvastatavatele turvanõuete kontrollile kasutati ka Burp Suite rakenduse erinevaid automatiseeritud tööriistu. Iga tuvastatud turvaaugu puhul hinnati selle riski taset, võttes arvesse ohu leviku tõenäosust ja mõju veebirakendusele. Kõikidele OWASP Top 10 ohtude kohta anti riskide maandamise soovitusi.
Penetration testing is a simulation of real attacks to assess the risks associated with potential security vulnerabilities. Penetration testing requires various levels of expertise to manually verify security requirements, to review web application source code and configure automated tests. Nonprofit organization OWASP provides several documents for software security assessment. Glia’s Operator Application was tested against all OWASP Top 10 2017 threats. For threat verification, OWASP ASVS 4.0 level 2 requirements along with additional customized test cases were checked. In addition to manual security requirement verification, automated Burp Suite tools were used. For each detected vulnerability, risk severity was assessed by taking into account the threat prevalence likelihood and impact. Risk mitigation suggestions were provided to all OWASP Top 10 threats.
Penetration testing is a simulation of real attacks to assess the risks associated with potential security vulnerabilities. Penetration testing requires various levels of expertise to manually verify security requirements, to review web application source code and configure automated tests. Nonprofit organization OWASP provides several documents for software security assessment. Glia’s Operator Application was tested against all OWASP Top 10 2017 threats. For threat verification, OWASP ASVS 4.0 level 2 requirements along with additional customized test cases were checked. In addition to manual security requirement verification, automated Burp Suite tools were used. For each detected vulnerability, risk severity was assessed by taking into account the threat prevalence likelihood and impact. Risk mitigation suggestions were provided to all OWASP Top 10 threats.