1 00:00:00,860 --> 00:00:02,890 In this lesson we're going to focus on
2 00:00:02,890 --> 00:00:05,210 the different testing methods that you may use
3 00:00:05,210 --> 00:00:08,740 to help your organization's developers secure their code.
4 00:00:08,740 --> 00:00:11,600 Most security analysts are not programmers themselves,
5 00:00:11,600 --> 00:00:13,670 so the Security+ exam isn't focused on
6 00:00:13,670 --> 00:00:15,490 the specific types of code reviews
7 00:00:15,490 --> 00:00:17,940 like pair programming, over-the-shoulder reviews,
8 00:00:17,940 --> 00:00:18,940 and others.
9 00:00:18,940 --> 00:00:22,110 Instead, the Security+ exam focuses on just a handful
10 00:00:22,110 --> 00:00:24,800 of testing methods that an entry-level security analyst
11 00:00:24,800 --> 00:00:26,290 might conduct.
12 00:00:26,290 --> 00:00:29,490 The first type of testing is known as system testing.
13 00:00:29,490 --> 00:00:31,380 This comes in three varieties:
14 00:00:31,380 --> 00:00:35,050 black-box testing, white-box testing, and gray-box testing.
15 00:00:35,050 --> 00:00:37,310 Black-box testing occurs when a tester
16 00:00:37,310 --> 00:00:41,000 is not given any information about the system or program
17 00:00:41,000 --> 00:00:42,920 before beginning their test.
18 00:00:42,920 --> 00:00:44,860 For example, if I create a program
19 00:00:44,860 --> 00:00:47,030 and I wanted you to conduct this type of test,
20 00:00:47,030 --> 00:00:48,470 I might simply hand you a copy
21 00:00:48,470 --> 00:00:50,280 of the executable program on a disk
22 00:00:50,280 --> 00:00:52,730 and then it's up to you to figure out how it functions,
23 00:00:52,730 --> 00:00:55,168 how to bypass any security I may have coded into it,
24 00:00:55,168 --> 00:00:57,510 and if you can crash it by entering in
25 00:00:57,510 --> 00:00:59,050 incorrect information.
26 00:00:59,050 --> 00:01:01,160 Essentially, you're going to begin your testing
27 00:01:01,160 --> 00:01:03,250 without any sense of what the program does
28 00:01:03,250 --> 00:01:04,780 or how it functions.
29 00:01:04,780 --> 00:01:07,520 As a tester, you're essentially blind to start with
30 00:01:07,520 --> 00:01:09,760 and you discover your way around the program or system
31 00:01:09,760 --> 00:01:11,540 through your testing.
32 00:01:11,540 --> 00:01:15,060 White-box testing, on the other hand, is the exact opposite.
33 00:01:15,060 --> 00:01:17,850 In white-box testing, the tester is given the details
34 00:01:17,850 --> 00:01:20,200 of the inner workings of the program or system.
35 00:01:20,200 --> 00:01:22,700 This may even include access to the full source code
36 00:01:22,700 --> 00:01:25,330 of that program, diagrams of the system,
37 00:01:25,330 --> 00:01:28,770 user access credentials, logons, and more.
38 00:01:28,770 --> 00:01:31,740 The third type of testing is called gray-box testing.
39 00:01:31,740 --> 00:01:34,334 This is a mixture of black-box and white-box
40 00:01:34,334 --> 00:01:36,790 where the tester is given some amount of information
41 00:01:36,790 --> 00:01:37,750 about the system
42 00:01:37,750 --> 00:01:39,830 and conducts his testing as if he doesn't have
43 00:01:39,830 --> 00:01:41,250 full access to it.
44 00:01:41,250 --> 00:01:43,950 For example, a gray-box tester might be given
45 00:01:43,950 --> 00:01:46,090 user-level credentials to test a system,
46 00:01:46,090 --> 00:01:48,560 but not given administrative credentials.
47 00:01:48,560 --> 00:01:50,270 If you're testing a network system,
48 00:01:50,270 --> 00:01:52,560 you may be given some information like the IP address
49 00:01:52,560 --> 00:01:53,780 of different devices,
50 00:01:53,780 --> 00:01:55,920 but you're not given the version of the software
51 00:01:55,920 --> 00:01:57,950 that's running on each device.
52 00:01:57,950 --> 00:01:59,440 As a part of these system tests,
53 00:01:59,440 --> 00:02:01,480 you're often attempting to break the system
54 00:02:01,480 --> 00:02:04,900 by attempting to stress that system or create an exception.
55 00:02:04,900 --> 00:02:06,110 It's important that programmers
56 00:02:06,110 --> 00:02:08,450 have coded their applications to fail securely,
57 00:02:08,450 --> 00:02:11,050 and to ensure this happens, you're going to purposely create
58 00:02:11,050 --> 00:02:13,430 error conditions to cause an error to occur
59 00:02:13,430 --> 00:02:15,710 and see how the system is going to react to it.
60 00:02:15,710 --> 00:02:17,485 If the program is running when the error occurs,
61 00:02:17,485 --> 00:02:20,230 the error is known as a runtime error.
62 00:02:20,230 --> 00:02:22,950 If the program fails to run because of a coding error,
63 00:02:22,950 --> 00:02:25,160 this is known as a syntax error.
64 00:02:25,160 --> 00:02:26,880 This is because the most common cause
65 00:02:26,880 --> 00:02:28,720 of this type of error in programming
66 00:02:28,720 --> 00:02:31,051 is when a programmer doesn't put the proper syntax
67 00:02:31,051 --> 00:02:33,470 expected by that programming language,
68 00:02:33,470 --> 00:02:35,520 such as leaving out a closing parenthesis
69 00:02:35,520 --> 00:02:38,100 or missing a semicolon inside their code.
70 00:02:38,100 --> 00:02:40,870 As a security analyst, you're much more likely to experience
71 00:02:40,870 --> 00:02:42,950 a runtime error than a syntax error
72 00:02:42,950 --> 00:02:45,610 because you're testing these things on a live environment.
73 00:02:45,610 --> 00:02:47,160 Now, when you create an error,
74 00:02:47,160 --> 00:02:49,030 this is also known as an exception.
75 00:02:49,030 --> 00:02:51,930 You need to be able to have a way to handle this properly
76 00:02:51,930 --> 00:02:54,606 and gather the details of the error and what caused it.
77 00:02:54,606 --> 00:02:56,280 To do this, you should use
78 00:02:56,280 --> 00:02:58,670 a structured exception handling mechanism,
79 00:02:58,670 --> 00:03:01,230 which gives you control over what the application should do
80 00:03:01,230 --> 00:03:02,650 when faced with an error.
81 00:03:02,650 --> 00:03:05,070 This is very helpful during debugging and testing,
82 00:03:05,070 --> 00:03:07,280 especially if you have a background as a programmer.
83 00:03:07,280 --> 00:03:09,810 Now that you know how exceptions are handled,
84 00:03:09,810 --> 00:03:13,080 how do you raise an exception or cause this error to occur?
85 00:03:13,080 --> 00:03:15,452 Well, the most common way is to provide the application
86 00:03:15,452 --> 00:03:18,010 with erroneous input as an end user.
87 00:03:18,010 --> 00:03:21,030 For example, let's pretend you're testing a web application
88 00:03:21,030 --> 00:03:23,840 that's designed to let somebody apply for a credit card.
89 00:03:23,840 --> 00:03:25,700 The application might ask for a lot of different
90 00:03:25,700 --> 00:03:28,300 pieces of information like the person's name,
91 00:03:28,300 --> 00:03:31,062 their birthdate, and their social security number.
92 00:03:31,062 --> 00:03:33,850 Let's say you're testing it and you enter John Smith
93 00:03:33,850 --> 00:03:38,130 for your name and 14/23/1985 for your birthday
94 00:03:38,130 --> 00:03:40,910 and ABCD as your social security number.
95 00:03:40,910 --> 00:03:42,840 Magically, an error happens.
96 00:03:42,840 --> 00:03:43,710 Why?
97 00:03:43,710 --> 00:03:46,240 Well, because there's no 14th month in the calendar.
98 00:03:46,240 --> 00:03:47,910 This is an erroneous input,
99 00:03:47,910 --> 00:03:49,890 and a social security number has to have
100 00:03:49,890 --> 00:03:51,360 nine numerical digits,
101 00:03:51,360 --> 00:03:53,530 not four letters like ABCD.
102 00:03:53,530 --> 00:03:55,110 If entering this type of information
103 00:03:55,110 --> 00:03:56,810 caused an exception or an error,
104 00:03:56,810 --> 00:03:58,060 this means that the programmers
105 00:03:58,060 --> 00:04:00,100 haven't been doing a good job of implementing
106 00:04:00,100 --> 00:04:01,831 proper input validation.
107 00:04:01,831 --> 00:04:04,647 All programs should use input validation
108 00:04:04,647 --> 00:04:07,770 when accepting information from their end users.
109 00:04:07,770 --> 00:04:10,687 After all, end users can make mistakes that cause an error
110 00:04:10,687 --> 00:04:13,670 and attackers can use erroneous inputs
111 00:04:13,670 --> 00:04:15,820 as a method to break a piece of software
112 00:04:15,820 --> 00:04:17,830 in order to gain access to information
113 00:04:17,830 --> 00:04:20,290 that the software application contains.
114 00:04:20,290 --> 00:04:22,930 Input validation simply means that programmers
115 00:04:22,930 --> 00:04:24,870 have written code that validates the information
116 00:04:24,870 --> 00:04:26,270 being received from the user
117 00:04:26,270 --> 00:04:28,760 and ensuring that it matches a specific format
118 00:04:28,760 --> 00:04:30,170 or a range of values.
119 00:04:30,170 --> 00:04:32,690 For example, if I'm asking for a social security number
120 00:04:32,690 --> 00:04:34,310 as part of this web application,
121 00:04:34,310 --> 00:04:37,130 I can create a simple program to help solve this issue
122 00:04:37,130 --> 00:04:39,060 and conduct input validation.
123 00:04:39,060 --> 00:04:41,660 For example, let's use this bit of pseudo code.
124 00:04:41,660 --> 00:04:43,852 Get the variable social security number.
125 00:04:43,852 --> 00:04:48,852 If the social security number is greater than 000-00-0000
126 00:04:49,860 --> 00:04:54,357 and the social security number is less than 999-99-9999,
127 00:04:55,320 --> 00:04:57,220 then I can do some function.
128 00:04:57,220 --> 00:05:00,200 Otherwise, I'm going to print some error and then retry.
129 00:05:00,200 --> 00:05:01,830 This piece of pseudo code validates
130 00:05:01,830 --> 00:05:04,100 whether the social security number being accepted
131 00:05:04,100 --> 00:05:07,530 is in the right format and in the right range of values.
132 00:05:07,530 --> 00:05:10,210 If not, then error handling will have to occur,
133 00:05:10,210 --> 00:05:12,170 like displaying an error message to the user
134 00:05:12,170 --> 00:05:14,840 to say the social security number they entered was invalid
135 00:05:14,840 --> 00:05:16,750 and they need to try again.
136 00:05:16,750 --> 00:05:19,620 Input validation is a key component to good coding,
137 00:05:19,620 --> 00:05:22,210 because attackers often use improper inputs
138 00:05:22,210 --> 00:05:23,430 as part of their attacks,
139 00:05:23,430 --> 00:05:26,070 such as in SQL injections, buffer overflows,
140 00:05:26,070 --> 00:05:27,959 and cross-site scripting attacks.
141 00:05:27,959 --> 00:05:29,983 Another aspect of system testing
142 00:05:29,983 --> 00:05:33,070 is to consider how you are going to test the code itself.
143 00:05:33,070 --> 00:05:35,585 Are you going to do this statically or dynamically?
144 00:05:35,585 --> 00:05:38,640 Static analysis occurs when the source code of a program
145 00:05:38,640 --> 00:05:40,370 is available for analysis.
146 00:05:40,370 --> 00:05:42,690 Static analysis is conducted by somebody
147 00:05:42,690 --> 00:05:45,080 who understands the language the program is written in
148 00:05:45,080 --> 00:05:47,510 and they can analyze the code for errors.
149 00:05:47,510 --> 00:05:49,690 These types of static analysis reviews
150 00:05:49,690 --> 00:05:52,180 can also be aided by the use of automation software
151 00:05:52,180 --> 00:05:53,670 to check for known vulnerabilities
152 00:05:53,670 --> 00:05:55,910 and bring them to the attention of a skilled programmer
153 00:05:55,910 --> 00:05:57,160 or analyst.
154 00:05:57,160 --> 00:05:58,670 During a static analysis,
155 00:05:58,670 --> 00:06:00,550 the software's code is not run
156 00:06:00,550 --> 00:06:03,060 but it's simply read to find those errors.
157 00:06:03,060 --> 00:06:05,740 Think of static analysis as your third-grade English teacher
158 00:06:05,740 --> 00:06:08,370 looking over your essay and marking it up with a red pen
159 00:06:08,370 --> 00:06:09,965 to show you all of your errors.
160 00:06:09,965 --> 00:06:11,990 Dynamic analysis, on the other hand,
161 00:06:11,990 --> 00:06:14,840 is performed on a program while it's being run.
162 00:06:14,840 --> 00:06:16,624 The most common type of dynamic analysis
163 00:06:16,624 --> 00:06:18,760 includes the use of fuzzing.
164 00:06:18,760 --> 00:06:20,990 Fuzzing, also known as a fuzz test,
165 00:06:20,990 --> 00:06:24,170 involves using a software program to insert randomized data
166 00:06:24,170 --> 00:06:26,270 in an attempt to find vulnerabilities.
167 00:06:26,270 --> 00:06:28,907 Fuzzing is used to determine possible system failures,
168 00:06:28,907 --> 00:06:31,230 memory leaks, error handling issues,
169 00:06:31,230 --> 00:06:33,910 and improper input validation as well.
170 00:06:33,910 --> 00:06:36,510 This type of testing works just like the earlier example
171 00:06:36,510 --> 00:06:38,140 where we tried to enter some letters in
172 00:06:38,140 --> 00:06:39,830 as our social security number,
173 00:06:39,830 --> 00:06:42,390 but fuzzing tries to enter lots and lots
174 00:06:42,390 --> 00:06:45,050 of randomized sequences to find any vulnerabilities
175 00:06:45,050 --> 00:06:46,530 or errors that it can.
176 00:06:46,530 --> 00:06:49,150 Fuzzing can occur on more than just a single program,
177 00:06:49,150 --> 00:06:52,550 but it also can be used on an entire network or system.
178 00:06:52,550 --> 00:06:55,040 For example, you could use a network fuzzer
179 00:06:55,040 --> 00:06:57,450 to help you stress test a new network you installed
180 00:06:57,450 --> 00:07:00,367 and determine its maximum capacity.