Arvind's journey started with the need described in "First you create Tests for WebServices, then you add the abuse/security cases". He then started coding Python scripts and Unit tests on his journey into testing WebServices in a developer-friendly way, with some interesting side effects: "If you're not blowing up the database, you're not testing the whole app".
After that he wrote:
- My first working..independent…unit tests :)
- Authorization testing…analysis logic added
- Unit Tests – Handling complex arguments with Suds
and then asked me: "...humm, where can I get the Authorization mappings? (so that I can check my results against them)"
I was waiting for this question, because it is one of the signs that a security test is going in the right direction (btw, if you have commissioned a security assessment and did not get that question, you should be worried!).
Basically what he wants is a mapping of TeamMentor's Authorization Rules, namely which functions should be accessible to each of the security roles (Anonymous, Reader, Editor and Admin).
And this 'simple question' just happens to be one that very few applications and developers have! (tip: if you find the answer and share it with the developers, you will move from being a TAX into being a 'visualization engine')
Usually when we (the security guys) ask this question, we get some old document that explained what they were trying to do, or some guy with pen+whiteboard doing a big diagram :)
My view is that it is impossible to have any type of decent assurance that an application doesn't have authorization blind spots without these mappings. One important factor is that they (the mappings) need to be created in a consumable way, so that they can be verified via automated scripts like the ones Arvind is writing (or by 3rd-party scanning tools/services).
So where are these mappings?
Well ... they exist in the application's source code and (sometimes) in its data (like config-files or database tables).
Here is another example of why automated tools will never be able to have good coverage until they are customized.
In the case of TeamMentor the formula is exclusively in the code, since it uses .NET CAS (CodeAccessSecurity) permissions to issue a Security Demand before security-sensitive actions are performed.
What is going to happen next is that I'm going to use O2's Static Analysis engine to parse the code and extract the current formula into a format that Arvind can consume.
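To make the two halves of that plan concrete, here is an added example (my own illustration, not O2's engine and not TeamMentor's code): a small Python script that extracts a role-to-method mapping from a constructed C# snippet using declarative PrincipalPermission demands, writes it out as JSON so a test script can consume it, and then compares it against the results a WebService test run would produce. The C# snippet, the role model (one role per test account, no role hierarchy) and the "observed" call results are all constructed assumptions for this example; real extraction needs a proper parser, which is exactly what the static analysis engine is for.

```python
import json
import re

# Constructed role model for this example: each test account holds exactly one role.
ROLES = ("Anonymous", "Reader", "Editor", "Admin")
AUTHENTICATED_ROLES = ("Reader", "Editor", "Admin")

# Constructed C# sample (not TeamMentor's source). Each security-sensitive method
# carries at most one declarative demand; a method with no demand is callable by anyone.
SAMPLE_SOURCE = '''
public class Sample_WebServices
{
    public string GetArticle(Guid id) { /* ... */ }   // no demand: anonymous access

    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public List<Article> GetMyArticles() { /* ... */ }

    [PrincipalPermission(SecurityAction.Demand, Role = "Editor")]
    public bool SaveArticle(Article article) { /* ... */ }

    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public bool DeleteUser(int userId) { /* ... */ }
}
'''

ATTR_RE = re.compile(r'\[PrincipalPermission\(SecurityAction\.Demand\s*,\s*(?P<args>[^\]]*)\)\]')
METHOD_RE = re.compile(r'^\s*public\s+[\w<>\[\],\s]+?\s+(?P<name>\w+)\s*\(')


def extract_mapping(source):
    """Return {method_name: set(roles allowed)} derived from the demands in the source."""
    mapping = {}
    pending = []  # demand attributes seen since the last method declaration
    for line in source.splitlines():
        attr = ATTR_RE.search(line)
        if attr:
            pending.append(attr.group("args"))
            continue
        method = METHOD_RE.match(line)
        if not method:
            continue
        allowed = set(ROLES)  # no demand: anonymous callers get through too
        for args in pending:
            role = re.search(r'Role\s*=\s*"(\w+)"', args)
            if role:
                allowed &= {role.group(1)}
            elif re.search(r'Authenticated\s*=\s*true', args):
                allowed &= set(AUTHENTICATED_ROLES)
        mapping[method.group("name")] = allowed
        pending = []
    return mapping


def mapping_to_json(mapping):
    """The consumable form: a test script can load this instead of reading a diagram."""
    return json.dumps({m: sorted(r) for m, r in sorted(mapping.items())}, indent=2)


def find_discrepancies(mapping, observed):
    """observed: {(role, method): True if the call succeeded}.

    Returns (blind_spots, over_restrictions): a blind spot is a role that got through
    where the mapping says it should not; an over-restriction is the reverse.
    """
    blind_spots, over_restrictions = [], []
    for (role, method), succeeded in sorted(observed.items()):
        expected = role in mapping.get(method, set())
        if succeeded and not expected:
            blind_spots.append((role, method))
        elif expected and not succeeded:
            over_restrictions.append((role, method))
    return blind_spots, over_restrictions


def build_observed(mapping, overrides=None):
    """Constructed stand-in for the results of calling every method as every role."""
    observed = {(role, m): role in allowed for m, allowed in mapping.items() for role in ROLES}
    observed.update(overrides or {})
    return observed


# Constructed test results: the application behaves as its code says, except for two
# seeded discrepancies so the comparison has something to report.
CONSTRUCTED_RESULTS = build_observed(extract_mapping(SAMPLE_SOURCE), {
    ("Reader", "SaveArticle"): True,       # seeded blind spot
    ("Editor", "GetMyArticles"): False,    # seeded over-restriction
})

if __name__ == "__main__":
    mapping = extract_mapping(SAMPLE_SOURCE)
    print(mapping_to_json(mapping))
    blind_spots, over_restrictions = find_discrepancies(mapping, CONSTRUCTED_RESULTS)
    print("blind spots:", blind_spots)
    print("over-restrictions:", over_restrictions)
```

The split matters: the extraction side only reads code and never calls the application, while the comparison side only consumes the JSON and the test results, so either half can be swapped (a real parser on one side, the Suds-based tests on the other) without touching the other.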
- Roadmap for Testing a WebService's Authorization Model - detailed description of what needs to be done
- Testing TeamMentor 2.0 security using O2 - how I did this in the 2.0 version of TeamMentor