The challenge for Day Thirteen is – Perform a Security analysis for requirements in a story.
I interpreted this challenge as “demonstrate how you would consider the security implications in a user story”.
If you are new to the concept of a user story, Wikipedia defines it as an informal, natural-language description of one or more features of a software system. User stories are often written from the perspective of an end user or user of a system.
User stories often follow the format of:
“As a <type of user>, I want/need to <action/goal> so that I can <outcome/result/benefit>”
“As a customer of ExampleEcommerceCo I want to add items to my shopping cart without navigating away from the products list so that I can continue shopping and pay for them with my credit card later”
At first glance this story might look very straightforward, but, as is often the case with software, there is more than meets the eye.
To do a security analysis of this story I would break down the elements:
“As a customer of ExampleEcommerceCo”…
What defines a customer?
- Do they need to create an account? If so, what details are required from them, and how securely are those details stored and transferred within the application?
- Do they need to authenticate? If so, what are the methods? Are there any rules on password complexity? Two-factor authentication? Logging in via a third party (e.g. Facebook or Google login)?
- Are there different permissions for users? What access/permissions does a customer have, and how are they defined and enforced? Is it possible for a user to change their own permissions, and should this be allowed?
- Are there requirements for being a customer, e.g. geo-blocking, IP address restrictions etc.? How does this affect security?
- Do customers of ExampleEcommerceCo have shared access to other apps/sites? E.g. does their ExampleEcommerceCo login allow them to access ExampleUtilityCo, and what does this mean for security?
- How does a customer reset their login credentials? How secure is this process?
“I want to add items to my shopping cart without navigating away from the products list”…
- Was the shopping cart designed in-house or provided by a 3rd party?
- Can other users access this customer’s shopping cart? Should they be able to, and why?
- Is it possible to steal this customer’s cookie and impersonate them to access the cart?
- How secure is the data related to the cart? Will other parties know what the customer is purchasing, is this a breach of privacy? Could it impact the customer negatively or harm the reputation of the company?
- Is it possible to intercept requests to/from the cart? Can these be modified?
- “without navigating away from the product list” – what other pages/areas is the cart available from, and does this have any security implications? (e.g. can you see it from the login screen?)
- How does the user access the cart without leaving the product page? E.g. is this a pop-up, or opened within the same page, etc.? Does this have any security implications?
“so that I can continue shopping and pay for them with my credit card later”
- How does the customer enter their credit card details? How secure is this process?
- Does the customer save their credit card details in their account? How and where is this information stored? How is it accessible?
- Is the payment function developed in-house or provided by a 3rd party?
- Do the contents of the cart remain available after the customer has logged out? How visible is this?
- Is it possible to hijack the customer’s session?
The list could go on but I’m sure you’ve had enough reading and get the idea.
With each of the questions you generate consider how you would test it and what it means for security.
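As an added illustration (not part of the original post or any real ExampleEcommerceCo code), here is one way to turn two of the cart questions above, “Can other users access this customer’s cart?” and “Can requests to the cart be intercepted and modified?”, into checks a tester can run. The cart service, session tokens, SKUs and prices are all constructed for the example.

```python
# Added example, not from the original post: a toy cart service whose checks
# answer "can other users access this customer's cart?" and "can requests to
# the cart be modified?". All ids, SKUs and prices are constructed.

CATALOGUE = {"sku-1": 1999, "sku-2": 500}  # server-side prices in cents


class Forbidden(Exception):
    """Raised when a request is not authorised for the cart it names."""


class CartService:
    def __init__(self):
        self.sessions = {}  # session token -> customer id
        self.carts = {}     # customer id -> {sku: quantity}

    def login(self, token, customer_id):
        self.sessions[token] = customer_id
        self.carts.setdefault(customer_id, {})

    def logout(self, token):
        self.sessions.pop(token, None)

    def _customer(self, token):
        # Identity comes from the server-side session only; a customer id
        # carried in the request body is never trusted.
        if token not in self.sessions:
            raise Forbidden("no valid session")
        return self.sessions[token]

    def add_item(self, token, request):
        """Handle an 'add to cart' request dict. Every field (cart_owner, sku,
        qty, price) is client-controlled, so each is validated server-side."""
        customer = self._customer(token)
        if request.get("cart_owner") != customer:
            raise Forbidden("cart belongs to another customer")
        sku, qty = request.get("sku"), request.get("qty", 0)
        if sku not in CATALOGUE or not isinstance(qty, int) or qty <= 0:
            raise ValueError("unknown sku or bad quantity")
        # Any 'price' field in the request is ignored: totals come from
        # CATALOGUE, so a tampered price cannot change what is charged.
        cart = self.carts[customer]
        cart[sku] = cart.get(sku, 0) + qty
        return self.total(token)

    def total(self, token):
        cart = self.carts[self._customer(token)]
        return sum(CATALOGUE[sku] * qty for sku, qty in cart.items())
```

Each assertion you write against a service like this corresponds directly to one of the questions in the story breakdown, which makes the gap between “question” and “test” explicit.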
Thanks for reading my post and following my progress through the 30 Days of Security Testing.
Feel like joining in? Sign into the WeTest Slack group and get involved!