Security Testing In Business Intelligence Tools Aswathi Mohanan Abhishek Nagar Infosys Limited (NASDAQ: INFY)
Abstract In the IT world we deal with transactions, and to secure those transactions we bring in security testing. Security testing can be described as a test process carried out to ensure that information is secured and is available only to the intended recipient. Security at the application level is important because the data arrives in request messages, for which network security systems are not enough. Nowadays the media regularly report security breaches on the internet. Most records are now in electronic form rather than in books and paper records, which has increased the data security risks in web and other applications. Confidential information such as bank details, health records and credit card details needs the utmost protection in a business/firm for a high-quality customer relationship. Here security testing serves as a well-built lock on the end user's business entities.
Abstract (cont.) • Data is a significant asset to an enterprise. Because Business Intelligence tools play a vital role in assessing this data and generating reports, their role is of paramount importance in security testing. Here we focus on the security vulnerabilities that exist in accessing data through a Business Intelligence tool, with the analyzed problem descriptions and their applicable solutions. In this presentation we discuss the testing strategy involved in validating user privileges in the Business Intelligence tool, and how an application should respond or notify when a malicious input is supplied to it.
Outline of the Tutorial • Introduction/Background of Security Testing (30 mins) • Objectives of the session • Context setting: predictions & future • Expectation from Audience • User Input Vulnerabilities • User Input Validations • Fuzz Testing • Future Direction/Long Term Focus (30 mins) • Results/Conclusion (15 mins)
What does the target audience gain? • This tutorial can benefit: • Senior Test Managers, by helping them understand how the testing strategy is important for securing the vulnerabilities that exist in accessing data from a data warehouse. • Test Managers, to understand the testing strategies and, primarily, the role of BI tools: what can be tested and which practices help overcome the challenges and lead to smooth security testing. • Test Leads/Engineers, to understand the complete picture of security testing and the importance of BI tools, along with the challenges that can come up on the way.
Schematic diagram of Test Strategy Analysis • Test Execution phase (Applying Test data to the BI Tool)
Introduction/Background of the Security Testing Topics covered: 1. Objectives of the session 2. User expectations 3. Expectation from Audience
Objectives, Expectations… • Objectives of this session: to present a clear picture of the security testing strategies used to test the security of a BI tool. • We have presented some problem statements and their solutions in this paper. • Your expectations for this session: learning the security testing strategies that ensure the security of the data, and raising security testing awareness through demonstration of real-time security issues. • Ground rules: more and more interaction will lay the foundation of this session.
Introduction/Background on Business Intelligence • Business Intelligence tools fetch data pertaining to an organization's decision making and reporting from multiple sources. • Confidential data of an organization needs to be protected from unauthorized access. • Impersonation and tampering with the data are some of the ways by which information might be stolen. • Security issues might lead to disclosure of sensitive information, reducing the client's interest in an organization. • Hence, software developers must consider security a crucial parameter in order to meet critical business needs and requirements.
Security Hierarchy The basic security requirement hierarchy consists of the following components: Data security requirements
Loss on Security Breach Damages incurred due to malicious injections/security breaches are depicted below. Areas that are more vulnerable to these types of damage include: 1. BI Tools 2. User Interface Applications 3. Communications
Introduction/Background Most security issues and their risk accumulation on various segments are demonstrated below (self data analysis): security risks (X-coordinates) and areas of vulnerability (Y-coordinates)
User Input Vulnerabilities in BI Tool A BI tool contains data/information from different lines of business, so protecting the processed data is an obligation to all end users. User injection attacks play a vital role in breaches of processed data security. A variety of input injections are listed below.
Testing Approach followed for Security Testing in BI • Among the several user input vulnerabilities, we focus on malicious user input injection in a Business Intelligence tool. • Hence, our core issue is malicious user input, and its solutions are: • User Input Validation • Fuzz Testing
User Input Validation (Solution 1) • User inputs can be tested either manually or in automation mode. • Analysis tools are used in scenarios where the operation of the application is simple (for example, not allowing a user to log in and showing an error message when he provides incorrect credentials). • The analysis tool generates the input values and records the output, which is then compared against the expected results to find the loopholes. • Manual analysis comes into the picture where complex business logic is involved.
Fuzz Testing (Solution 2) • Fuzz testing is a technique in which invalid inputs are fed to the BI tool, which is then monitored for application behavior. • The BI tool should function properly even with these false inputs and should be invulnerable to any security breach through them, • as these false inputs may contain a malicious line of code sufficient to breach the security of the tool. • It is a negative approach that monitors a worst-case scenario in an application. This solution is performed with the intention of finding a security bug in an application. • The real issues faced by end users will be revealed as a result of applying this solution.
Application Of User Input Vulnerabilities • Testing the security vulnerability in BI tools involves the following steps: • Identification of user input forms • Understanding the business requirement behind the user input forms • Preparing the test cases (negative) and test data • Test execution • Reporting security breaches
Future Direction Business Intelligence tools are of paramount importance to an organization's decision making. Every tool comes with user interaction forms in which the user provides inputs. A single false input may lead to false data generation, disclosure of sensitive information or any other security breach. In other words, it exposes a security vulnerability if the input is not correct. Hence, as long as an organization uses a BI tool, input validation is unavoidable. In the coming era, use of these tools is going to increase to a very large extent, which may lead to greater complexity; therefore the concept of security testing in the data warehouse (BI tools) should be given utmost importance.
Conclusion Security testing in the data warehouse is a necessity in the present era of Information Technology. It is applicable even to small data marts and is very useful when seen in the context of data mining. In the end, we conclude that user input validation is more advantageous than fuzz testing. It covers both the valid and invalid scenarios, whereas fuzz testing tests the tool's behaviour in the negative scenarios. As stated earlier, transactions are electronic nowadays; hence, to ensure that the data remains consistent and does not reach the wrong hands, security testing is necessary.
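The steps above applied to a hypothetical BI report filter form (region, start date, row limit), as an added Python example that is not part of the original presentation. The form fields, both validators and the test data are constructed assumptions; the harness runs the expected-result cases of Solution 1 and the seeded random inputs of Solution 2 against a strict and a deliberately weak validator.

```python
import random, re, string
from datetime import date

REGIONS = {"EMEA", "APAC", "AMER"}  # assumed allow-list of a report filter form
class RejectedInput(Exception):
    """Clean rejection of input that violates the business rule."""

def strict_validator(region, start, limit):
    """Hypothetical handler: allow-listed region, real ISO date, limit 1-9999."""
    try:
        day = re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", start) and date.fromisoformat(start)
    except ValueError:
        day = None  # well-formed but impossible date such as 2024-02-30
    if region not in REGIONS or not day or not re.fullmatch(r"[1-9][0-9]{0,3}", limit):
        raise RejectedInput((region, start, limit))
    return {"region": region, "start": day, "limit": int(limit)}

def naive_validator(region, start, limit):
    """Weak variant for comparison: lenient region, no date check, bare int()."""
    if region.strip().upper() not in REGIONS:
        raise RejectedInput(region)
    return {"region": region, "start": start, "limit": int(limit)}

CASES = [  # constructed test data: (region, start, limit, expected_accept)
    ("EMEA", "2024-01-31", "100", True), ("emea", "2024-01-31", "100", False),
    ("EMEA", "2024-02-30", "100", False), ("EMEA", "2024-01-31", "0", False),
    ("EMEA", "2024-01-31", "100; --", False)]

def accepts(validator, fields):
    try:
        return bool(validator(*fields))
    except Exception:  # rejection or crash both mean "not accepted"
        return False

def run_validation_cases(validator):
    """Validation testing: cases whose outcome differs from the expected result."""
    return [c[:3] for c in CASES if accepts(validator, c[:3]) != c[3]]

def run_fuzz(validator, iterations=500, seed=7):
    """Fuzz testing: random field values; anything but RejectedInput is a finding."""
    rng, findings = random.Random(seed), []
    for _ in range(iterations):
        fields = ["EMEA", "2024-01-31", "100"]  # start from a valid submission
        fields[rng.randrange(3)] = "".join(rng.choice(string.printable) for _ in range(rng.randrange(40)))
        try:
            validator(*fields)
        except Exception as exc:
            if not isinstance(exc, RejectedInput):  # clean rejection is expected
                findings.append((fields, type(exc).__name__))
    return findings
```

Against the weak validator, the validation cases report the three wrongly accepted inputs, while the fuzz run reports only the unhandled ValueError from int(); each technique surfaces a different class of defect.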