Risk-Based Security Testing in Multi-Tenant Cloud Applications
Despite extensive functional and security testing, we still see many instances of software that, when attacked or even during normal operation, behaves adversely in ways that were not anticipated. In large part this is due to not testing fully for negative functionality, that is, ensuring that the application does not do what it is not supposed to do. Most of the time QA does not give negative testing enough importance, because so much time goes into functional testing and there is pressure to complete testing on schedule.
In a multi-tenant application it is very important that QA ensures the data in the application stays secure, whether during functional testing or negative testing. For example, user management is a typical feature in any multi-tenant application. In a multi-tenant application, users from different tenants use the same application and database without being aware of each other. QA should ensure that customer data is safe and secure during functional testing. In this blog we explain a few scenarios that show how QA can identify security holes during functional testing in multi-tenant applications.
To find the security loopholes in the product, QA can gather the required information about the product and its customers using the steps below:
- Log into the system using the Chrome or Firefox browser.
- Start functional testing in the UI and preserve the network calls in the browser's developer tools (press the F12 key to open them).
- Observe each network call for every UI operation to learn which REST API is invoked at the back end.
- Go through the request headers and responses of each request to learn what kind of authorization is required to invoke the back-end service directly.
By following the steps above, QA will have enough information about each back-end API from functional testing alone. QA can now try the following scenarios as part of security testing for a typical user management feature, using Postman to invoke the back-end calls directly. There is a good chance that these cases are handled at the UI level but not at the back-end service level, and a UI that merely hides an action is not a security control: the back-end service has to enforce the tenant scope and role on every request.
- Log into the system as a Tenant A user with the admin role and try to add a user in another tenant, Tenant B, by calling the add-user API from Postman.
- Log into the system as a Tenant A user with the admin role and try to get the user details of Tenant B by calling the get-users API from Postman.
- Log into the system as a Tenant A user without the admin role and try to manipulate the user details of the same tenant and of another tenant by calling the edit-user API from Postman.
- Log into the system as a Tenant A user and try to delete all the users in another tenant by calling the delete-user API from Postman.
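To show what the back end has to get right for these scenarios, here is an added example (not code from the original post or any real product): a small, hypothetical user-management service that checks tenant scope and role on every call, with the four scenarios above written as automated checks that report whether the service denied each one. The tenant ids, user ids and names are constructed sample data.

```python
from collections import namedtuple
from dataclasses import dataclass, field

class Forbidden(Exception): pass

# tenant_id is taken from the validated session token, never from the request body
Caller = namedtuple("Caller", "user_id tenant_id is_admin")

@dataclass
class UserService:
    users: dict = field(default_factory=dict)  # user_id -> {"tenant": ..., "name": ...}
    def _check(self, caller, tenant, admin_required):
        # Tenant scope is enforced on every call; the role check comes second.
        if caller.tenant_id != tenant:
            raise Forbidden(f"{caller.user_id} may not act on tenant {tenant}")
        if admin_required and not caller.is_admin:
            raise Forbidden(f"{caller.user_id} is not an admin")
    def add_user(self, caller, tenant, user_id, name):
        self._check(caller, tenant, admin_required=True)
        self.users[user_id] = {"tenant": tenant, "name": name}
    def get_users(self, caller, tenant):
        self._check(caller, tenant, admin_required=False)
        return [u for u in self.users.values() if u["tenant"] == tenant]
    def edit_user(self, caller, user_id, name):
        target = self.users[user_id]  # tenant comes from the stored record, not the request
        self._check(caller, target["tenant"], admin_required=caller.user_id != user_id)
        target["name"] = name
    def delete_user(self, caller, user_id):
        self._check(caller, self.users[user_id]["tenant"], admin_required=True)
        del self.users[user_id]

def _denied(call):
    try:
        call()
    except Forbidden:
        return True
    return False

def run_scenarios():
    """Constructed data for tenants A and B; returns scenario -> True if the service denied it."""
    svc = UserService({"a-admin": {"tenant": "A", "name": "Alice"},
                       "a-user": {"tenant": "A", "name": "Arun"},
                       "b-user": {"tenant": "B", "name": "Bob"}})
    a_admin, a_user = Caller("a-admin", "A", True), Caller("a-user", "A", False)
    return {
        "A admin adds a user in tenant B": _denied(lambda: svc.add_user(a_admin, "B", "b2", "Eve")),
        "A admin lists tenant B users": _denied(lambda: svc.get_users(a_admin, "B")),
        "A non-admin edits a same-tenant user": _denied(lambda: svc.edit_user(a_user, "a-admin", "x")),
        "A non-admin edits a tenant B user": _denied(lambda: svc.edit_user(a_user, "b-user", "x")),
        "A user deletes a tenant B user": _denied(lambda: svc.delete_user(a_admin, "b-user")),
    }
```

Every entry in the returned dict should be True; a False entry is exactly the kind of back-end authorization gap the Postman scenarios are meant to surface.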