QA Design Gurus: Risk based Security Testing in Multi Tenant Cloud Application

May 29, 2015

Risk based Security Testing in Multi Tenant Cloud Application

Despite extensive functional and security testing, we see many instances of software that, when attacked or even during normal operation, behaves in ways that were not anticipated. In large part this is because negative functionality is not fully tested: checking that the application does not do what it is not supposed to do. Often QA does not give negative testing enough attention because most of the time goes into functional testing and there is pressure to finish on schedule.
In a multi-tenant application it is very important that QA ensures the data in the application stays secure, both during functional testing and during negative testing. For example, User Management is a typical feature in any multi-tenant
application. Users from different tenants use the same application and database without being aware of each other, so QA should confirm that customer data remains isolated and secure during functional testing. In this blog we explain a few scenarios showing how QA can identify security holes in multi-tenant applications while doing functional testing.
To find security loopholes in the product, QA can gather the required information about the product and its customers using the steps below:
  1. Log into the system using the Chrome or Firefox browser.
  2. Start functional testing in the UI and preserve the network calls in the browser's developer tools (press F12 to open them).
  3. Observe each network call for every UI operation to learn which REST API is invoked at the back end.
  4. Go through the request headers and responses of each request to learn what kind of authorization is required to invoke the back-end service directly.
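Reading every call by hand in the Network panel is tedious for a large feature. The developer tools of both browsers can save the captured traffic as a HAR file, and a short script can turn that file into an inventory of back-end endpoints together with the kind of authorization each one carried. The script below is an added example, not code from the original post; the HAR fragment in it is a constructed sample with placeholder hosts and tokens, and the `/api/` prefix is an assumption about where the REST calls live.

```python
"""Build an inventory of back-end REST calls from a HAR export.

Added example (not from the original post). It assumes the tester saved the
browser's Network panel as a HAR file; SAMPLE_HAR below is a constructed
fragment with placeholder host, token and cookie values.
"""
import json
from urllib.parse import urlsplit

# Constructed HAR fragment standing in for a real "Save all as HAR" export.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "GET",
                     "url": "https://app.example.test/api/v1/tenants/42/users?page=1",
                     "headers": [{"name": "Authorization", "value": "Bearer eyJ.placeholder.token"},
                                 {"name": "Accept", "value": "application/json"}]},
         "response": {"status": 200}},
        {"request": {"method": "POST",
                     "url": "https://app.example.test/api/v1/tenants/42/users",
                     "headers": [{"name": "Cookie", "value": "session=placeholder"},
                                 {"name": "X-CSRF-Token", "value": "placeholder"}]},
         "response": {"status": 201}},
        {"request": {"method": "GET",
                     "url": "https://app.example.test/static/app.js",
                     "headers": []},
         "response": {"status": 200}},
        {"request": {"method": "DELETE",
                     "url": "https://app.example.test/api/v1/tenants/42/users/7",
                     "headers": [{"name": "Authorization", "value": "Bearer eyJ.placeholder.token"}]},
         "response": {"status": 204}},
    ]}
})

# Header names that carry credentials or anti-CSRF material (assumed set).
AUTH_HEADERS = {"authorization", "cookie", "x-api-key", "x-csrf-token"}


def auth_kind(headers):
    """Summarise how a request authenticates: Authorization scheme, cookie, etc."""
    kinds = []
    for h in headers:
        name = h["name"].lower()
        if name == "authorization":
            scheme = h["value"].split(" ", 1)[0]  # e.g. "Bearer", "Basic"
            kinds.append(f"Authorization: {scheme}")
        elif name in AUTH_HEADERS:
            kinds.append(name)
    return sorted(kinds) or ["none"]


def api_inventory(har_text, api_prefix="/api/"):
    """Return one record per distinct (method, path) under api_prefix, sorted."""
    entries = json.loads(har_text)["log"]["entries"]
    seen = {}
    for e in entries:
        req = e["request"]
        path = urlsplit(req["url"]).path  # drop host and query string
        if not path.startswith(api_prefix):
            continue  # skip static assets and page loads
        key = (req["method"], path)
        seen.setdefault(key, {"method": req["method"], "path": path,
                              "auth": auth_kind(req["headers"]),
                              "status": e["response"]["status"]})
    return [seen[k] for k in sorted(seen)]


if __name__ == "__main__":
    for rec in api_inventory(SAMPLE_HAR):
        print(f'{rec["method"]:6} {rec["path"]:40} auth={",".join(rec["auth"])} '
              f'status={rec["status"]}')
```

The `auth` column is what step 4 is after: an endpoint that turned out to need only a session cookie, or nothing at all, is the first one to replay in the next section, and an endpoint whose path embeds a tenant id (`/tenants/42/...`) is the obvious place to swap in another tenant's id.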

By following the steps above, QA collects enough information about each back-end API during functional testing. Now QA can try the following scenarios as part of security testing of a typical User Management feature, using Postman to invoke the back-end calls directly. There is a good chance that the following cases are handled at the UI level but not at the back-end service level.
  1. Log into the system as a Tenant A user with the admin role and try to add a user to another tenant, Tenant B, by calling the add-user API from Postman.
  2. Log into the system as a Tenant A user with the admin role and try to get the user details of Tenant B by calling the get-users API from Postman.
  3. Log into the system as a Tenant A user without the admin role and try to manipulate user details of the same tenant and of another tenant by calling the edit-user API from Postman.
  4. Log into the system as a Tenant A user and try to delete all the users in another tenant by calling the delete-user API from Postman.
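The four Postman scenarios are the same check repeated against different calls: a request carries an authenticated caller and a target tenant, and the service must refuse whenever they differ, whatever the caller's role. The script below is an added example, not code from the original post, that expresses the scenarios as an automated check and runs it against two in-memory stand-ins for the back end. `UserService` is a constructed model (the real API would be driven with an HTTP client instead): with `enforce_tenant=False` it behaves like a service that relies on the UI to hide other tenants' data, with `enforce_tenant=True` it checks the tenant on the server side. User names, tenant ids and the 403/404 convention for denied calls are assumptions.

```python
"""Tenant-isolation checks for a User Management API, run against an in-memory stand-in.

Added example, not from the original post. UserService is a constructed model of
the back end so the script runs offline; against a live system the same checks
would be driven with an HTTP client using the headers captured earlier.
"""
from dataclasses import dataclass, field

DENIED = {403, 404}  # either status is an acceptable refusal (404 avoids confirming the tenant exists)


@dataclass(frozen=True)
class Session:
    """Who the back end believes is calling: taken from the token, never from the request body."""
    tenant: str
    user: str
    role: str  # "admin" or "member"


@dataclass
class UserService:
    enforce_tenant: bool = True
    # Constructed sample data: two tenants, each with one admin and one member.
    users: dict = field(default_factory=lambda: {
        "A": {"alice": "admin", "amir": "member"},
        "B": {"bob": "admin", "bea": "member"},
    })

    def _authorize(self, session, target_tenant, need_admin):
        """Return an HTTP-style status to refuse with, or None if the call is allowed."""
        if self.enforce_tenant and session.tenant != target_tenant:
            return 403  # cross-tenant request: refuse regardless of role
        if need_admin and session.role != "admin":
            return 403  # role check alone is what the weak variant still has
        return None

    def add_user(self, session, tenant, name, role="member"):
        denied = self._authorize(session, tenant, need_admin=True)
        if denied:
            return denied, None
        self.users.setdefault(tenant, {})[name] = role
        return 201, {"name": name, "role": role}

    def get_users(self, session, tenant):
        denied = self._authorize(session, tenant, need_admin=False)
        if denied:
            return denied, []
        return 200, sorted(self.users.get(tenant, {}))

    def edit_user(self, session, tenant, name, role):
        denied = self._authorize(session, tenant, need_admin=True)
        if denied:
            return denied, None
        if name not in self.users.get(tenant, {}):
            return 404, None
        self.users[tenant][name] = role
        return 200, {"name": name, "role": role}

    def delete_user(self, session, tenant, name):
        denied = self._authorize(session, tenant, need_admin=True)
        if denied:
            return denied, None
        if self.users.get(tenant, {}).pop(name, None) is None:
            return 404, None
        return 204, None


def run_isolation_checks(service):
    """Replay the blog's four scenarios; True means the service refused as it should."""
    admin_a = Session("A", "alice", "admin")
    member_a = Session("A", "amir", "member")
    owner_b = Session("B", "bob", "admin")  # used only to observe tenant B's state
    before_b = service.get_users(owner_b, "B")[1]
    results = {
        "1 admin@A adds user in B": service.add_user(admin_a, "B", "newuser")[0] in DENIED,
        "2 admin@A lists users of B": service.get_users(admin_a, "B")[0] in DENIED,
        "3a member@A edits user in A": service.edit_user(member_a, "A", "alice", "member")[0] in DENIED,
        "3b member@A edits user in B": service.edit_user(member_a, "B", "bob", "member")[0] in DENIED,
        "4 admin@A deletes users of B": all(
            service.delete_user(admin_a, "B", n)[0] in DENIED for n in before_b),
    }
    # A refusal that still changed data would be a bug, so check the side effects too.
    results["B's user list unchanged"] = service.get_users(owner_b, "B")[1] == before_b
    return results


if __name__ == "__main__":
    for label, svc in (("UI-only checks", UserService(enforce_tenant=False)),
                       ("server-side checks", UserService(enforce_tenant=True))):
        print(label)
        for name, ok in run_isolation_checks(svc).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {name}")
```

Two points carry over to a real run with Postman or a script: the tenant the caller belongs to must come from the server-side session or token, not from any id the client sends, and every check should be followed by re-reading the other tenant's data with that tenant's own credentials, because a 200 or even a 403 says nothing about whether the row was actually written or deleted.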

