Security Evaluation for WidgetsInc Web-Store


Added on 2023/06/12

SECURITY EVALUATION
Report for the WidgetsInc web-store security evaluation
Introduction
WidgetsInc requested a security evaluation of its web-store, to be carried out by Benny Vandergast Inc. The evaluation is meant to reveal flaws in the security measures implemented in the web-store. The main objective of security testing is to find out how vulnerable a system is, and a system security evaluation is used to determine how well the resources and the data are protected. The evaluation tests whether unauthenticated users can access the web-store, steal data held in the system, or interfere with its processes. When a company runs a web-store, most transactions are done online, so the data has to be secure. Online transactions will be numerous, and they have to be accurate and their data protected. Security evaluation helps ensure that the system is efficient and effective. The attributes of security testing include availability of the system, authorization, confidentiality, integrity, resilience, authentication and non-repudiation.
Security testing of a web-store application is very important. System testing is done to avoid outcomes such as loss of customer trust, the cost of dealing with application attacks in the future, web-store downtime, and the time and expenditure of recovering from downtime.
There are various classes of threat to a web-store. They include privilege escalation, SQL injection, URL manipulation, unauthorized data access, denial of service, identity spoofing and cross-site scripting (Getting, 2018). Privilege escalation involves a hacker who already has an account in the system and increases his or her privileges to those of a super user. The hacker is then able to run code on the system and could compromise the entire web-store application. SQL injection is an attack technique in which the hacker inserts malicious SQL into an input field that is executed, which can result in the system disclosing critical information from the database. The hacker could use that information to vandalize the whole system; the attack takes advantage of existing loopholes in the system. Unauthorized data access is another major attack on systems (Kauffman and Tallon, 2014). There are various types: unauthorized access to data through data-fetching operations or through other systems that can reach the data, and unauthorized access to the network, which includes the servers. URL manipulation involves manipulation of the query strings in the website's URLs.
Denial of service involves preventing the legitimate users of the system from accessing the system resources; the attack could render the entire system unusable. Data manipulation involves a hacker changing the data of a website to gain some advantage, for example altering HTML pages to be offensive. Identity spoofing involves a hacker acquiring the credentials of a legitimate user and then attacking the network hosts or stealing data. Finally, cross-site scripting is a common threat to web-store sites. The hacker injects client-side script into the system, and users of the system may click on the resulting links. Some of these links could allow the hacker to steal information from the system, or to perform unwanted actions while pretending to be the legitimate user.
Security investigation of the system
Benny Vandergast Inc. provided a VMware machine that was used in the testing process. Virtualization technology has advanced from hardware virtualization alone to data virtualization, network virtualization, storage virtualization and memory virtualization, each with its own specification. Testing in a virtualized environment is very useful and advantageous for software such as the WidgetsInc web-store.
A number of methods were used in the investigation of the system's security. They include cross-site scripting, ethical hacking, password cracking, penetration testing, risk assessment, security auditing, security scanning, SQL injection, URL manipulation, posture assessment and buffer overflow testing (Singh, 2016).
The testing process followed four practices: tracking down issues that could not be recreated, resolving resource collisions during testing, keeping control when the test matrix becomes hard to manage, and using smart VMware monitoring (Diez et al., 2016). First, there were issues that had to be tracked down: bugs that would crash the system and could not be reproduced afterwards. With such bugs the testers got no information on what led to the crash. To make testing of such issues practical, tools that record and replay the execution are necessary; in this case VMware Snapshots were used (eCommerce, 2013). Snapshots allowed the testers to go back over the entire execution that led to the crash, and to view the threads and processes in order to see what caused the crashes experienced with the system. The recorded activity was saved in a file for easy retrieval when needed.
The second practice was resolving resource collisions during the testing process. Some tests could not be run concurrently because of the difficulty of acquiring the resources they needed. Testing in such environments was made possible by cloning and network fencing, so that testing could proceed in many environments at the same time; for example, user authentication testing, regression testing and integration testing could run concurrently.
The third practice was to manage the situation when the test matrix was becoming hard to handle. There were situations in which the testing crew faced tough trade-offs between the test matrix and the quality of the software to be released. To resolve this, the crew created templates that were used to establish the level of testing. For example, the crew had Level One as website testing, Level Two as the operating system, Level Four as database testing and Level Five as the network, with various tests at each level.
Finally, the group had to deploy a smart VMware monitoring system. After new software is implemented there is a need to keep an eye on the environment. Opvizor is the right tool for monitoring the VMware environment (opvizor, 2018); it does not require one to keep watching the results, since it sends a notification once it detects a problem in the system. Snapwatcher was also used to capture the snapshots and keep track of the VMware environment; it is useful for monitoring the behaviour of a system.
Virtualized testing needed to be efficient and automated. Virtualization provides better utilization of resources. The testing crew can revert the system to a previous state, so clean-up is easy and the team could debug problems using the generated snapshots. Virtualized testing involves minimal loss when servers crash: VMs are basically files, which can be backed up for retrieval in case of any loss. VMs provide a pool of resources, which means there is no need to reconfigure the images when a new physical server is introduced. The team created such a pool of resources, which minimizes the cost of testing. VM-based testing is easy to maintain and its processes are automated, so minimal effort was required from the group that was assigned the testing of the e-commerce system. The VMs could also be replicated through virtualization and the automation scripts that were already available.
Set up and configuration of virtual test environment
Benny Vandergast Inc needed the virtualization infrastructure to install the VMware ESXi hypervisor. ESXi provides the tools to run and manage virtual machines. The group then needed to create a virtualized testing environment. The testing environment was set up in an empty VM: the group installed the guest operating system and the applications required for testing the web-store system, and the VM was cloned many times during the testing process. Windows Server 2008 and JBoss Application Server 6 were installed on the virtual machine (Mastering VMware vSphere 4, 2011). That was the manually configured server; the server set-up then needed to be automated, and the tool used for this was VMware vSphere PowerCLI. The tool is developed closely alongside the VMware infrastructure called vSphere. PowerCLI has many useful features, but only a few were utilized in creating the testing environment (Dekens, 2016).
PowerCLI is built on the Microsoft PowerShell platform. PowerShell is a powerful but user-friendly tool, as it provides console commands. These commands are also useful for managing Windows products such as IIS, SQL Server, MS Office and many more. PowerCLI was connected to the VMware ESXi server. The necessary tools were installed in the VM, as they improve VM performance and make some challenging operations simpler. The network interface cards of the operating system were added to the virtual machine configuration. A dedicated IP address was set for the test infrastructure and the VM's IP was updated. A snapshot was created after the network had been configured. The snapshot would be useful if the VM needed to be reverted to its previous state, and was also kept for future use.
Next, an environment was created for the configuration files, since some data about the environment is useful later. NIC objects were used in creating the configuration files for the purpose of future tests. The $nic variable contains the IP, DNS and subnet mask information, and the hash-table $env was used when executing the tests. The tests and the test frameworks then had to be set up.
The web-store software, the software under test, needed to be installed. The sources were synced with the tests and the frameworks (Ixiacom.com, 2018). Some report templates were prepared. The Microsoft products were managed via the PowerShell API. A number of executable files and compressed files containing the scripts were copied to the virtual machine, and the tests were then synced from the source control repository (Softwaretestinghelp.com, 2018). Once the scripts were executed they returned their results to the screen while running in the virtual machine, so the progress of a long test could be monitored. Invoke-VMScript is used to execute many of the scripts. Another snapshot was taken at this stage, for use in case a revert is necessary (Halal, 2008).
After the execution is complete, a report is created. The report holds information about the test reference, the test status, the log files and the number of executions that took place for a specific task, and it can be configured to be sent to various people. Before another test, the environment is cleaned up by reverting to the snapshot that was taken at the beginning. With this process, multiple tests can be run as errors are found, until all the errors are fixed.
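The set-up and test loop described in the two sections above, as an added PowerCLI example; this is not the report's own script. The ESXi host name, VM name, guest credentials, the addresses in $nic, the C:\Tests paths and the two test script names are assumed placeholders, and the report's $env hash-table is named $testEnv here so that it does not shadow PowerShell's Env: drive.

```powershell
# Added example of the PowerCLI test-environment workflow; not the report's own script.
# Host name, VM name, $nic addresses, C:\Tests paths and script names are placeholders.
# Requires the VMware.PowerCLI module on the controller machine.
Import-Module VMware.PowerCLI -ErrorAction Stop

$esxiHost  = 'esxi-test.example.internal'   # assumed ESXi host running the cloned VM
$vmName    = 'WebStoreTest'                 # assumed name of the test VM
$guestCred = Get-Credential -Message 'Guest OS account used by Invoke-VMScript'

Connect-VIServer -Server $esxiHost | Out-Null
$vm = Get-VM -Name $vmName -ErrorAction Stop

# $nic: the dedicated address assigned to the test VM (constructed values).
$nic = @{ IPAddress = '10.10.20.15'; SubnetMask = '255.255.255.0'
          Gateway   = '10.10.20.1';  Dns        = '10.10.20.2' }

# Apply $nic inside the Windows Server 2008 guest with netsh, then snapshot the clean state.
$netScript = @"
netsh interface ip set address name="Local Area Connection" static $($nic.IPAddress) $($nic.SubnetMask) $($nic.Gateway) 1
netsh interface ip set dns name="Local Area Connection" static $($nic.Dns)
"@
Invoke-VMScript -VM $vm -GuestCredential $guestCred -ScriptType Bat -ScriptText $netScript | Out-Null
$baseline = New-Snapshot -VM $vm -Name 'baseline' -Description 'Network configured, no tests run' -Memory

# The report's $env hash-table (called $testEnv here): settings the test scripts consume per run.
$testEnv = @{
    TestRoot   = 'C:\Tests'
    ResultsDir = 'C:\Tests\Results'
    Scripts    = @('xss-input-check.ps1', 'session-expiry-check.ps1')   # hypothetical test scripts
}

# Copy the scripts synced from source control (assumed to sit beside this script) into the guest.
foreach ($s in $testEnv.Scripts) {
    Copy-VMGuestFile -Source (Join-Path $PSScriptRoot $s) -Destination $testEnv.TestRoot `
        -VM $vm -LocalToGuest -GuestCredential $guestCred -Force
}

# Run one script in the guest and return a report row: reference, status, log file, run number.
function Invoke-WebStoreTest {
    param([string]$ScriptName, [int]$RunNumber)
    # The script's own exit code is propagated so the controller can decide pass/fail.
    $cmd = "& '$($testEnv.TestRoot)\$ScriptName' -ResultsDir '$($testEnv.ResultsDir)'; exit `$LASTEXITCODE"
    $r   = Invoke-VMScript -VM $vm -GuestCredential $guestCred -ScriptType PowerShell -ScriptText $cmd
    $log = Join-Path $PSScriptRoot "$($ScriptName -replace '\.ps1$','')-run$RunNumber.log"
    $r.ScriptOutput | Set-Content -Path $log          # keep the guest's output as the log file
    [pscustomobject]@{
        TestReference = $ScriptName
        Status        = if ($r.ExitCode -eq 0) { 'PASS' } else { 'FAIL' }
        LogFile       = $log
        Run           = $RunNumber
    }
}

$run    = 1
$report = foreach ($s in $testEnv.Scripts) { Invoke-WebStoreTest -ScriptName $s -RunNumber $run }
$report | Export-Csv -Path (Join-Path $PSScriptRoot "webstore-run$run.csv") -NoTypeInformation
$report | Format-Table -AutoSize

# Clean-up: revert to the baseline snapshot so the next run starts from the same state.
Set-VM -VM $vm -Snapshot $baseline -Confirm:$false | Out-Null
Disconnect-VIServer -Server $esxiHost -Confirm:$false
```

Each rerun after a fix increments $run, and the exported CSV carries the test reference, status, log file and run number that the report describes.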
Test Reports
The web-store was found to have some faults. The faults include unwanted scripts, or scripts that are not trusted. Cross-site scripting testing was performed on the web store: an attempt was made to add a script to the application (Offutt, 2008). If the system accepts any such script, then the system is prone to attack. With the web-store application the script was accepted, which showed that the system is not secure and is prone to attack and manipulation. Attackers tend to use such scripts to run malicious processes in the browser (Smartbear.com, 2018), and these attacks tend to use scripts to expose the credentials of various users of the system.
The scripts can easily be detected using PowerShell, and one can control their execution by changing the execution policy. Also, the passwords of several users were easy to guess. A user account with an easily guessed password can be used by a hacker to gain access to the system and make changes to the database and the system processes. The users with such accounts were advised to change their passwords and choose strong ones, and the system administrator was urged to allow only users with strong passwords. The software to be used for creating passwords is a password generator. The system also does not prohibit multiple logins. Another fault in the authentication area is that session IDs do not expire after a period of inactivity. A session ID could be stolen or predicted by a hacker, who can then take over a genuine user's online identity and misuse it (Nahari and Krutz, 2013).
The server on which the site is hosted lacks backup plugins. Backing up every piece of data is essential; the company should incorporate backup devices for backing up data in case of a system failure. If the servers are vandalized and have no backup, there is a high chance of losing a great deal of data. The web-store was also prone to price manipulation (Pandey and Rastogi, 2010), which hackers reach through the payment gateways. In most cases hackers use software such as Achilles to change the amount that is payable, as the image in the original report shows. An intruder can lower the price and get away with it without being noticed. Finally, the server on which the web-store is installed does not have an antivirus. The system is prone to attack by malicious software that hackers could insert into the web pages once they gain access to the site; the malware could also reach the workstations in the office. There are different ways in which malware is installed on a site, including cross-site contamination or a widespread malware infection. Malware infection can lead to the introduction of botnets in the system and DDoS attacks, to theft of clients' credit card information, and to the system being used to send spam.
How to secure the system
Apart from the issues listed above, the system will be acceptable once they are resolved. The configuration of the e-commerce site was set up as required (Schiff, 2018). There are a number of ways to enhance the security of the web-store. The security measures include having digital certificates, encryption of data in transit, installing antivirus, performing a security audit on the system regularly, and many other factors (TechGenYZ, 2018).
First, the untrusted scripts on the site can be identified and removed from the system, and white-list input validation should be added. The web applications on the computers and the servers should be kept up to date, because outdated applications tend to be more vulnerable to cross-site scripting. Maintaining the updated version of a web application or other software is very necessary (Symantec.com, 2018).
Secondly, insecure authentication could cause much havoc in the system (business.com, 2018), as credentials could be stolen or compromised. The best way to solve this problem in the system is to use two-factor authentication, which adds an extra layer of security to the e-commerce site. Two-factor authentication involves using two means of identification (Uky.edu, 2018): first the user is required to enter the login credentials, and secondly a message generated in real time is sent to the user's phone or email. Hackers may succeed in the first step but not in the second method of authentication (Vranken and Poll, 2015).
Thirdly, the company needs to educate the users on the importance of using strong passwords. The employees are to be trained on the importance of not sharing their login credentials with others, and should be informed not to send any sensitive data by email or text message, since the system could be hacked and the hackers may end up with sensitive data or customers' personal information.
The company is required to install antivirus software on the various workstations and the server. The antivirus will help prevent malware from getting into the network. Finally, the company should have a monitoring system that keeps track of all activities on the site and sends a notification to the administrator when an intrusion is detected. Tools such as Woopra and Clicky allow easy monitoring of the visitors who are navigating across the website in real time. When these steps have been implemented, the e-commerce site will be secure from such threats.
Conclusion
The virtualization method of testing a system is easy and efficient. The testing is scalable and agile, as one can create more virtual machines to run the tests. There is also minimal chance of losing data, because snapshots can be reverted to recover the previous data. The VMs can also be reverted to a clean state without losing any configuration. With VM testing there is no fear of hardware failure: VMs behave like hardware, except that they share resources. A VM can be cloned into multiple VMs. The automated nature of VMware testing makes use of highly rated testing tools to give accurate reports.
Recommendation
The security evaluation of the system was performed successfully (Performance Testing: A Comparative Study and Analysis of Web Service Testing Tools, 2018). The security gaps that were found in the system should be looked into and the necessary measures taken to reduce the risks to the business. Once the business has implemented the proposed ways to enhance system security, the company is assured of building trust with its customers (Chen et al., 2008). More customers will buy goods and services from WidgetsInc and the profit margin will increase. A secure system will have accurate and reliable data, which will be used in the company's decision making.
References
Schiff, J. (2018). 15 Ways to Protect Your Ecommerce Site From Hacking and Fraud. [online] CIO. Available at: https://www.cio.com/article/2384809/e-commerce/15-ways-to-protect-your-ecommerce-site-from-hacking-and-fraud.html [Accessed 22 May 2018].
business.com. (2018). E-commerce Security: Protect Your Store - business.com. [online] Available at: https://www.business.com/articles/e-commerce-website-security-5-best-practices-to-protect-your-online-store/ [Accessed 22 May 2018].
opvizor. (2018). 4 Best Practices for Software Testing With VMware. [online] Available at: https://www.opvizor.com/4-best-practices-for-software-testing-with-vmware/ [Accessed 22 May 2018].
Softwaretestinghelp.com. (2018). How to Install and Use VMWare Virtual Machine in Software Testing — Software Testing Help. [online] Available at: https://www.softwaretestinghelp.com/how-to-install-and-use-vmware-virtual-machine-in-software-testing/ [Accessed 22 May 2018].
Symantec.com. (2018). Common Security Vulnerabilities in e-commerce Systems | Symantec Connect. [online] Available at: https://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems [Accessed 22 May 2018].
TechGenYZ. (2018). What is e-commerce and what are the major threats to e-commerce security? [online] Available at: https://www.techgenyz.com/2017/04/05/e-commerce-major-threats-e-commerce-security/ [Accessed 22 May 2018].
Getting, B. (2018). Protect Data From Cross-Site Scripting (XSS) Attacks | Practical Ecommerce. [online] Practical Ecommerce. Available at: https://www.practicalecommerce.com/Protect-Data-From-Cross-Site-Scripting-XSS-Attacks [Accessed 22 May 2018].
Pubs.vmware.com. (2018). VMware vSphere 5.1. [online] Available at: https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.powercli.cmdletref.doc%2FGet-ErrorReport.html [Accessed 22 May 2018].
eCommerce. (2013). Controlling, 25(6), pp.311-311.
Offutt, J. (2008). Editorial: Software testing is an elephant. Software Testing, Verification and Reliability, 18(4), pp.191-192.
Dekens, L. (2016). VMware vSphere PowerCLI Reference. Indianapolis: Sybex, a Wiley brand.
Mastering VMware vSphere 4. (2011). Sybex Inc.
Vranken, H. and Poll, E. (2015). Software security. Heerlen: Open Universiteit.
Smartbear.com. (2018). What is Service Virtualization? | SmartBear. [online] Available at: https://smartbear.com/learn/software-testing/what-is-service-virtualization/ [Accessed 22 May 2018].
Ixiacom.com. (2018). The Ixia Difference in Virtualization Testing | Ixia. [online] Available at: https://www.ixiacom.com/resources/ixia-difference-virtualization-testing [Accessed 22 May 2018].
Uky.edu. (2018). E-commerce securities. [online] Available at: http://www.uky.edu/~dsianita/390/390wk4.html [Accessed 22 May 2018].
Kauffman, R. and Tallon, P. (2014). Economics, Information Systems, and Electronic Commerce. Hoboken: Taylor and Francis.
Nahari, H. and Krutz, R. (2013). Web commerce security. Hoboken, N.J.: Wiley.
Halal, W. (2008). Technology's promise. Houndmills, Basingstoke, Hampshire [England]: Palgrave Macmillan.
Singh, N. (2016). A Survey of Threats to E-Commerce Applications. Research Journal of Science and Technology, 8(3), p.145.
Pandey, D. and Rastogi, A. (2010). A Critical Research on threats and security technology related to Payment System on E-commerce Network. International Journal of Computer Applications, 8(3), pp.11-14.
Chen, J., Schmidt, M., Phan, D. and Arnett, K. (2008). E-commerce security threats: awareness, trust and practice. International Journal of Information Systems and Change Management, 3(1), p.16.
Diez, H., Segura, Á., García-Alonso, A. and Oyarzun, D. (2016). 3D model management for e-commerce. Multimedia Tools and Applications, 76(20), pp.21011-21031.
Performance Testing: A Comparative Study and Analysis of Web Service Testing Tools. (2018). International Journal of Recent Trends in Engineering and Research, 4(3), pp.95-100.