t23 html5 security testing at spotify


Upload: techwellpresentations

Post on 01-Nov-2014


DESCRIPTION

HTML5 is one of the hottest technologies around right now because HTML5 apps are beautiful, engaging, and can perform important and entertaining functions. With the wide range of devices and platforms to support, the promise of multi-platform support is appealing. But HTML5 apps present their own range of security issues. So, what do you do about security? How do you test HTML5 applications to ensure their security? Alexander Andelkovic works at Spotify, where the streaming music player desktop client applications are all HTML5-based. Alexander explains how manual testers can get the most out of HTML5 app security testing, including testing the manifest of HTML5 apps. He covers these common security testing issues and more: cross-site scripting (script inclusion), privacy-related issues, data leakage, and permissions. Discover how, by being proactive, you can avoid having to search for security issues late in a development project.

TRANSCRIPT

Page 1: T23 HTML5 Security Testing at Spotify

T23 Security Testing

5/2/2013 3:00:00 PM

HTML5 Security Testing at Spotify

Presented by:

Alexander Andelkovic

Spotify

Brought to you by:

340 Corporate Way, Suite 300, Orange Park, FL 32073

888-268-8770 ∙ 904-278-0524 ∙ [email protected] ∙ www.sqe.com

Page 2: T23 HTML5 Security Testing at Spotify

Alexander Andelkovic

In the software industry for more than fifteen years, Alexander Andelkovic currently works for the Platform Partners team at Spotify in Stockholm as a team lead, responsible for the approval process for Spotify Apps. An exploratory tester, Alexander is a driving force for implementing agile model-based testing techniques and an ambassador for session-based test management (SBTM). Previously Alexander worked as a test leader in the mobile Internet business unit at Microsoft and as an exploratory tester in the med-tech industry with focus on implementing SBTM. He has been a speaker at international conferences including STAREAST, STARWEST, and iqnite Nordic.

Page 3: T23 HTML5 Security Testing at Spotify

4/16/2013

1

April 16, 2013

HTML5 Security Testing at Spotify

Alexander Andelkovic, Spotify

Agenda

- Introduction

- Background

- Approval process

- Security testing

- Summary

- Questions

Page 4: T23 HTML5 Security Testing at Spotify


Introduction – About me

- Lives in Stockholm, Sweden

- 15+ years testing experience

- Have a background in telecom and Med-Tech

- Test lead at Spotify

- Passionate about advanced test techniques

Background – Spotify Apps

- Apps (HTML5 & JS) integrated into the Spotify music client (C++)

- Launched 30 Nov 2011 (13 apps at launch, today over 100 apps)

- Different categories of apps (discovery, concert, review, social, lyrics)

- Manual QA process

Page 5: T23 HTML5 Security Testing at Spotify


Background – QA Challenges

- Spotify App = mini application

- Release high quality in no time

- Testing needs to scale over time (partners need to test)

- Stable test environment (new API, backend)

- Dependent on external development (partners)

Approval process - Introduction

- Steps that help partners "release" high quality apps

- Approval steps: Concept > Development > Release > Update

- Average app development time 3 months

- Approval team around 10-15 persons

Page 6: T23 HTML5 Security Testing at Spotify


Approval process - Team

- Product owners (prioritize tasks, final calls)

- QA (manual testers)

- Test automators (regression test)

- Designers (concept, prototype)

- Release manager (silent/big bang release)

Approval process - Partners

- One man shows

- Web developers

- App developers

- Inhouse development

Page 7: T23 HTML5 Security Testing at Spotify


Approval process - Security

- App security tests performed by security penetration testers

- All input paths need to be tested

- Are HTML5 and JavaScript apps a security risk?

- Partner homepages

Approval process - Checklist

- Approximately 50 test steps (manifest, navigation, performance, security etc.)

- Should be run through by the partner before app submission

- Security testing performed on first/last submissions to find vulnerabilities early/late

Page 8: T23 HTML5 Security Testing at Spotify


Approval process - Concept

- An app shall bring "valuable content" or something "unique" to the Spotify experience.

- A good concept will save development time

- Summary, mockups, wireframes, screenshots, alpha version

- How is the app going to be secured?

- No development should be started until the concept is approved

Approval process - Development

- App development can start after the concept is approved and the agreement is signed

- App should be submitted for approval when "production ready"

- QA gives thorough feedback on app quality and security

- An app is approved when "all" issues are resolved

Page 9: T23 HTML5 Security Testing at Spotify


Approval process - Release

- When an app is approved, a release date and market(s) are decided

- PR involved (internal, external)

- Release manager informs the partner when the app is live

- Live app needs to be maintained (API updates)

Approval process - Update

- Bugfixes, tweaks, small features

- Requires a new app submission

- App goes through the approval phase for Development again

- A "new" version is treated as a new app concept (approval phase Concept) and needs to be security tested again

Page 10: T23 HTML5 Security Testing at Spotify


Security testing – Permissions and the manifest

- The manifest is a JSON file included in every application

- The manifest declares what rights the application has (what web addresses it may contact and how much of the API it has the right to use)

- A 3rd party application may never have the private permission

- If "Required Permissions" is declared in the manifest, a wildcard is only allowed as a whole leading label of a domain:

"*.soundrop.com" is OK. "*soundrop.com" is NOT OK.

Unspecified wildcard domains are also not allowed, e.g. "http://*.*"
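The wildcard rule above, as an added example of a check a tester or partner could run over a manifest before submission. This is not code from the talk or from Spotify's approval tooling. The only key name taken from the slide is "RequiredPermissions"; the rest of the manifest layout, the "http://"-prefixed form of entries, and the requirement that a wildcard be followed by a registrable domain (at least two labels) are assumptions:

```javascript
"use strict";

// Constructed sample manifests (assumption: only the "RequiredPermissions" key is taken from
// the slide; "BundleIdentifier" and the scheme-prefixed entries are illustrative, not Spotify's schema).
const GOOD_MANIFEST = JSON.stringify({
  BundleIdentifier: "example-app",
  RequiredPermissions: ["http://*.soundrop.com", "https://api.example.com/v1/"],
});
const BAD_MANIFEST = JSON.stringify({
  BundleIdentifier: "example-app",
  RequiredPermissions: ["*soundrop.com", "http://*.*", "api.*.com"],
});

// Optional scheme, then the host, then anything after a "/", ":", "?" or "#".
const HOST_PATTERN = /^(?:https?:\/\/)?([^\/:?#]+)(?:[\/:?#].*)?$/i;

// Returns null when the entry is acceptable, otherwise a short reason for rejecting it.
function checkPermissionPattern(entry) {
  if (typeof entry !== "string") return "entry must be a string";
  const m = HOST_PATTERN.exec(entry.trim());
  if (m === null) return "entry is not a host or URL pattern";
  const labels = m[1].toLowerCase().split(".");
  if (labels.some((l) => l === "")) return "host contains an empty label";

  for (let i = 0; i < labels.length; i++) {
    if (!labels[i].includes("*")) continue;
    // "*soundrop.com": the wildcard must stand alone as a whole label.
    if (labels[i] !== "*") return `partial wildcard "${labels[i]}" is not allowed`;
    // "api.*.com" and the unspecified "http://*.*": only the leftmost label may be a wildcard.
    if (i !== 0) return "wildcard allowed only as the leftmost label";
  }
  // Assumption beyond the slide: "*" must be followed by a registrable domain ("*.soundrop.com"),
  // so a bare "*" or "*.com" is rejected as well.
  if (labels[0] === "*" && labels.length < 3) return "wildcard must be followed by a registrable domain";
  return null;
}

// Checks a manifest (JSON text) and returns a list of { entry, reason } problems; empty means OK.
function validateManifest(json) {
  let manifest;
  try {
    manifest = JSON.parse(json);
  } catch (e) {
    return [{ entry: null, reason: "manifest is not valid JSON" }];
  }
  if (manifest === null || typeof manifest !== "object" || Array.isArray(manifest)) {
    return [{ entry: null, reason: "manifest must be a JSON object" }];
  }
  // "Required Permissions" is optional per the slide; only validate it when declared.
  if (!Object.prototype.hasOwnProperty.call(manifest, "RequiredPermissions")) return [];
  const perms = manifest.RequiredPermissions;
  if (!Array.isArray(perms)) return [{ entry: null, reason: "RequiredPermissions must be an array" }];
  const problems = [];
  for (const entry of perms) {
    const reason = checkPermissionPattern(entry);
    if (reason !== null) problems.push({ entry, reason });
  }
  return problems;
}

console.log("good manifest:", JSON.stringify(validateManifest(GOOD_MANIFEST)));
console.log("bad manifest:", JSON.stringify(validateManifest(BAD_MANIFEST), null, 2));
```

Run it with node and the bad manifest reports all three entries with a reason each; the check is deliberately stricter than a "contains an asterisk" test, because the slide's point is that "*.soundrop.com" is fine while "*soundrop.com" and "http://*.*" are not.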

Security testing – Basic html

<html>

<body>

<script>alert(0);</script>

<!-- This is a comment. Below is an example text -->

<p>Example text</p>

</body>

</html>

Page 11: T23 HTML5 Security Testing at Spotify


Security testing – Script inclusion

- User-controlled input means security risks

- If entering "<script>alert(0);</script>" shows you a popup containing "0", the string is parsed as HTML = bad

- If entering "<!--this-->that" only shows you "that", the string is parsed as HTML = bad

- Try entering HTML into any and all input fields (search boxes etc.)

- Partners should use HTML escaping for the name and description of music stories instead of using strip_tags(), for security reasons.
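The two probes above, and the escaping-versus-stripping advice, as an added example that is not part of the talk and is not Spotify's or a partner's code. It models what the client would display with a few string functions (a real test reads element.textContent back inside the client), uses a regex stand-in for PHP's strip_tags(), and adds a third probe for the attribute context, which the slide does not mention:

```javascript
"use strict";

// The two probe strings from the talk, plus an attribute-context probe added here (not from the talk).
const PROBES = {
  script: "<script>alert(0);</script>",
  comment: "<!--this-->that",
  attribute: '" onmouseover="alert(0)', // contains no tag at all, so tag stripping never touches it
};

// Recommended: HTML-escape on output. Safe for element text and double-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Warned against: tag stripping. Regex stand-in for PHP's strip_tags() (assumption; PHP's is a state machine).
function stripTags(s) {
  return String(s).replace(/<[^>]*>/g, "");
}

// Two typical sinks for a music-story name in a partner app: element text and an attribute value.
const render = {
  textStripped: (name) => `<p>${stripTags(name)}</p>`,
  textEscaped: (name) => `<p>${escapeHtml(name)}</p>`,
  attrStripped: (name) => `<a title="${stripTags(name)}">story</a>`,
  attrEscaped: (name) => `<a title="${escapeHtml(name)}">story</a>`,
};

// Minimal model of what the client shows for a fragment: comments vanish, tags vanish, entities
// decode (&amp; last, as a browser does). A real tester reads element.textContent instead.
function decodeEntities(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}
function displayedText(html) {
  return decodeEntities(html.replace(/<!--[\s\S]*?-->/g, "").replace(/<[^>]*>/g, ""));
}
function titleAttribute(html) {
  const m = /title="([^"]*)"/.exec(html);
  return m === null ? null : decodeEntities(m[1]);
}

// The talk's test, automated: the text (or attribute value) that comes back must equal what went in.
// "<!--this-->that" coming back as "that" is exactly the failure the slide describes.
function roundTripFails(sink, probe) {
  const out = render[sink](probe);
  const seen = sink.startsWith("text") ? displayedText(out) : titleAttribute(out);
  return seen !== probe;
}

// Attribute names of the first tag in a fragment. Quoted values are consumed whole, so text
// inside a quoted value is not mistaken for an attribute (a ">" inside a quoted value is not handled).
function injectedAttributes(html) {
  const tag = /<[a-zA-Z][^>]*>/.exec(html);
  if (tag === null) return [];
  const names = [];
  const re = /\s([a-zA-Z][\w-]*)(?:=(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  let m;
  while ((m = re.exec(tag[0])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// One row per probe: which sinks fail the round trip (true = bad).
function probeReport() {
  const report = {};
  for (const [name, probe] of Object.entries(PROBES)) {
    report[name] = {};
    for (const sink of Object.keys(render)) report[name][sink] = roundTripFails(sink, probe);
  }
  return report;
}

console.log(JSON.stringify(probeReport(), null, 2));
console.log("attributes after stripping:", injectedAttributes(render.attrStripped(PROBES.attribute)));
```

Every stripped sink fails the round trip (the comment probe comes back as "that", just as on the slide), every escaped sink passes, and the attribute probe shows why stripping is the wrong tool: it removes nothing from `" onmouseover="alert(0)`, so the stripped attribute sink grows an onmouseover handler while the escaped one keeps the text inside the title value.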

Security testing – Privacy and prevention of data leakage

- 3rd parties may never find out who the user is, except if the user authenticates

- 3rd parties should only transmit information to their backend that is needed for the intended operation

- Performed by penetration testers

Page 12: T23 HTML5 Security Testing at Spotify


Summary

- App security needs to be addressed during the whole app lifecycle

- Challenge to "trust" external parties

- An app is only as secure as its weakest link

- Security test early and late

Questions

[email protected]

Page 13: T23 HTML5 Security Testing at Spotify


Thank you!