T23 HTML5 Security Testing at Spotify
-
Upload
techwellpresentations -
Category
Technology
-
view
154 -
download
0
description
Transcript of T23 HTML5 Security Testing at Spotify
T23 Security Testing
5/2/2013 3:00:00 PM
HTML5 Security Testing at Spotify
Presented by:
Alexander Andelkovic
Spotify
Brought to you by:
340 Corporate Way, Suite 300, Orange Park, FL 32073
888-268-8770 ∙ 904-278-0524 ∙ [email protected] ∙ www.sqe.com
Alexander Andelkovic
In the software industry for more than fifteen years, Alexander Andelkovic currently works for the Platform Partners team at Spotify in Stockholm as a team lead, responsible for the approval process for Spotify Apps. An exploratory tester, Alexander is a driving force for implementing agile model-based testing techniques and an ambassador for session-based test management (SBTM). Previously Alexander worked as a test leader in the mobile Internet business unit at Microsoft and as an exploratory tester in the med-tech industry with focus on implementing SBTM. He has been a speaker at international conferences including STAREAST, STARWEST, and iqnite Nordic.
4/16/2013
1
April 16, 2013
HTML5 Security Testing at Spotify
Alexander Andelkovic, Spotify
AgendaIntroduction
Background
Approval process
Security testing
Summary
Questions
4/16/2013
2
Introduction – About me
- Lives in Stockholm, Sweden
- 15+ years testing experience
- Have a background in telecom and Med-Tech
- Test lead at Spotify
- Passionate about advanced test techniques
Background – Spotify Apps
- Apps(HTML5 & JS) integrated into Spotify music client(C++)
- Launched 30 Nov 2011 (at launch13 apps, today over 100
apps)
- Different categories of apps (discovery, concert, review,
social, lyrics)
- Manual QA process
4/16/2013
3
Background – QA Challenges- Spotify App = mini application
- Release high quality in no time
- Testing needs to scale over time(partners need to test)
- Stable test environment(new API, backend)
- Dependant on external development(partners)
Approval process - Introduction
- Steps that help partners ”release” high quality apps
- Approval steps: Concept > Development > Release > Update
- Average app development time 3 months
- Approval team around 10-15 persons
4/16/2013
4
Approval process - TeamApproval process - Team
- Product owners(prioritize tasks, final calls)
- QA(manual testers)
- Test automators(regression test)
- Designers(concept, prototype)
- Release manager(silent/big bang release)
- Product owners(prioritize tasks, final calls)
- QA(manual testers)
- Test automators(regression test)
- Designers(concept, prototype)
- Release manager(silent/big bang release)
Approval process - Partners
- One man shows
- Web developers
- App developers
- Inhouse development
4/16/2013
5
Approval process - Security
- App security tests performed by Security
Penetration Testers
- All ways of input needs to be tested
- Are HTML5 and javascript apps a security risk?
- Partner homepages
Approval process - Checklist- Approximately 50 teststeps(manifest, navigation, performance,
security etc..)
- Should be run through by partner before app submission
- Security testing performed on first/last submissions to find
vulnerabilities early/late
- Approximately 50 teststeps(manifest, navigation, performance,
security etc..)
- Should be run through by partner before app submission
- Security testing performed on first/last submissions to find
vulnerabilities early/late
4/16/2013
6
Approval process - Concept- An app shall bring ‘valuable content’ or something ‘unique’ to
the Spotify experience.
- A good concept will save development time
- Summary, Mockups, Wireframes, Screenshots, Alpha version
- How are the app going to be secured
- No development should be started until concept is approved
Approval process - Development
- App development can start after concept approved and agreement
signed
- App should be submited for approval when ”production ready”
- QA gives thorough feedback on app quality and security
- An app is approved when ”all” issues are resolved
- App development can start after concept approved and agreement
signed
- App should be submited for approval when ”production ready”
- QA gives thorough feedback on app quality and security
- An app is approved when ”all” issues are resolved
4/16/2013
7
Approval process - Release
- When an app is approved a release date and market(s) are decided
- PR involved(internal, external)
- Release manager inform partner when app is live
- Live app needs to be maintained(api updates)
- When an app is approved a release date and market(s) are decided
- PR involved(internal, external)
- Release manager inform partner when app is live
- Live app needs to be maintained(api updates)
Approval process - UpdateApproval process - Update
- Bugfixes, tweaks, small features
- Requires new App Submission
- App goes through the approval phase for Development again
- ”New” version treated as a new app concept(approval phase concept)
and needs to be security tested again
- Bugfixes, tweaks, small features
- Requires new App Submission
- App goes through the approval phase for Development again
- ”New” version treated as a new app concept(approval phase concept)
and needs to be security tested again
4/16/2013
8
Security testing – Permissions and the manifest
- The manifest is a JSON file included in every application
- The manifest declares what rights the application have (what web
addresses it may contact and how much of the api it has right to use)
- A 3rd party application may never have the private permission
- If “Required Permissions” is declared in manifest, it cannot contain
wildcard domains:
"*.soundrop.com" is OK. "*soundrop.com" is NOT OK.
UNSPECIFIED WILDCARD domains is also not allowed, e.g. "http://*.*"
Security testing – Basic html
<html>
<body>
<script>alert(0);</script>
<!-- This is a comment. Below is an example text -->
<p>Example text</p>
</body>
</html>
4/16/2013
9
Security testing – Script inclusion
- User-controlled input means security risks
- If entering "<script>alert(0);</script>" shows you a popup containing "0" the string is
parsed as HTML = bad
- Try entering HTML into any and all input fields (search-boxes etc.)
If entering "<!--this-->that" only shows you "that" means the string is parsed as HTML = bad
Partner should use html-escaping for the name and description for music stories instead of
using strip_tags() for security reasons.
Security testing – Privacy and prevention of data-leakage
- 3rd parties may never find out who the user is, except if the user
authenticates
- 3rd parties should only transmit information to its backend that
is needed for intended operation
- Performed by penetration testers
4/16/2013
10
Summary
- App security needs to be addressed during whole app lifecycle
- Challenge to ”trust” external parties
- App security is as secure as it’s weakest link
- Security test early and late
QuestionsQuestions
[email protected]@spotify.com
4/16/2013
11
April 16, 2013
Thank you!