Security Testing

Security testing is one of the most important types of software testing; it is intended to find the vulnerabilities or weaknesses of a software application. The main objective of security testing is to find the vulnerabilities of a system and determine whether its data and resources are protected from possible intruders. Security testing lets us check whether confidential data actually stays confidential.

FOCUS AREAS:

There are four main focus areas to be considered in security testing (especially for web sites/applications):

Network security: This involves looking for vulnerabilities in the network infrastructure (resources and policies).

System software security: This involves assessing weaknesses in the various software (operating system, database system, and other software) the application depends on.

Client-side application security: This deals with ensuring that the client (browser or any such tool) cannot be manipulated.

Server-side application security: This involves making sure that the server code and its technologies are robust enough to fend off any intrusion.

EXAMPLE OF A BASIC SECURITY TEST

This is an example of a very basic security test which anyone can perform on a web site/application:

  • Log into the web application.
  • Log out of the web application.
  • Click the BACK button of the browser (check whether you are asked to log in again or whether you are shown the logged-in application).

Most types of security testing involve complex steps and out-of-the-box thinking, but sometimes it is simple tests like the one above that expose the most severe security risks.
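The three-step test above, as an added example that is not from the original post: a small constructed Python model of an application's session handling (a hypothetical `App` with `login`, `logout` and `dashboard`) and a `back_button_check` that walks through the steps and reports the two defects the BACK button can expose, a cacheable logged-in page and a session the server never invalidated.

```python
import secrets

class App:
    """Constructed stand-in for a web app's session handling (not a real framework)."""

    def __init__(self, invalidate_on_logout, no_store):
        self.sessions = {}  # server-side session store: token -> username
        self.invalidate_on_logout = invalidate_on_logout
        self.no_store = no_store

    def login(self, user, password):
        # Constructed credential check; a real app verifies a password hash.
        if password != "correct-horse":
            return None
        token = secrets.token_hex(16)  # the value that would be set as the session cookie
        self.sessions[token] = user
        return token

    def logout(self, token):
        # Weak variant only tells the browser to drop its cookie; the server keeps the session.
        if self.invalidate_on_logout:
            self.sessions.pop(token, None)

    def dashboard(self, token):
        """Returns (status, headers, body) the way an HTTP response would."""
        headers = {"Cache-Control": "no-store" if self.no_store else "private, max-age=600"}
        user = self.sessions.get(token)
        if user is None:
            headers["Location"] = "/login"
            return 302, headers, ""
        return 200, headers, "Welcome back, " + user


def back_button_check(app):
    """The three steps from the page: log in, log out, press BACK. Returns findings."""
    findings = []
    token = app.login("alice", "correct-horse")
    status, headers, _ = app.dashboard(token)
    assert status == 200, "login must succeed before the check means anything"
    # BACK may replay the page from the browser cache unless the server forbade storing it.
    if "no-store" not in headers.get("Cache-Control", ""):
        findings.append("logged-in page is cacheable: BACK can replay it from the browser cache")
    app.logout(token)
    # BACK also re-sends the old cookie if the browser still holds it; does the server accept it?
    status, _, _ = app.dashboard(token)
    if status == 200:
        findings.append("session still valid after logout: server did not invalidate it")
    return findings
```

Against a real application the same two checks are made by inspecting the `Cache-Control` header of the logged-in page and by replaying the pre-logout session cookie after logout.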

OWASP

The Open Web Application Security Project (OWASP) is a great resource for software security professionals. Be sure to check out the Testing Guide https://www.owasp.org/index.php/Category:OWASP_Testing_Project

The OWASP Top 10 security threats for 2017 are:

A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Broken Access Control
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Insufficient Attack Protection
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Underprotected APIs


There are infinitely many ways to break an application, and security testing by itself is not the only (or the best) measure of how secure an application is. Still, it is highly recommended that security testing be included as part of the standard software development process. After all, the world is teeming with hackers and pranksters, and everyone wants to be able to trust the systems and software they produce or use.

Security testing is the process of determining that an information system protects data and maintains functionality as intended. It is performed to check whether there is any information leakage; the protections considered include encrypting the application's data and using a wide range of software, hardware, firewalls, etc.

Software security is about making software behave correctly in the presence of a malicious attack. The six basic security concepts that security testing needs to cover are: confidentiality, integrity, authentication, availability, authorization and non-repudiation.
