What is Security Testing?
Application security testing is done to ensure that the data in an application is protected and that its expected functionality is sustained.
Security testing ensures that the following properties of the data are maintained:
1) Authentication
2) Authorization
3) Availability
4) Confidentiality
5) Integrity
6) Non-repudiation
Security testing helps protect the system from external malware and other unexpected threats that may result in malfunction or exploitation of the application. These threats may be intentional or accidental. Security testing detects and analyses whether third-party requests are benign or harmful.
In this tutorial, you will learn:
- What is Security Testing?
- Types of Security Testing
- How to do Security Testing
- Example Test Scenarios for Security Testing
- Methodologies / Approaches / Techniques for Security Testing
- Security Testing Roles
- Security Testing Tool
- Myths and Facts of Security Testing
What are the types of Security Testing?
There are mainly seven types of security testing according to the Open Source Security Testing Methodology. They are listed below.
- Vulnerability Scanning: Automated software scans the complete application, matching it against known vulnerability signatures to find loopholes.
- Security Scanning: Security scanning checks both applications and networks. It can be done manually or with automation tools. After the scan, the threats found are analysed in detail and fixes are recommended.
- Penetration Testing: This testing investigates a system for security vulnerabilities by simulating an external hacking attempt.
- Risk Assessment: Risk assessment recommends measures and controls based on the risk found. Risk is classified as Low, Medium or High.
- Security Auditing: Internal inspection of applications and operating systems for security errors. An audit can be done through line-by-line code inspection.
- Ethical Hacking: Ethical hacking finds security errors by attempting to hack the system, with the owner's permission. The intent is to attack the application from within.
- Posture Assessment: A combination of security scanning, ethical hacking and risk assessment that indicates the overall security posture of an organisation.
How to do Security Testing
It is recommended to involve security testing in the early stages of the SDLC, since fixing security defects in later stages is expensive.
Let's look at the security activities to be carried out in each phase of the SDLC.
The test plan for Security Testing should include the following points:
- Security Test Scenarios
- Security Test Cases
- Test Data for Security Testing
- Testing Tools for Security Testing
Approach for security testing
Below are some of the cases of security testing:
- Passwords should be stored in encrypted form
- Unauthorised users should not be able to log in to the application
- Check the cookie and session time-out features of the application
- The browser Back button should be disabled
- Users should not be able to copy/paste sensitive data
- Users should not be able to access bookmarked web pages without logging in
- Users should not be able to download content without logging in to the application
- Previously visited pages should not be accessible after logout
- Source code should not be accessible to a user on right-click of the mouse
- Ensure that error messages do not contain information that a hacker could use to attack the web site.
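The session, logout, bookmark and error-message cases above can be automated as checks over the HTTP responses the application returns. The following is an added example, not code from the original article; the login path, the 30-minute timeout limit, the leak patterns and the two sample responses are all assumptions constructed for the example.

```python
import re
LOGIN_PATH = "/login"          # assumption: where unauthenticated requests are redirected
MAX_SESSION_SECONDS = 30 * 60  # assumption: the organisation's session-timeout limit
LEAK_PATTERNS = [r"Traceback \(most recent", r"\.java:\d+\)", r"ORA-\d{5}", r"SQL syntax"]  # constructed

def headers(resp, name):
    # All values of a header (case-insensitive); Set-Cookie can repeat.
    return [v for n, v in resp["headers"] if n.lower() == name.lower()]

def check_protected_page(resp):
    """Bookmarked page or download requested without login must not be served."""
    location = (headers(resp, "Location") or [""])[0]
    if resp["status"] == 200:
        return ["protected page served without login"]
    if 300 <= resp["status"] < 400 and not location.startswith(LOGIN_PATH):
        return ["redirect does not lead to the login page"]
    return []

def check_no_cache(resp):
    """Authenticated page must not be replayable with the Back button after logout."""
    cache = " ".join(headers(resp, "Cache-Control")).lower()
    return [] if "no-store" in cache else ["missing Cache-Control: no-store"]

def check_session_cookie(resp):
    """Session cookie must be HttpOnly, Secure and not outlive the timeout limit."""
    found = []
    for cookie in headers(resp, "Set-Cookie"):
        name, _, attrs = cookie.lower().partition("=")
        if "session" not in name:
            continue
        for attr in ("httponly", "secure"):
            if attr not in attrs:
                found.append("session cookie lacks " + attr)
        match = re.search(r"max-age=(\d+)", attrs)
        if match and int(match.group(1)) > MAX_SESSION_SECONDS:
            found.append("session timeout exceeds %d s" % MAX_SESSION_SECONDS)
    return found

def check_error_page(resp):
    """Error responses must not expose stack traces or server versions."""
    found = ["error body leaks: " + p for p in LEAK_PATTERNS if re.search(p, resp["body"])]
    if any(re.search(r"/\d", value) for value in headers(resp, "Server")):
        found.append("Server header discloses a version")
    return found
# Constructed sample responses, not captured from any real application.
WEAK = {"status": 200, "body": "Traceback (most recent call last):\n  File \"app.py\", line 12",
        "headers": [("Server", "Apache/2.4.41"), ("Set-Cookie", "sessionid=abc123; Path=/; Max-Age=86400")]}
HARDENED = {"status": 302, "body": "Something went wrong. Reference id: 7f3a",
            "headers": [("Location", "/login?next=/account"), ("Cache-Control", "no-store"),
                        ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; Max-Age=1200")]}
```

Run each check against the response captured for the matching scenario (for example `check_protected_page` against a bookmarked page fetched without a session); an empty list means the case passed.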
Following are the various approaches for security testing of an application:
- Tiger Box: This testing is performed on a laptop equipped with a collection of operating systems and hacking tools. It helps security testers perform vulnerability assessments and attacks.
- Black Box: Testers perform the testing on the network topology and technology.
- Grey Box: Incomplete information about the application is provided to the tester; it is a mixture of the white-box and black-box methodologies.
Security Testing Roles
- Hackers – someone who accesses a computer application or network without authorisation
- Crackers – someone who breaks into systems to misuse data
- Ethical Hacker – performs hacking activities on an application, but with permission from the owner
- Script Kiddies or packet monkeys – inexperienced hackers with programming-language skills
Security Testing Tool
W3af: A web application audit and attack framework, effective against over 200 vulnerabilities. The GUI of the tool provides expert tools that users can use to send an HTTP request and cluster HTTP responses. Output can be written to a console or a file, or sent via email.
Wireshark: Wireshark, previously known as Ethereal, is a network packet analyser. Network engineers use it to obtain detailed information about network protocols, decryption, packet contents and more. It is an open-source tool and runs on Linux, Windows, OS X, Solaris, etc.
Zed Attack Proxy (ZAP): OWASP developed it and made it available for Windows, Unix/Linux and Macintosh platforms. It is easy to use. It works as a scanner or as an intercepting proxy for manually testing a web page. Its important features are traditional and AJAX spiders, a fuzzer, WebSocket support and a REST-based API.
Conclusion:
Software testing tools are crucial to a company's business strategy. Security testing ensures that the application protects confidential data and keeps it safe. In it, testers work as attackers and probe the application to find security-related defects.
Security testing is very important to protect data by all means.