What is Security?
Security is a set of measures that protect an application against unforeseen actions that would cause it to stop functioning or allow it to be exploited. Unforeseen actions can be either intentional or unintentional.
What is Security Testing?
“Security Testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing security testing is not an indication that no flaws exist or that the system adequately satisfies the security requirements.” – Wikipedia
The objective is to measure the level of security of websites and attempt to uncover vulnerabilities that can potentially result in reputational damage, intellectual property loss, loss of sensitive information and loss of integrity of the systems.
Most of the time the primary objective of such a test is to uncover vulnerabilities and confirm them; it does not always exploit a vulnerability to its fullest potential, since exploiting certain vulnerabilities could cause real damage to the server.
There are four main focus areas to be considered in security testing (especially for web sites and applications):
- Network security: This involves looking for vulnerabilities in the network infrastructure (resources and policies).
- System software security: This involves assessing weaknesses in the various software (operating system, database system, and other software) the application depends on.
- Client-side application security: This deals with ensuring that the client (browser or any such tool) cannot be manipulated.
- Server-side application security: This involves making sure that the server code and its technologies are robust enough to fend off any intrusion.
The Open Web Application Security Project (OWASP) is a great resource for software security professionals. Be sure to check out the Testing Guide: https://www.owasp.org/index.php/Category:OWASP_Testing_Project
OWASP Top 10 security threats for 2017 are:
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Broken Access Control
- Security Misconfiguration
- Sensitive Data Exposure
- Insufficient Attack Protection
- Cross-Site Request Forgery (CSRF)
- Using Known Vulnerable Components
- Underprotected APIs
Types of Security Testing
There are seven main types of security testing according to the Open Source Security Testing Methodology Manual (OSSTMM). They are explained as follows:
- Vulnerability Scanning: This is done through automated software to scan a system against known vulnerability signatures.
- Security Scanning: This involves identifying network and system weaknesses and then providing solutions for reducing those risks. It can be performed manually or with automated tools.
- Penetration testing: This kind of testing simulates an attack by a malicious hacker. It involves analysis of a particular system to check for vulnerabilities that an external attacker could exploit.
- Risk Assessment: This testing involves analysis of security risks observed in the organization. Risks are classified as Low, Medium and High. This testing recommends controls and measures to reduce the risk.
- Security Auditing: This is an internal inspection of applications and operating systems for security flaws. An audit can also be done via line-by-line inspection of code.
- Ethical hacking: This is hacking an organization's software systems. Unlike malicious hackers, who steal for their own gain, the ethical hacker's intent is to expose security flaws in the system.
- Posture Assessment: This combines Security scanning, Ethical Hacking and Risk Assessments to show an overall security posture of an organization.
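The "Vulnerability Scanning" type above (matching a system against known vulnerability signatures) and the "Using Known Vulnerable Components" entry in the OWASP list both come down to the same mechanical check: compare an inventory of installed components against a database of affected version ranges. The following added example (not code from the original page or from OSSTMM/OWASP) shows that check in Python. The advisory identifiers, component names and versions are constructed placeholders, and versions are assumed to be plain dotted numerics; note that versions are compared numerically rather than as strings, so "1.10.0" correctly sorts after "1.9.0".

```python
"""Minimal known-vulnerable-component check.

Added example; the signature database and inventory below are constructed,
and the ADVISORY-000x identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.

    Assumes plain dotted numeric versions (no 'rc1' / '-beta' suffixes).
    """
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Signature:
    advisory: str      # placeholder identifier (constructed)
    component: str     # component the advisory applies to
    min_affected: str  # first affected version (inclusive)
    fixed_in: str      # first version no longer affected (exclusive)
    severity: str      # "High", "Medium" or "Low", as in the Risk Assessment text


def is_affected(sig: Signature, version: str) -> bool:
    """True if `version` lies in [min_affected, fixed_in)."""
    v = parse_version(version)
    return parse_version(sig.min_affected) <= v < parse_version(sig.fixed_in)


def scan(inventory: dict, signatures: list) -> list:
    """Match every signature against the inventory.

    inventory maps component name -> installed version string.
    Returns findings sorted by severity (High first), then component name.
    """
    order = {"High": 0, "Medium": 1, "Low": 2}
    findings = []
    for sig in signatures:
        version = inventory.get(sig.component)
        if version is not None and is_affected(sig, version):
            findings.append({
                "component": sig.component,
                "version": version,
                "advisory": sig.advisory,
                "severity": sig.severity,
                "upgrade_to": sig.fixed_in,
            })
    return sorted(findings, key=lambda f: (order[f["severity"]], f["component"]))


# Constructed signature database (placeholder advisory IDs, not real ones).
SIGNATURES = [
    Signature("ADVISORY-0001", "examplelib", "1.0.0", "1.4.2", "High"),
    Signature("ADVISORY-0002", "examplelib", "2.0.0", "2.0.5", "Medium"),
    Signature("ADVISORY-0003", "otherlib", "3.1.0", "3.2.0", "Low"),
]

# Constructed inventory: component name -> installed version.
INVENTORY = {"examplelib": "1.3.9", "otherlib": "3.2.0", "thirdlib": "0.9"}


if __name__ == "__main__":
    for f in scan(INVENTORY, SIGNATURES):
        print(f"{f['severity']:6} {f['component']} {f['version']} "
              f"-> {f['advisory']} (upgrade to {f['upgrade_to']})")
```

Running the block reports only examplelib 1.3.9, because otherlib 3.2.0 is exactly the fixed version and the range is exclusive at the upper end. A real scanner differs mainly in scale (signature feeds, richer version grammars, transitive dependencies), not in this core comparison.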
Here is an example of an approach to security testing of web applications.
Why is it important?
These are some of the most common responses we hear when asking small to medium size business owners what they have done to secure their company web sites. So why is web application security testing important? Think of web application security testing as any other type of preventative maintenance in your life, such as your annual trip to the doctor's office or a routine car checkup. You are paying experts to find SMALL issues now before they become LARGER, more EXPENSIVE problems for you later. Web application security testing should be thought of in the same manner, as an investment, and a good one at that.
Integration of security processes with the SDLC:
It is generally agreed that the cost is higher if security testing is postponed until after the implementation phase or after deployment. So it is necessary to include security testing in the earlier phases of the SDLC.
Let's look at the corresponding security processes to be adopted for each phase of the SDLC:
| SDLC Phase | Security Processes |
|---|---|
| Requirements | Security analysis of requirements; check abuse/misuse cases |
| Design | Security risk analysis of the design; development of a test plan including security tests |
| Coding and Unit Testing | Static and dynamic testing; security white-box testing |
| Integration Testing | Black-box testing |
| System Testing | Black-box testing and vulnerability scanning |
| Implementation | Penetration testing, vulnerability scanning |
| Support | Impact analysis of patches |
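The table's first and third rows connect directly: abuse/misuse cases written down in the Requirements phase become security white-box unit tests in the Coding and Unit Testing phase. The following added example (not code from the original page) shows that link in Python for one constructed function, a helper that maps a user-supplied file name onto a fixed base directory. The function, the base directory and the abuse cases are all assumptions made for the example; the abuse cases are exactly the kind of "what must this never do" statements a requirements review produces, and each one is turned into a test that would fail if the function regressed.

```python
"""Abuse-case driven security unit tests for one constructed function.

Added example. resolve_user_file(), the base directory and the abuse-case
list are constructed for illustration; they are not from the original page.
"""
import posixpath
import unittest


def resolve_user_file(base_dir: str, requested: str) -> str:
    """Map a user-supplied file name onto base_dir, refusing anything that
    would escape it.

    Returns the normalized absolute path, or raises ValueError. Paths are
    handled as POSIX paths (posixpath) so behaviour is the same on any OS.
    """
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing name")
    root = posixpath.normpath(base_dir)
    # Normalize so '.' and '..' segments are resolved before the check;
    # posixpath.join() discards base_dir if `requested` is absolute, which
    # the prefix check below then catches.
    candidate = posixpath.normpath(posixpath.join(base_dir, requested))
    # Compare against root + "/" so a sibling directory that merely shares
    # the prefix (e.g. /srv/uploads-old) is not mistaken for a child.
    if not candidate.startswith(root + "/"):
        raise ValueError("path escapes base directory")
    return candidate


# Constructed abuse/misuse cases, as they would be written in the
# Requirements phase: each is an input the function must reject.
BASE = "/srv/uploads"
ABUSE_CASES = [
    "../../etc/passwd",       # classic parent-directory traversal
    "/etc/passwd",            # absolute path replaces the base directory
    "../uploads-old/x.txt",   # sibling directory sharing the name prefix
    "",                       # empty name
    "a\x00b",                 # embedded NUL byte
    ".",                      # resolves to the base directory itself
    "subdir/..",              # also resolves to the base directory
]

# Constructed legitimate inputs that must keep working.
VALID_CASES = {
    "report.pdf": "/srv/uploads/report.pdf",
    "docs/../report.pdf": "/srv/uploads/report.pdf",
    "2017/q3/summary.txt": "/srv/uploads/2017/q3/summary.txt",
}


class ResolveUserFileSecurityTests(unittest.TestCase):
    """White-box tests derived one-to-one from the abuse cases above."""

    def test_abuse_cases_are_rejected(self):
        for bad in ABUSE_CASES:
            with self.subTest(requested=bad):
                with self.assertRaises(ValueError):
                    resolve_user_file(BASE, bad)

    def test_valid_cases_resolve_inside_base(self):
        for requested, expected in VALID_CASES.items():
            with self.subTest(requested=requested):
                self.assertEqual(resolve_user_file(BASE, requested), expected)


if __name__ == "__main__":
    unittest.main()
```

Run it with `python -m unittest <file>`; because the abuse cases live in a list, adding a newly discovered misuse case is a one-line change and the test immediately documents which requirement it enforces.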
There is an infinite number of ways to break an application, and security testing, by itself, is not the only (or the best) measure of how secure an application is. But it is highly recommended that security testing be included as part of the standard software development process. After all, the world is teeming with hackers and pranksters, and everyone wishes to be able to trust the systems and software they produce or use.