A complete overview of security testing
What is security testing?
Security testing assesses a system's vulnerability to threats directly linked to a company's security policies.
Security testing of any system focuses on finding all possible breaches and weaknesses that can result in loss of information or of the organization's reputation.
Requirement of Security Testing
Failures in the security of an organization’s information systems can lead to problems like:
- Loss of image and reputation of the company
- Drop in the confidence of the products offered
- Reduced profits
- Losses that often run into the millions
Due to the lack of proper security testing, many companies have faced a huge loss.
So, here are some examples of data leakage in recent years that ended up bringing loss to these companies and impacting their users.
Five Russian hackers and one Ukrainian broke into systems tied to the US stock market. The gang stole more than $160 million through credit and debit cards from almost 800,000 separate accounts.
The attack, carried out by compromising servers used by Nasdaq, hit banks, store chains, and payment companies. It also illustrates how long an intrusion can go undetected: it lasted several years, between 2005 and 2012!
A company was hacked in 2013 and the data of more than 38 million users was leaked, including logins, passwords and, in some cases, credit cards. Fortunately, that company had encrypted the information.
Sony – PlayStation
In 2011, the online network was out of service for more than 40 days after an attack on PS Network servers affecting almost 77 million users.
Some speculations were made that even information such as logins, passwords and even credit card numbers were exposed.
To apologize to the players, Sony presented them with movies, games, and other items, but apparently this could not calm their spirits at that time.
What is the purpose of security testing?
The following are the reasons why security testing is very important for an organisation:
- It identifies threats in the system;
- It measures possible system vulnerabilities;
- It helps detect all possible security risks in the system;
- It helps developers fix security issues in code.
How do security tests fit into the organization?
The objectives of a security test are based on security risks, and a security risk assessment helps identify those risks. They are usually calculated based on:
- Adverse impacts that would occur if the circumstance or event occurs;
- Probability of occurrence.
These factors help in identifying which areas are really affected and what is the impact of each risk.
For testers, this assessment is very important because it helps in planning test cases and prioritizing them. So, the risk assessment ends up strengthening the alignment of the tests with the company's security objectives.
It is important to keep in mind that these assessments must be carried out constantly because security risks continually change within an organization as new threats arise daily.
Examples of Basic Security Tests
- Logging in to an application;
- Logging out of an application;
- Pressing the back button in the browser.
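The three basic tests above (log in, log out, then use the browser's back button) boil down to checking the session lifecycle: bad credentials are rejected, a session token stops working the moment the user logs out, a protected page is marked so the browser will not serve it from cache, and logging in again yields a fresh token. The following is an added example, not code from the original article; it uses a constructed in-memory application (`WebApp`, `USERS`, a static salt) purely to show what such a test asserts.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: PBKDF2 hash of the password, never the password itself.
# A real system uses a random per-user salt; the static salt here is only for the demo.
_SALT = b"constructed-static-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse battery staple")}


class WebApp:
    """Minimal stand-in for a web application's login, logout and one protected page."""

    def __init__(self):
        self.sessions = {}  # session token -> username

    def login(self, username: str, password: str):
        stored = USERS.get(username)
        # compare_digest avoids leaking which bytes of the hash differed
        if stored is None or not hmac.compare_digest(stored, _hash(password)):
            return None
        token = secrets.token_urlsafe(32)  # unpredictable, fresh per login
        self.sessions[token] = username
        return token

    def logout(self, token: str) -> None:
        # Server-side invalidation: the token must be useless after this call
        self.sessions.pop(token, None)

    def get_profile(self, token: str) -> dict:
        user = self.sessions.get(token)
        if user is None:
            return {"status": 401, "headers": {}, "body": ""}
        # no-store tells the browser not to cache the page, so "back" after logout
        # cannot redisplay it from cache
        return {"status": 200,
                "headers": {"Cache-Control": "no-store"},
                "body": f"profile of {user}"}


def run_basic_security_tests() -> dict:
    """Runs the login / logout / back-button checks and returns each outcome by name."""
    app = WebApp()
    results = {}
    results["wrong_password_rejected"] = app.login("alice", "wrong") is None
    results["unknown_user_rejected"] = app.login("mallory", "anything") is None

    token = app.login("alice", "correct horse battery staple")
    results["login_succeeds"] = token is not None

    resp = app.get_profile(token)
    results["protected_page_served"] = resp["status"] == 200
    results["no_store_header"] = resp["headers"].get("Cache-Control") == "no-store"

    app.logout(token)
    # The "back button" test: the old token must be rejected, not silently accepted
    results["token_dead_after_logout"] = app.get_profile(token)["status"] == 401

    token2 = app.login("alice", "correct horse battery staple")
    results["fresh_token_on_relogin"] = token2 is not None and token2 != token
    return results


if __name__ == "__main__":
    for name, ok in run_basic_security_tests().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Each entry in the returned dictionary corresponds to one of the basic tests; a failing `token_dead_after_logout` is the classic sign that logout only cleared the browser cookie and left the server-side session alive.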
Types of Security Tests
The following are the types of security tests that companies need to perform:
- Vulnerability Scanning
- Security Scanning
- Penetration testing
- Risk Assessment
- Security Auditing
- Posture testing
- Ethical hacking
Security Testing Mechanisms
Security mechanisms are very important. Therefore, proper testing must be done to check whether each mechanism is correctly implemented. Below are the security testing mechanisms:
- Authentication and authorization
An organization's sensitive assets have to be protected and made accessible only to authorized people.
- Encryption
Encryption is a process of encoding data or plain text into cipher text (encrypted text), so that only authorized people can read it back using a decryption mechanism.
- Firewalls and network zones
A firewall is a component, or a set of components, that restricts traffic between a protected network and the Internet, or between other sets of networks.
- Intrusion detection
An Intrusion Detection System (IDS) is a system (a standalone device or an application) that monitors activity at different levels (from the network layer to the application layer, across the 7 layers of the OSI model) to detect security policy violations.
- Malware scanning
Malware scanning uses anti-malware software to analyze, detect and remove malicious code from different sources, with different detection targets.
- Data masking
Data masking is a mechanism for making data and source code incomprehensible to a human being.
Humans are often the weakest link in the overall security framework. Therefore, consistent and ongoing training is required to remind them of the importance of the established security policies and to emphasize why those policies are needed.
Major attacks on applications
- Cross-Site Scripting (XSS)
- SQL Injection (SQLi)
- Path Traversal
- Local File Inclusion (LFI)
- Distributed Denial of Service (DDoS)
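Two of the attacks in the list, SQL injection and path traversal, share the same root cause: untrusted input is allowed to change the meaning of a query or a file path. The following is an added example, not code from the original article; it shows each vulnerable pattern beside its hardened form, using a constructed in-memory SQLite table and a throwaway directory tree so that a test can confirm the hardened version rejects what the vulnerable one accepts.

```python
import sqlite3
import tempfile
from pathlib import Path


# --- SQL injection ---------------------------------------------------------

def make_db() -> sqlite3.Connection:
    """Constructed sample table; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_email_vulnerable(conn, name: str) -> list:
    # BAD: the input becomes part of the SQL text, so a quote in it rewrites the query
    rows = conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_email_safe(conn, name: str) -> list:
    # GOOD: parameter binding keeps the value outside the SQL grammar
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# --- Path traversal --------------------------------------------------------

def read_file_vulnerable(base_dir, user_path: str) -> str:
    # BAD: joining and opening directly lets "../" walk out of base_dir
    return Path(base_dir, user_path).read_text()


def resolve_within(base_dir, user_path: str) -> Path:
    """Resolves user_path under base_dir and refuses anything that escapes it."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise PermissionError("path escapes base directory")
    return target


def read_file_safe(base_dir, user_path: str) -> str:
    # GOOD: canonicalize first, then check containment, then open
    return resolve_within(base_dir, user_path).read_text()


def traversal_demo() -> dict:
    """Builds a throwaway tree (public/hello.txt inside, secret.txt outside) and records both behaviours."""
    root = Path(tempfile.mkdtemp())
    base = root / "public"
    base.mkdir()
    (base / "hello.txt").write_text("hello")
    (root / "secret.txt").write_text("constructed secret")
    result = {"safe_reads_allowed_file": read_file_safe(base, "hello.txt"),
              "vulnerable_escapes": read_file_vulnerable(base, "../secret.txt")}
    try:
        read_file_safe(base, "../secret.txt")
        result["safe_blocks_escape"] = False
    except PermissionError:
        result["safe_blocks_escape"] = True
    return result


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable query returned", len(lookup_email_vulnerable(db, probe)), "rows")
    print("safe query returned", len(lookup_email_safe(db, probe)), "rows")
    print(traversal_demo())
```

The test for such code is the same in both cases: feed the hardened function the input that broke the vulnerable one and assert that it returns nothing (or raises), and also assert that ordinary input still works, since a fix that blocks legitimate requests will be removed by the next developer.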
It is worth noting that security testing does not guarantee that every type of attack on the system will be prevented; it identifies risks and assesses the quality of the existing defences.
As with the whole software testing process, it is important to define the security needs and requirements, express them in the model and implement them in code.
Security testing is a way to measure the security of an application and it is very important in software engineering to protect data by all means.