SECURITY TESTING is a type of software testing that intends to uncover vulnerabilities of the system and determine that its data and resources are protected from possible intruders.
There are four main focus areas to be considered in security testing (Especially for web sites/applications):
- Network security: This involves looking for vulnerabilities in the network infrastructure (resources and policies).
- System software security: This involves assessing weaknesses in the various software (operating system, database system, and other software) the application depends on.
- Client-side application security: This deals with ensuring that the client (browser or any such tool) cannot be manipulated.
- Server-side application security: This involves making sure that the server code and its technologies are robust enough to fend off any intrusion.
This is an example of a very basic security test which anyone can perform on a web site/application:
- Log into the web application.
- Log out of the web application.
- Click the BACK button of the browser (Check if you are asked to log in again or if you are provided the logged-in application.)
Most types of security testing involve complex steps and out-of-the-box thinking but, sometimes, it is simple tests like the one above that help expose the most severe security risks.
The Open Web Application Security Project (OWASP) is a great resource for software security professionals. Be sure to check out the Testing Guide: https://www.owasp.org/index.php/Category:OWASP_Testing_Project
There is an infinite number of ways to break an application. And, security testing, by itself, is not the only (or the best) measure of how secure an application is. But, it is highly recommended that security testing is included as part of the standard software development process. After all, the world is teeming with hackers/pranksters and everyone wishes to be able to trust the system/software one produces or uses.