Security Testing Definition, Focus Areas, Example, etc, …
Security Testing is a type of software testing that intends to uncover vulnerabilities of the system and determine that its data and resources are protected from possible intruders.
There are four main focus areas to be considered in security testing (Especially for web sites/applications):
- Network security: This involves looking for vulnerabilities in the network infrastructure (resources and policies).
- System software security: This involves assessing weaknesses in the various software (operating system, database system, and other software) the application depends on.
- Client-side application security: This deals with ensuring that the client (browser or any such tool) cannot be manipulated.
- Server-side application security: This involves making sure that the server code and its technologies are robust enough to fend off any intrusion.
EXAMPLE OF A BASIC SECURITY TEST
This is an example of a very basic security test which anyone can perform on a web site/application:
- Log into the web application.
- Log out of the web application.
- Click the BACK button of the browser (Check if you are asked to log in again or if you are provided the logged-in application.)
Most types of security testing involve complex steps and out-of-the-box thinking but, sometimes, it is simple tests like the one above that help expose the most severe security risks.
The Open Web Application Security Project (OWASP) is a great resource for software security professionals. Be sure to check out the Testing Guide: https://www.owasp.org/index.php/Category:OWASP_Testing_Project
OWASP Top 10 security threats for 2013 are:
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Known Vulnerable Components
- Unvalidated Redirects and Forwards
There is an infinite number of ways to break an application. And, security testing, by itself, is not the only (or the best) measure of how secure an application is. But, it is highly recommended that security testing is included as part of the standard software development process. After all, the world is teeming with hackers/pranksters and everyone wishes to be able to trust the system/software one produces or uses.