What is security testing?

Security testing is a variant of different types of testing methods and approaches where testing is carried out just to ensure that the product, application or the system under test doesn’t have security related loopholes which might result into loss of valuable information in the hands of those unauthorized. This would cause a serious threat to the organizations. It can also be referred to as Penetration testing at times, The objective or the main purpose of penetration testing is to be able to dig out system level vulnerabilities or loopholes in networks, applications, and operating platforms that could potentially be barged in by unauthorized identities causing serious amount of destruction. Due to the increasing pace of change in most enterprise IT environments, as well as the rising complexity of most infrastructure, the chances of configuration issues and less-than-adequate security controls being implemented increases significantly. Performing this type of testing can be a useful way to learn and understand with a higher degree of certainty that flaws really do exist. However, in order to effectively find these issues before attackers, the testing regimen you put together needs to be focused on consistent, repeatable testing.

Why security testing?

To ensure that there is no unauthorized, unwanted intrusion in your product, application or the system. Many times it does happen that people who shouldn’t have access to the system, product or application try to barge in which can cause a serious threat to the system, product or application.

Frequency of performing security tests

Security tests must be performed at regular intervals. If you are following an agile –scrum methodology then try doing that at the closure of each sprint or completion of the user stories in that sprint. Doing/performing security tests at regular intervals would help you understand the vulnerabilities at an earlier stage than waiting so time for a fallback if any would reduce if you were to do at a later stage; it’s advisable to conduct this activity/exercise at regular intervals so that if there are any hitches /loopholes in the system you have time to correct those.

What could be the contents of security testing test plan?

A security testing test plan could contain following sections:

  • In scope
  • Out of scope
  • Tools used
  • Areas under a system/application/product put under test
  • Resources
  • Timelines
  • Test suites/test scenarios at high level
  • Environments and Platform targeted for the activity
  • Entry and Exit criteria etc.

Aspects to be considered while doing security testing

  • Vulnerability: It’s a drawback or loophole in the system, product or application. The reason for this could be defects or bugs in the system, product or application, an injection (SQL/ script code) or the presence of viruses.
  • URL manipulation: Some web applications have additional information traffic between the client and the server in the URL. Manipulating some information in the URL may sometimes lead to unexpected behavior by the server.
  • SQL injection: It’s the method of injecting SQL statements through the web application user interface into some query that is then executed by the server.
  • Cross site scripting: It is also known as XSS. In this method the user can insert HTML/ client-side script in the user interface of a web application and this insertion is visible to other users, it is called XSS.
  • Spoofing: The development of hoax look-alike websites or emails is called spoofing.

What could be the possible best practices?

  • Have passwords or sensitive information in encrypted format over HTTPs layer.
  • Ensure that when the user clicks on Back and forward buttons of the browser, does not break secure login.
  • Unauthorized user is unable to have access to your pages.

Possible tools that could help do perform security tests

  • Nmap (Network Mapper) is an open source scanner for network discovery and security auditing. Nmap uses raw IP packets to determine available hosts on the network, what services (app name, version) those hosts are offering, what operating systems and OS versions they are running on, what type of packet filters/firewalls are in use, and other such characteristics.
  • The Social-Engineer Toolkit (SET) is an open source tool and the concept that it is based on is that attacks are targeted at the human element than on the system element. It enables you to send emails, java applets etc. containing the attack code.
  • Vega is a GUI-based, multi-platform and open source web security tool which is used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in web applications. Vega also includes an intercepting proxy for interactive web application debugging. Vega attack modules are written in JavaScript; users can easily modify them or write their own.
  • Wapiti is an open source and web-based tool that scans the web pages of the deployed web applications, looking for scripts and forms where it can inject data. It is built with Python and can detect File handling errors, Database, XSS, LDAP and CRLF injections, Command execution detection.

[Tweet “Security #Testing – Considerations, Best Practices & Tools ~ via @CalsoftInc”]