Security Testing Tutorial | Software Testing Material

In this Security Testing Tutorial, we are going to learn the following

Security Testing Tutorial

What is Security Testing?

Security testing is a process to determine whether the system protects data and maintains functionality as intended.

Security testing aims to find out all possible loopholes and weaknesses of the system in the starting stage itself to avoid inconsistent system performance, unexpected breakdown, loss of information, loss of revenue, loss of customer’s trust.

It comes under Non-functional Testing.

We can do security testing using both manual and automated security testing tools and techniques. Security testing reviews the existing system to find vulnerabilities.

Most of the companies perform security testing on newly deployed or developed software, hardware, and network or information system environment. But it’s highly recommended by experts to make security testing as a part of information system audit process of an existing information system environment in detecting all possible security risks and help developers in fixing them.

Security testing aims at covering following basic security components

  1. Authentication
  2. Authorization
  3. Availability
  4. Confidentiality
  5. Integrity
  6. Non-repudiation

Why Security Testing is Important?

Security testing is important due to the increase in the number of privacy breaches that websites are facing today. In order to avoid these privacy breaches, software development organizations have to adopt security testing in their development strategy based on testing methodologies and latest industry standards.

It is important to adopt Security Process in each and every phase of SDLC.

Requirement Phase: Security analysis of all the requirements
Design Phase: Implementation of Test Plan including Security tests.
Code & Unit Testing: Security White Box Testing
Integration Testing: Black Box Testing
System Testing: Black Box Testing & Vulnerability Scanning
Implementation of System Testing: Penetration Testing & Vulnerability Scanning
Support: Impact Analysis

Top Vulnerabilities:

Security tests include testing for vulnerabilities such as

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Session Management
  • Broken Authentication
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Failure to Restrict URL Access
  • Secure Data Exposure
  • Insecure Direct Object Reference
  • Missing Function Level Access Control
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards

Types of Security Testing:

There are seven main types of security testing which are presented below.

Types of Security Testing

Vulnerability Scanning:

In vulnerability scanning (aka vulnerability assessment), we just identify and report the vulnerability using vulnerability scanning tools.

It’s the first step to improve the security of a system.

A vulnerability assessment report should contain the title, the description and the severity of a vulnerability.

Security Scanning:

Security scanning is done to find weak points in the security of network and system and also provides solutions to reduce these risks.

Penetration Testing:

In Penetration testing (aka Pen test), we identify the vulnerabilities and attempt to exploit them using penetration testing tools. We repeat the same penetration tests until the system is negative to all those tests.

Pen testing can be divided into three techniques such as manual penetration testing, automated penetration testing and a combination of both manual & automated penetration testing.

Read more on Pen Testing Techniques

Risk Assessment:

Risk assessment involves reviewing and analyzing security risks that later will be prioritized as Low, Medium and High. It also recommends possible ways to prevent the risk.

Security Auditing:

Security auditing is the procedure of defining security flaws. It is an internal inspection of systems to find security flaws. In some cases, an audit is done via line by line inspection of code

Ethical Hacking:

Ethical hacking is done on a system with an intent to find and expose security issues in the system. Ethical hacking is done by a white hat hacker. White hat hacker is a security professional who uses their skills in a legitimate manner to reveal the defects of a system.

Read more: Types of Hackers

Posture Assessment:

Posture assessment is a combination of security scanning, ethical hacking, and risk assessment to present the security posture of a system or organization.

Security Testing Tools:

To find the flaws and vulnerabilities in a web application, there are many free, paid, and open source security testing tools available in the market. We know that the advantage of open source tools are we can easily customize it to match our requirements. We are here to showcase some of the top __ open source security testing tools.

We use security testing tools for checking how secure a website or web application is.

Open Source Security Testing Tools:

Some of the open source security testing tools are Zed Attack Proxy, Wfuzz, Wapiti etc.,

Commercial Security Testing Tools:

Some of the commercial security testing tools are GrammaTech, Appscan, Veracode etc.,

Conclusion:

We know how important is security testing in current days. It aims to find out all possible loopholes and weaknesses of the system. Testers play a role of an attacker to find out security related bugs in the system.

If you have any queries, please comment below.

Related posts:

Security Testing Tutorial

Get our latest blog posts delivered to your inbox

Subscribe and get popular blog posts about software testing industry.

Rajkumar

Leave a Comment

Share via
Copy link
Powered by Social Snap