Security Testing
Software testing is concerned with the evaluation of software products and related artifacts to determine that they satisfy specified requirements, to demonstrate that they are fit for purpose and to detect defects.
Security testing verifies and validates software system requirements related to security properties such as confidentiality, integrity, availability, authentication, authorization and non-repudiation. Sometimes security properties are expressed as classical functional requirements, e.g. “user accounts are disabled after three unsuccessful login attempts”, which approximates one part of an authorization property and is aligned with the software quality standard ISO/IEC 9126 [2], which defines security as a functional quality characteristic. However, it seems desirable that security testing directly targets the above security properties, rather than taking the detour of functional tests of security mechanisms. This view is supported by the ISO/IEC 25010 [3] standard, which revises ISO/IEC 9126 and introduces Security as a quality characteristic in its own right, no longer included under the functionality characteristic.
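To make the distinction concrete, here is an added example (not code from the original page) that takes the quoted requirement, “user accounts are disabled after three unsuccessful login attempts”, and writes the security test for it: a toy login service enforcing the lockout, plus test cases checking that the account is disabled after the third failure, that the correct password is still rejected once locked, and that a success below the threshold resets the counter. The `Authenticator` class, the account names and the passwords are all constructed for the example.

```python
import hashlib
import hmac

MAX_FAILED_ATTEMPTS = 3  # threshold taken from the requirement quoted in the text

def _hash(password: str) -> bytes:
    # Demonstration hash only; a real system would use a slow, salted KDF.
    return hashlib.sha256(password.encode()).digest()

class Authenticator:
    def __init__(self) -> None:
        # username -> [password_hash, failed_attempts, locked]  (hypothetical store)
        self._accounts = {}

    def register(self, username: str, password: str) -> None:
        self._accounts[username] = [_hash(password), 0, False]

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and acct[2]

    def login(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None or acct[2]:
            return False  # unknown or disabled account: reject, no state change
        if hmac.compare_digest(acct[0], _hash(password)):
            acct[1] = 0  # a success below the threshold resets the counter
            return True
        acct[1] += 1
        if acct[1] >= MAX_FAILED_ATTEMPTS:
            acct[2] = True  # requirement: disable the account after three failures
        return False

def run_lockout_tests() -> dict:
    auth = Authenticator()
    auth.register("alice", "correct horse")  # constructed sample accounts
    auth.register("bob", "battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):  # case 1: three failures in a row
        auth.login("alice", "wrong")
    auth.login("bob", "wrong")  # case 2: two failures, a success, one more failure
    auth.login("bob", "wrong")
    bob_ok = auth.login("bob", "battery staple")
    auth.login("bob", "wrong")
    return {
        "alice_locked": auth.is_locked("alice"),
        "alice_rejected_even_with_right_password": not auth.login("alice", "correct horse"),
        "bob_success_below_threshold": bob_ok,
        "bob_not_locked_after_reset": not auth.is_locked("bob"),
    }
```

The second case is what a functional test of the mechanism tends to miss: the property under test is that only the disabled account is denied, not that failures are merely counted.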
Types of Security Testing
- Vulnerability Scanning: Vulnerability scanning uses automated software to scan a system for known vulnerability patterns.
- Security Scanning: Security scanning identifies network and system weaknesses and then proposes solutions for reducing these defects or risks. It can be carried out both manually and with automated tools.
- Penetration Testing: Penetration testing simulates an attack by a malicious hacker. It analyses a particular system for vulnerabilities that such an attacker could exploit to compromise it.
- Risk Assessment: In risk assessment, the security risks observed in the organization are analyzed and classified into three categories: low, medium and high. The assessment recommends controls and measures to minimize the risk.
- Security Auditing: Security auditing is an internal inspection of applications and operating systems for security defects. An audit can also be carried out as a line-by-line review of code.
- Ethical Hacking: Ethical hacking differs from malicious hacking in its purpose, which is to expose security flaws in the organization’s systems so that they can be fixed.
- Posture Assessment: Posture assessment combines security scanning, ethical hacking and risk assessment to provide an overall view of an application’s security posture.
- Application Security Testing: Application security testing focuses on identifying vulnerabilities in the application itself. It covers the application’s code, configuration and dependencies.
- Network Security Testing: Network security testing focuses on identifying vulnerabilities in the network infrastructure. It covers firewalls, routers and other network devices.
Principles of Security Testing
Below are the six basic principles of security testing:
- Confidentiality
- Integrity
- Authentication
- Authorization
- Availability
- Non-repudiation
Major Focus Areas in Security Testing
- Network and Infrastructure Security
- Authentication and Authorization
- Server-side Application Security
- Client-side Application Security
- Database Security
- System Software Security