Basics of Security Testing
Software testing is the process of analysing a software item to detect the differences between existing and required conditions (i.e., defects) and to evaluate the features of the software item.
Any product's success is gauged by its quality and by the confidence customers place in it. Delivering a high-quality product or software application requires proper testing, which in turn raises the level of support and facilities offered to customers. A well-tested product also incurs lower maintenance costs, and the results it delivers are more accurate, consistent and reliable. Designing any product or software involves considerable expense, so it is critical that the application or product performs as intended in order to avoid unwanted or sudden costs. To consolidate a position in the market, product performance must be good and durable, and this kind of certainty can only be achieved with proper testing methods in place.
Importance of security testing
Security testing has a distinct relationship with software quality. Just because software meets quality requirements related to functionality and performance, it does not necessarily mean that the software is secure. Security testing is the process of determining whether an information system protects data and maintains functionality as intended. Software testing has traditionally focused on making sure systems satisfy their requirements. Such functional requirements and specifications are expected to, but may not necessarily, accurately depict the functionality prospective users actually want, particularly those aspects users may not be aware of or may not have been asked to consider.
Software security testing helps identify implementation errors that were not discovered during code reviews, unit tests, or white-box security tests; discover security issues resulting from boundary conditions not identified during the design and implementation phases; uncover software security issues resulting from incorrect product builds or from the interaction with the underlying environment; and verify that software security components and security-specific sub-systems are operating properly. Security is always relative to the information and services being protected, the skills and resources of adversaries, and the costs of potential assurance remedies; security is an exercise in risk management. Risk analysis, especially at the design level, helps identify potential security problems and their impact. Once identified and ranked, software risks can guide software security testing.
Security Breaches Examples
- Insecure storage or transmission of PII and other sensitive information
Examples:
  - PII, protected student records, or financial data being emailed in plain text, or sent in unprotected attachments. This puts the data at risk should it be intercepted in transit.
  - Saving files containing PII or protected student data in a web folder that is publicly accessible online.
  - Files containing SSNs generated by a web form stored in the same publicly accessible directory as the web form.
- Password hacked or revealed
Use good, cryptic passwords that are difficult to guess, and keep them secure. Never share or reveal your passwords, even to people or organizations you trust. Use different passwords for work and non-work accounts, and have a unique password for each account. Change initial and temporary passwords, and password resets, as soon as possible; these tend to be less secure.
- Computer infected with a virus or other malware
Install anti-malware software and make sure it is always up to date. Don't click on unknown or unexpected links or attachments; these can infect your computer. Don't open files sent via chat/IM or P2P software on a machine that contains sensitive data; these files can bypass anti-virus screening.
- Application vulnerabilities and misconfiguration
A hacker attacked a restricted database on a computer in UC Berkeley's health services centre via a public web site on the same server. The database contained the names, Social Security numbers, health insurance information, immunization records, and patient physician information for more than 160,000 UC Berkeley students and alumni as well as former Mills College students. A UCLA data security breach affecting approx. 28,600 people (initially thought to have affected approx. 800,000 people) was due to a previously undetected software flaw in one of its applications.
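The third insecure-storage example above (form output written into the same public directory as the form) is the kind of thing a security test should catch before an attacker does. The following is an added example, not from the original page: a small Python check that walks a web document root and reports served file types containing SSN-shaped values. The fixture directory, file names and the SSN values in it are constructed for the demonstration.

```python
import os
import re
import tempfile

# SSN-shaped values: three, two and four digits separated by dashes.
# Constructed pattern; extend it for other PII types your site handles.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Extensions a web server will usually serve verbatim to anyone who asks.
SERVED_EXTS = {".csv", ".txt", ".log", ".xml", ".json", ".html", ".bak"}


def find_exposed_pii(webroot, max_bytes=1_000_000):
    """Walk a web document root and return a sorted list of
    (relative_path, match_count) for served files holding SSN-shaped data."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SERVED_EXTS:
                continue  # not something the web server would hand out as-is
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)  # cap read size for large logs
            except OSError:
                continue
            hits = len(SSN_RE.findall(data.decode("utf-8", errors="ignore")))
            if hits:
                findings.append((os.path.relpath(path, webroot), hits))
    return sorted(findings)


def build_sample_webroot():
    """Constructed fixture: a form plus the submissions file it writes into
    the same public directory, which is the pattern the breach example describes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "apply.html"), "w") as fh:
        fh.write("<form method='post'><input name='ssn'></form>\n")
    with open(os.path.join(root, "submissions.csv"), "w") as fh:
        fh.write("name,ssn\nA. Example,123-45-6789\nB. Example,987-65-4321\n")
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "css", "site.css"), "w") as fh:
        fh.write("body { color: #123456; }\n")
    return root


if __name__ == "__main__":
    for rel, n in find_exposed_pii(build_sample_webroot()):
        print(f"{rel}: {n} SSN-shaped value(s) reachable from the web root")
```

The remediation the page implies is to write form output outside the document root entirely; the check above is for confirming that this is actually the case on a deployed server.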
Security Testing tools
- Netsparker
Netsparker is a highly accurate automated scanner that identifies vulnerabilities such as SQL injection and cross-site scripting in web applications and web APIs. Netsparker uniquely verifies the identified vulnerabilities, proving they are real and not false positives.
- Acunetix
Acunetix is a fully automated web vulnerability scanner that detects and reports on over 4500 web application vulnerabilities, including all variants of SQL injection and XSS. It complements the role of a penetration tester by automating tasks that can take hours to test manually, delivering accurate results with no false positives at top speed. Acunetix fully supports HTML5, JavaScript and single-page applications as well as CMS systems. It includes advanced manual tools for penetration testers and integrates with popular issue trackers and WAFs.
- Arachni
Suitable for both penetration testers and admins, Arachni is designed to identify security issues within a web application. The open-source security testing tool is capable of uncovering a number of vulnerabilities, including unvalidated redirects, local and remote file inclusion, SQL injection, and XSS injection.
- Nogotofail
A network traffic security testing tool from Google, Nogotofail is a lightweight application that is able to detect TLS/SSL vulnerabilities and misconfigurations. Vulnerabilities exposed by Nogotofail are:
  - MiTM attacks
  - SSL certificate verification issues
  - SSL injection
  - TLS injection
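The certificate-verification issues Nogotofail looks for usually come down to a client that was configured to skip checks. As an added example (not from the page or from the Nogotofail project), the Python below shows the weak client TLS configuration beside the corrected one and a small audit function that flags the same classes of misconfiguration from the `ssl.SSLContext` settings alone, without any network access. The function and context names are assumptions for this illustration.

```python
import ssl


def insecure_client_context():
    """The weak setting: the shortcut of turning verification off, which
    makes the connection accept any certificate a man-in-the-middle presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode changes
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """The corrected setting: system trust store, hostname matching, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext, or [] if it is clean.
    Mirrors the misconfiguration classes a TLS testing tool reports on."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled "
                        "(verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed "
                        f"(minimum_version={ctx.minimum_version.name})")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(f"{label}: {audit_context(ctx) or ['no findings']}")
```

Running the audit against every context an application constructs is a cheap static companion to a live Nogotofail run, which additionally catches libraries that ignore the context you gave them.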