Basics of Security Testing with SDLC Integration


Attackers break into computer systems to steal, change or destroy information, sometimes as a form of cyber-terrorism. They are skilled enough to take advantage of hidden vulnerabilities in a web application, which is why security testing is required.

What is Security Testing?
Security testing is a process performed to find and expose flaws in the security mechanisms of a web or software application. It is also repeated during regression testing to ensure that the application keeps following the security controls that protect it from loopholes, data breaches and unforeseen actions that could be used to exploit it.

The key objective of security testing is to check the system for vulnerabilities and to verify that data and resources are secure from potential intruders.

SECURITY TESTING SHOULD COVER THE FOLLOWING KEY ATTRIBUTES:

Authentication

Establishes the identity of the user. Authentication is the process of validating a person before they access the system; the user is granted access to the network only if the authentication check passes. Examples: security questions and answers, OTP, biometrics, token-based RSA SecurID.

Authorization

A user should receive a service or perform an action only when they have permission for it. Authorization comes after successful authentication and limits the user according to the configured permission set. It is usually implemented through access control lists, user roles or user groups, which define the permissions and restrictions.

Confidentiality

Information should be accessible only to those with authorized access. Testing verifies that information and resources are protected from unauthorized users and that the secrecy of information is maintained at all stages: processing, storage and display.

Availability

Information and communication services should be ready at any time, as needed. Availability testing verifies that the system is reachable by valid users whenever they need it, except during planned downtime, security patching or maintenance. For availability, a backup site typically runs in parallel with the main site for failover; if the primary site goes down, all requests are redirected to the backup site.

Integrity

A measure intended to allow the receiver to determine that the information it is receiving is correct. Integrity testing checks that information received has not been tampered with or altered in transit, and that the information shown to the end user is valid for that user's groups, privileges and restrictions.

Non-repudiation

Validates that both sender and receiver are genuine. This involves monitoring and tracking who is accessing the systems and which requests were allowed or denied, along with details such as timestamp, IP address and source of the request. In other words, it is an acknowledgement that the requested service or information was successfully sent and received, typically as a digital confirmation, e.g. digital certificates.

Resilience

Resilience testing validates that the system is resistant enough to handle threats. Resilience can be implemented using encryption, OTP (One Time Password), two-factor authentication or RSA key tokens.

Why Security Testing

Security weaknesses that are left untested can result in:

•    Loss of customer trust
•    Disruption to online business, which impacts revenue generation
•    Unpredictable website downtime, lost time and the expense of recovering from damage (reinstalling services, restoring backups, etc.)
•    Capital expenditure (CAPEX) for securing web applications after the fact
•    Legal deductions or charges for maintaining loose security standards

TYPES OF SECURITY TESTING:

There are various types of security testing; according to the Open Source Security Testing Methodology Manual, the following seven are the main ones:

Vulnerability Scanning

This testing inspects an application, system or network for potential points of exploitation. It is performed with automated software that examines the system against known vulnerability signatures.

Security Scanning

This includes identifying weaknesses in networks and systems and then providing remediation techniques or solutions to reduce the risk and the impacted area. It is performed through both manual and automated scanning.

Penetration Testing

It simulates an authorized attack to evaluate the security of the infrastructure by safely attempting to exploit vulnerabilities arising from misconfigurations, services, operating system and application flaws. This testing involves gathering and analysing information about the target system, identifying entry points, breaking in and reporting the security weaknesses found.

Risk Assessment

It involves assessing the potential hazards observed in the organization or project activity. Risks are classified as Low, Medium or High; the level is defined by the probability of the vulnerability occurring and the type of data that could be lost. The assessment recommends benchmarks and controls to reduce the chance of occurrence.

Security Auditing

It is a regular technical inspection of infrastructure and applications to measure how well they are defended against security flaws. An audit includes scans, physical access checks, OS access control lists, line-by-line inspection of the code, etc.

Ethical Hacking

It is performed by a company or individual to assist in identifying potential threats to a network or system. The ethical hacker attempts to bypass security mechanisms and discover vulnerabilities, with the aim of exposing security flaws in the system before malicious hackers can exploit them.

Posture Assessment

It combines ethical hacking, security scanning and risk assessment to present the overall security posture of an organization. It helps companies improve their security posture by validating the summary of the included assessments. It shows a high-level view of risks, vulnerabilities, weaknesses and information leaks, and incorporates best practices and compliance requirements to handle them.

Integration of security processes with the SDLC

SDLC Phase: Security Processes

Requirements: Security analysis to check abuse/misuse cases; requirement gathering to identify compliance and regulatory risks, with alternatives provided where needed.
Design: High-level risk assessment of the functional specification. Document the functional assumptions and the security areas of the application. Develop a test plan that includes security tests. Define security functional requirements and secure design considerations.
Coding and Unit Testing: Develop security controls and secure code, covering session management, authentication and error handling. Static and dynamic tool testing and security white-box testing.
Integration Testing: Black-box testing, security and regression testing, secure coding, automated tests, threat analysis.
System Testing: Black-box testing and vulnerability scanning.
Implementation: Penetration testing, vulnerability scanning, secure migration from development to production.
Support: Impact analysis of patches.
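The "Coding and Unit Testing" phase above asks for security controls to be written together with tests that exercise them. The following added example (not from the article) shows what such security unit tests look like for three of the key attributes listed earlier: authentication (credential check), authorization (role-based ACL) and integrity (HMAC tamper detection). All users, keys and the ACL are constructed sample data; the function names are assumptions.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"   # constructed; load from a secret store in practice
SALT = b"constructed-demo-salt"        # constructed; use per-user random salts in practice

def hash_password(password):
    """Salted, iterated PBKDF2-HMAC-SHA256 password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample user store: username -> (password hash, role)
USERS = {
    "alice": (hash_password("alice-pw"), "admin"),
    "bob": (hash_password("bob-pw"), "viewer"),
}
# Access control list: role -> actions that role may perform
ACL = {"admin": {"read", "write", "delete"}, "viewer": {"read"}}

def authenticate(username, password):
    """Authentication: return the user's role on a credential match, else None."""
    entry = USERS.get(username)
    if entry is None:
        return None
    # Constant-time comparison avoids leaking how many bytes matched
    return entry[1] if hmac.compare_digest(hash_password(password), entry[0]) else None

def authorize(role, action):
    """Authorization: allow only actions the ACL lists for the role."""
    return role is not None and action in ACL.get(role, set())

def sign(message):
    """Integrity: produce an HMAC tag the receiver can use to detect tampering."""
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()

def verify(message, tag):
    """Integrity: accept the message only if its tag matches."""
    expected = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def run_security_unit_tests():
    """Abuse-case checks to run beside the functional unit tests; all should be True."""
    tag = sign(b"transfer 100")
    return {
        "unknown_user_rejected": authenticate("mallory", "x") is None,
        "wrong_password_rejected": authenticate("alice", "wrong") is None,
        "unauthenticated_cannot_read": not authorize(None, "read"),
        "viewer_cannot_delete": not authorize(authenticate("bob", "bob-pw"), "delete"),
        "admin_can_delete": authorize(authenticate("alice", "alice-pw"), "delete"),
        "tampered_message_detected": not verify(b"transfer 900", tag),
        "intact_message_accepted": verify(b"transfer 100", tag),
    }
```

The negative cases (unknown user, wrong password, wrong role, tampered message) are the ones functional tests usually skip, and they are the ones that catch regressions when session or access-control code changes later in the lifecycle.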

Posted by Gautam

Gautam is currently associated with Advaiya as a Test Engineer. He has six years of experience in IT field with focus on quality assurance of Web based, Client-Server application etc.
