Basics of Security Testing with SDLC Integration
Cyberpunks break into computer systems to steal, change or destroy information as a form of cyber-terrorism. These persons are sneak enough to take advantage of hidden vulnerabilities of the web application. Thus, it requires security testing.
What is Security Testing?
Security testing is a process that is performed with the purpose to encounter and expose the flaws in the security mechanism of web/software application. And, while regression to ensure that application is following safety sets to protect itself from loopholes, data breaching, unforeseen actions that can exploit web application or software.
The key objective of security testing is to check the vulnerability of the system. And, to verify whether data and resources are secure from potential interlopers.
SECURITY TESTING SHOULD COVER THE FOLLOWING KEY ATTRIBUTES:
Establishes the identity of the user. Authentication is a process of validating the person before accessing the system. It grants the user access to the network only if authentication verification is passed. e.g. Q/A, OTP, biometric, Token base RSA secure ID
User should receive a service or perform an action for which he has permission. After Authentication approval the Authorization comes and limit the user as per the permission set. It is usually implemented on Access control list, user role based, user group based and define the permissions & restrictions.
Information should be accessible to only those with authorized access. It is to verifying that information and resources are protected from the unauthorized users. The secrecy of information should be maintained at all stages of processing, storage and information display.
Information and communication services should be ready any time, as needed. The context of availability is to verify the system is available for valid users whenever required to use except the downtime, security patches or maintenance. For availability, one backup site runs parallel in case of failover with main site. If primary site goes down, then all requests are redirected to backup site.
A measure intended to allow the receiver to determine that the information which it is providing is correct. Integrity is a check to ensure that information received is not being tempered and altered meanwhile transit. And, verify that showed information to end-user is valid as per the user groups, privileges & restrictions.
To validate both sender and receiver as genuine. Monitoring and Tracking who is accessing the systems and which requests were allowed and denied with other details i.e. Timestamp and IP address with source of request. In other words, an acknowledge confirmation for successfully sent and receive of requested services or information received as Digital confirmation e.g. Digital Certificates.
Resilience is to validate the system is resistance enough to handle the threats, it can be implemented using encryption, use OTP (One Time Password), two layer authentication or RSA key token.
Why Security Testing
• Leads to loss of customer trust
• Disruption to online business which impacts on revenue generation
• Uncertainty of Website downtime, Time loss and expenditures in recovering from damage (reinstalling services, restoring backups, etc.)
• CAPEX for securing web applications
• Relevant legal deductions or charges for having loose security standards
TYPES OF SECURITY TESTING:
There are various types of security testing although as per Open Source Security Testing Methodology Manual below are seven:
This testing is a kind of inspection for potential points of exploits over application, system or network. It is performed through automated software to examine a system against known vulnerability signatures.
It includes identifying weakness for network and system, and later provides remediation techniques or solutions for reducing risk and impact area. Performed for both Manual and Automated scanning.
It simulates an authorized attempt to evaluate the security of infrastructure by safe attempts to exploit vulnerabilities of misconfigurations, services, OS and application flaws. This testing involves analysis/gathering information about target system, entry points, Break in / Enter in and security weakness.
It involves assessing the potential hazards observed in the organization or project activity. Risks can be Low, Medium and High. Level defined as per risk involved with the probability of vulnerability occurrences and type of data loss. It recommends benchmark and controls to reduce the chance.
It is a regular technical inspection of Infrastructure and Applications to measure how well they are defined against security flaws. An audit includes scans, physical access, OS access controls list, line by line inspection of the code, etc.
It is performed by company or individual to assist in identifying potential threats over network or system. The user attempts to bypass security method and try to discover the vulnerability with the aim to expose security flaws in the system and exploitation by malicious hackers.
It combines Ethical Hacking, Security Scanning, and Risk Assessments to present an overall security posture of an organization. It helps companies to increase Security posture by validating summary of included assessments. It shows a high level structure of risk, vulnerability, weakness, and info leaks and incorporates best practices/compliance to handle it.
Integration of security processes with the SDLC
|SDLC Phases||Security Processes|
|Requirements||Security analysis to check abuse/misuse cases and requirement gathering in order to identify compliance and regulatory risks involved with provision of alternatives.|
|Design||High level risk assessment on Functional specification. Need to document those functional assumptions and security areas of application. Develop test plan including security tests. Security functional requirement and sec design considerations.|
|Coding and Unit Testing||Develop Security controls and secure code, Covering Session management, Authentication and Error handling. Static and Dynamic tools Testing and Security white box testing.|
|Integration Testing||Black Box Testing, Security & regress testing, Secure coding, Automated test, threat analysis.|
|System Testing||Black Box Testing and Vulnerability scanning|
|Implementation||Penetration Testing, Vulnerability Scanning, Secure migration from dev to production|
|Support||Impact analysis of Patches|