Security Testing: Testing an application to check how well it is protected from unauthorized users, and from misuse by users who are authorized, is called security testing. Authentication is only one part of it. Security is an important requirement for an organization because it must protect its information from financial, legal and reputational harm, i.e. it must ensure that personal data and other sensitive information cannot be read or altered by an attacker.
Security testing is used to find the security flaws in an application, to make the application difficult to attack, and to make sure that it is protected against external intruders trying to break into it.
Principles of Security Testing:
Confidentiality: Checking that unauthorized users cannot access information and that the information is protected. Confidentiality has to be maintained at every stage at which the data is handled: in storage, in transit and while it is being processed.
Integrity: Checking that information received has not been altered in transit, and that the correct information is presented to each user according to that user's restrictions.
Authentication: The process of identifying a user of the system before access is granted; the user may access system information only once authentication has succeeded. Authentication can be done in ways other than a username and password, for example a one-time password (OTP) sent by SMS or secret questions. Secret questions are a weak factor, since the answers are often guessable or publicly discoverable, so a tester should treat them as a finding rather than as a second factor.
Authorization: Once authentication passes, authorization comes into the picture to limit what the user can do to the permissions set for that user.
Availability: Checking that the system and its data remain accessible to authorized users whenever they need them. Redundancy is the usual means of achieving this, for example a primary database paired with a secondary (standby) database that takes over if the primary fails.
Non-repudiation: Ensuring that a user cannot later deny an action they performed. This relies on tracking who accessed the system and which requests they made, together with additional details such as timestamps and IP addresses, in logs that the user cannot alter.
Security Testing Areas:
Network Security: The security test is conducted on the network's policies and resources, such as firewall rules and the services exposed on the network.
Client-Side Application Security: This deals with ensuring that the client (for example the browser) cannot be manipulated.
Server-Side Application Security: This makes sure that the server code and the technology stack it runs on are secured.
Application Software Security: Security testing is conducted on the operating system, the database system and the other software that the application depends on.
Why we do security testing:
- To avoid loss of customer trust
- To secure web applications from attackers
- Attackers can destroy or corrupt data, which damages the reputation and productivity of your product
- To avoid website downtime and lost time, and to reduce the cost of recovering from damage
- To avoid loss of revenue
- To avoid the high cost of fixing the application after an attack
- To avoid legal issues and lawsuits for breach of trust
Types of security testing:
- Vulnerability testing
- Penetration testing
- Ethical hacking
- Risk assessment
- Security scanning
- Security review
Examples of security testing:
- A strong password policy is enforced
- Passwords are stored as salted hashes, not in plaintext and not reversibly encrypted (an encrypted password can be decrypted by anyone who obtains the key; a hash cannot be reversed)
- Login/logout functionality works correctly, and the session is invalidated on logout
- For financial and banking applications, the browser back button must not redisplay pages from the authenticated session after logout (the sensitive responses must be sent with cache-control headers that stop the browser caching them)
- In banking applications, credit card/debit card numbers, passwords, etc. must be transmitted only over an encrypted channel (TLS)
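The password-storage check above is the one most often got wrong, so here is an added example of what a tester expects to find (this is example code written for this page, not code from any product or library it mentions). It assumes PBKDF2-HMAC-SHA256 with a random per-user salt and a self-describing record format; the `hash_password`, `verify_password` and `audit_password_store` names and the `SAMPLE_STORE` data are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a random
# 16-byte salt. A real deployment picks the algorithm and work factor from
# current guidance (Argon2id or bcrypt are also common choices).
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed or non-hashed record never authenticates
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_password_store(records: dict) -> list:
    """Tester's check over a credential store: report every account whose stored
    value is not in the salted-hash format. Plaintext and reversibly encrypted
    values both fail this check. Returns a list of (username, reason)."""
    findings = []
    for user, stored in records.items():
        if not stored.startswith(ALGO + "$"):
            findings.append((user, "credential is not stored as a salted PBKDF2 hash"))
    return findings


# Constructed sample store: two users chose the same password, and one legacy
# row still holds the password in plaintext.
SAMPLE_STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
    "legacy_user": "hunter2",
}

if __name__ == "__main__":
    print("alice logs in:", verify_password("correct horse battery staple", SAMPLE_STORE["alice"]))
    print("same password, different records:", SAMPLE_STORE["alice"] != SAMPLE_STORE["bob"])
    print("audit findings:", audit_password_store(SAMPLE_STORE))
```

Two things a tester should look for are visible here: because each record carries its own random salt, two users with the same password get different stored values (a store where identical passwords produce identical rows is unsalted), and the legacy plaintext row is reported by the audit even though `verify_password` would simply refuse it.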
Techniques of security testing:
- SQL injection
- Cross-site scripting (XSS)
- Session expiry
- URL manipulation
- Cross-site request forgery (CSRF)
- Cookie-based testing
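To make the first technique in the list concrete, here is an added example (written for this page, not taken from any product it describes) that runs the same login probes against an injectable query and a parameterized one and compares the outcomes. It uses an in-memory SQLite table constructed for the demonstration; the `login_vulnerable`, `login_safe` and `run_injection_test` names are assumptions, and for simplicity the login functions receive the already-hashed credential rather than hashing it themselves.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alices-password')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Builds the query by string concatenation: the classic injectable pattern.
    Whatever the user typed becomes part of the SQL text."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Same logic with bound parameters: the input is passed as data and is
    never parsed as SQL, so quotes and comment markers have no effect."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


def run_injection_test(login_fn) -> dict:
    """Tester's probe set: a legitimate login, a wrong password, a tautology
    payload in both fields, and a comment payload that truncates the query."""
    conn = make_db()
    tautology = "' OR '1'='1"
    comment = "alice' --"
    return {
        "valid": login_fn(conn, "alice", "hash-of-alices-password"),
        "wrong_password": login_fn(conn, "alice", "nope"),
        "tautology": login_fn(conn, tautology, tautology),
        "comment": login_fn(conn, comment, "anything"),
    }


if __name__ == "__main__":
    print("vulnerable:", run_injection_test(login_vulnerable))
    print("safe:      ", run_injection_test(login_safe))
```

The legitimate login and the wrong password behave identically in both versions, which is why a functional test never notices the flaw. The difference shows only under the attacker's inputs: the tautology and comment payloads log in as `alice` against the concatenated query and are rejected by the parameterized one. A security tester reports an application where the third or fourth probe succeeds.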
Who will perform this test?
- Security testers
- Security specialists
- Network specialists