SECURITY TESTING is a type of Software Testing that uncovers vulnerabilities, threats, and risks in a software application and prevents malicious attacks from intruders. The purpose of security tests is to identify all possible loopholes and weaknesses of the software system that might result in a loss of information, revenue, or reputation at the hands of employees or outsiders of the organization.
The main goal of Security Testing is to identify the threats in the system and measure its potential vulnerabilities, so that the threats can be countered and the system neither stops functioning nor can be exploited. It also helps in detecting all possible security risks in the system and helps developers fix the problems through coding.
There are seven main types of security testing according to the Open Source Security Testing Methodology Manual. They are explained as follows:
It is generally agreed that the cost is higher if security testing is postponed until after the software implementation phase or after deployment. So it is necessary to involve security testing in the earlier phases of the SDLC.
Let's look at the corresponding security processes to be adopted for every phase of the SDLC:
SDLC Phases | Security Processes |
---|---|
Requirements | Security analysis for requirements and check abuse/misuse cases |
Design | Security risks analysis for designing. Development of Test Plan including security tests |
Coding and Unit Testing | Static and Dynamic Testing and Security White Box Testing |
Integration Testing | Black Box Testing |
System Testing | Black Box Testing and Vulnerability scanning |
Implementation | Penetration Testing, Vulnerability Scanning |
Support | Impact analysis of Patches |
The test plan should include
Sample Test scenarios to give you a glimpse of security test cases -
In security testing, different methodologies are followed, and they are as follows:
The Open Web Application Security Project (OWASP) is a worldwide non-profit organization focused on improving the security of software. The project has multiple tools to pen test various software environments and protocols. Flagship tools of the project include
Wireshark is a network analysis tool previously known as Ethereal. It captures packets in real time and displays them in a human-readable format. Basically, it is a network packet analyzer that provides minute details about your network protocols, decryption, packet information, etc. It is open source and can be used on Linux, Windows, OS X, Solaris, NetBSD, FreeBSD and many other systems. The information retrieved via this tool can be viewed through a GUI or the TTY-mode TShark utility.
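To make concrete what a packet analyzer does with captured bytes, the following added example (not part of the original tutorial and not Wireshark's code) decodes a classic pcap file with the Python standard library only. The capture, the documentation-range addresses and the function names `build_sample_pcap` and `dissect` are constructed for illustration.

```python
import socket
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]

def build_sample_pcap():
    """Constructed sample: a classic pcap file holding one Ethernet/IPv4/TCP SYN."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")  # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 5 << 4, 0x02, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    frame = eth + ip + tcp
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    rec_hdr = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame))
    return file_hdr + rec_hdr + frame

def dissect(pcap):
    """Return one summary dict per captured frame, decoding Ethernet/IPv4/TCP headers."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic (microsecond) pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"  # byte order the capture was written in
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    packets, offset = [], 24
    while offset + 16 <= len(pcap):
        ts, _usec, incl, orig = struct.unpack_from(end + "IIII", pcap, offset)
        frame = pcap[offset + 16: offset + 16 + incl]
        offset += 16 + incl
        info = {"ts": ts, "length": orig, "truncated": len(frame) < orig}
        packets.append(info)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # too short for IPv4, or another EtherType
        ihl = (frame[14] & 0x0F) * 4
        if ihl < 20:
            info["malformed"] = True  # header length below the IPv4 minimum
            continue
        info.update(src=socket.inet_ntoa(frame[26:30]),
                    dst=socket.inet_ntoa(frame[30:34]), proto=frame[23])
        l4 = 14 + ihl
        if frame[23] == 6 and len(frame) >= l4 + 14:  # TCP header through flags byte
            sport, dport = struct.unpack_from("!HH", frame, l4)
            info.update(sport=sport, dport=dport,
                        flags=[name for bit, name in TCP_FLAGS if frame[l4 + 13] & bit])
    return packets

if __name__ == "__main__":
    for pkt in dissect(build_sample_pcap()):
        print(pkt)
```

Frames cut short by the snap length or by an incomplete file are reported with `truncated` set and are decoded only as far as the available bytes allow.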
w3af is a web application attack and audit framework. It has three types of plugins (discovery, audit and attack) that communicate with each other to find vulnerabilities in a site. For example, a discovery plugin in w3af looks for different URLs to test and forwards them to the audit plugin, which then uses these URLs to search for vulnerabilities.
Let's talk about an interesting topic on Myths and facts of security testing:
Myth #1: We don't need a security policy as we have a small business.
Fact: Everyone and every company needs a security policy.
Myth #2: There is no return on investment in security testing.
Fact: Security Testing can point out areas for improvement that can improve efficiency and reduce downtime, enabling maximum throughput.
Myth #3: The only way to secure a system is to unplug it.
Fact: The only and the best way to secure an organization is to find "Perfect Security". Perfect security can be achieved by performing a posture assessment and comparing it with business, legal and industry justifications.
Myth #4: The Internet isn't safe. I will purchase software or hardware to safeguard the system and save the business.
Fact: One of the biggest problems is to purchase software and hardware for security. Instead, the organization should understand security first and then apply it.
Conclusion:
Security testing is the most important testing for an application and checks whether confidential data stays confidential. In this type of testing, the tester plays the role of the attacker and plays around with the system to find security-related bugs. Security Testing is very important in Software Engineering to protect data by all means.