Before we start this tutorial, let’s take some examples of recent security breaches of famous companies:
· Canva – In May 2019, the popular graphic design website ‘Canva’ was breached and data of more than 139 million users was stolen by the hacker.
· Adobe Inc. – In October 2013, it was made public by the company that more than 2.9 million (and later 38 million number was revealed) customers’ data was stolen which also included their credit card information. According to LastPass, a password security firm, the company did not safeguard the passwords. Sophos, British security software and hardware company said that Adobe used a weak encryption algorithm.
· Google Plus – In December 2018, Google reported that due to a bug in Google+ API update, over 52.5 million users’ details were affected. The bug allowed access to outside developers.
· Justdial – In October 2019, Indian security researcher Ehraz Ahmed found a major bug in register API of Justdial. It allowed hackers to enter the phone numbers in the username parameter which would result in access to other users’ accounts. The bug fixed in time and no users’ accounts were affected.
· Yahoo – More than 500 million users’ data was affected in 2014 due to cyber-attack.
These examples are just the tip of the iceberg. If you notice in every example, one thing is common and that is, these security breaches could have been avoided.
The question is how? The answer is by taking precautions and to take precautions the important process that needs to be followed is ‘Security Testing’.
This tutorial focuses on ‘Security Testing’. Security testing is a type of non-functional testing and it deals with detecting issues related to the security of the software which averts attacks mentioned above.
What is Security Testing?
Security testing is one of the most crucial testing types of non-functional testing. In this type of testing, the system’s readiness to fight back against any external or internal attacks is tested. It makes sure that only authorized and authenticated users are allowed to access the software, and users’ data is secured and available to them whenever required.
A development team should make sure that the software is protected against various security breaches such as malware, brute force attacks, SQL injections, etc. To do this, they need the help of security testing.
Six Basic Principles of Security
Before starting security testing, the testing team needs to focus on the basic principles of security of any software. These are the guidelines based on which any software’s security standards are checked:
· Confidentiality – Confidentiality decides the level of availability of information. Who can access the information, where this information can be accessed and how it can be accessed?
· Integrity – Integrity gives the assurance that the information is authentic and correct.
· Authorization – Authorization is the process of authorizing or identifying a person or an entity trying to gain access to the system. A typical example of the authorization method is to assign a username to every user.
· Authentication – Authentication is the process of authenticating authorized persons or entities. A typical example of the authentication process is to ask for a password for the entered username.
· Availability – All the required and accessible information should be available to the users. To achieve this principle, software’s information should be stored in a safe place and the system should have enough capacity to store the data.
· Non-repudiation – Repudiation word’s meaning is to deny something. Non-repudiation gives assurance that the originator of the message or sender of the document cannot deny the authenticity of their signature. One common example of achieving non-repudiation is by using a digital signature.
Why Security Testing is required?
We saw some real-world examples in the first section of the tutorial. Based on these examples, we can understand the importance of security testing. In this section, we will study some major consequences of poorly secured systems:
· Poor security mechanisms put the company’s reputation at stake – Due to lack of security mechanisms, if any application is attacked and users’ data or working of the system is affected, questions on the company’s authenticity are raised. In the case of Yahoo, due to three attacks, Verizon Communications decreased Yahoo’s valuation during its buyout.
· Decrease in Customers and Loss of trust – We can safely say that any security breach also affects users or customers. Especially if their data is affected, users might lose trust and may never use the same application again. The company will also face a hard time to gain back such customers. In the above examples and other examples available on the internet, we can see that many users’ payment information was also compromised. Hackers can misuse such credit or debit card details and it can result in unwanted transactions.
To avoid the above mentioned and many more other issues which have not been included here, security testing is a significant step of any software testing life cycle.
Types of Security Testing
There are seven types of security testing. Let’s study them in brief.
· Vulnerability Scanning – In this type of software testing, using automated software vulnerabilities of the system is detected.
· Security Scanning – This type of security testing identifies network and system weak points, post that it also gives solutions to reduce the weaknesses or risk. It can be done for both manual and automated scanning.
· Penetration Testing – Penetration testing reproduces various scenarios which can cause malicious hacking attempt and tries to find system vulnerabilities against such attacks.
· Risk Assessment – In risk assessment, as the name suggests, potential risks are identified, and they will be classified as per their severity. Once they have been classified, control measures will be defined to prevent them.
· Security Auditing – Security auditing is the process of reviewing the application and its configuration against existing security policies. This audit will generate a report on the strengths and weaknesses of the system in terms of security.
· Ethical Hacking – Ethical hacker is a white hat professional who penetrates the system (with the permission of its owners) to find system vulnerabilities. This hacking helps in preventing malicious attacks by black hat hackers who take advantage of vulnerabilities and use it for their gain.
· Posture Assessment – Posture assessment is a combined process involving risk assessment, security scanning and ethical hacking to show the full posture of the organization from the security perspective.
Security Testing Tools
For the above-mentioned security testing types, there are a lot of tools available in the market. This section discusses some of them in brief:
· Netsparker – It is a tool for web application security scanning. If any vulnerabilities are found, they are classified at various severity levels. It allows integration with CI/CD and other systems. Although it is not free, it allows trail used for a certain period.
· Metaspliot – Owned by Rapid7 LLC, it is an open-source cross-platform framework written in Ruby. As per their website, it is the world’s most used penetration testing framework.
· W3af – Web Application Attack and Audit Framework (w3af) is an open-source web application security scanner written in Python. It helps in identifying and exploiting web application vulnerabilities.·
· Nessus – It is a vulnerability scanner used during vulnerability assessments and penetration testing, developed by Tenable. It was available for free but with a limited set of features till 2005.
We hope this article helped you in understanding the basic security testing concepts. For any query or concern, please comment below and we will answer your queries at the earliest.
Kuldeep is the founder and lead author of ArtOfTesting. He is skilled in test automation, performance testing, big data, and CI-CD. He brings his decade of experience to his current role where he is dedicated to educating the QA professionals. You can connect with him on LinkedIn.