With the rapid evolution of information technologies, software developers have greater capabilities for improving old systems and developing new ones.
Users can now access information resources in an easier and more secure way.
However, security does not come out of the blue: security testing is crucial. Software security testing prevents leaks of sensitive data and breaches of digital services by cyber criminals.
Hands down, software security testing stops cyber crime from ruining your life and your business.
1. Basic concepts of security testing
When designing and developing any system, security testing is based on four key concepts: confidentiality, integrity, availability, and observability.
A) Confidentiality – only a limited number of users are allowed to access information.
B) Integrity – information cannot be corrupted, either accidentally or intentionally, by any user or process.
C) Availability – only assigned users are granted access to information.
D) Observability – the system keeps a log of all users' actions, provides users with access to information according to their rights, and reacts to users' actions in order to minimize possible losses, including by means of encryption.
In order to make these concepts work, the following steps are taken during design and development:
- Create a threat and risk analysis model
- Develop a test plan
- Conduct penetration tests
- Analyze and evaluate test results
- Implement comprehensive measures to eliminate detected threats
2. Aims of security testing
The main targets of the different types of security testing are server software and databases, data transmission channels, and client/server applications. Each target carries its own set of requirements for enhancing security.
The main issues security testing services must cover include:
- setting up access rights for all user categories
- splitting and filtering the data streams
- clustering the database
- issuing certificates for using secure data channels
- designing the database and fine-tuning it for optimal request processing
- implementing encryption when data transmission is performed via insecure channels
- monitoring and applying new security solutions against known types of attacks (both hardware and software levels)
A suitable example of a dynamic approach to security testing of web services is the Open Web Application Security Project (OWASP).
Of note: security testing benefits from test automation by definition. And yet, establishing a continuous security testing pipeline requires highly skilled QA engineers at the software testing company.
When it involves data security, never look for a cheap supplier!
Automated testing software makes it possible to cover more source code and infrastructure: weak points are discovered, and their severity determined, quickly and accurately.
3. Issues security testing targets
Software that helps detect and solve security issues is usually divided into several categories:
- Network scanners: This software helps determine the status of network items (ports and services) by analyzing their network activity. Users can create their own scenarios/scripts depending on the network architecture and the type of data to be transmitted.
For example: Nmap, Wireshark, and Snort.
- Brute force clients: Software that makes it possible to assess the security of the authorization mechanisms of various Internet services, supporting several protocols such as mail, databases, VNC, and SSH.
For example: THC Hydra.
- Proxy servers: Software that acts as a proxy and makes it possible to analyze the data exchanged when two client/server applications interact.
For example: Burp Suite.
- Auditing software to detect man-in-the-middle attacks: In this exposure the attacker intercepts messages and injects new ones, while the victims do not suspect the data spoofing.
To detect this sort of vulnerability we use Ettercap.
- Software to detect attacks on databases, such as SQL injection or the deletion or blocking of databases.
For example: sqlmap.
- Software for code analysis, designed to detect and eliminate errors that emerge at the development stage.
This feature is often built into IDEs.
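As an added illustration of the database-attack category above (example code written for this edit, not part of the original post and not taken from sqlmap or any other tool named here): the same login lookup written once with string concatenation and once with a parameterized query, run against a constructed in-memory SQLite table so that the difference in behaviour on a classic tautology input can be seen directly. The table contents, user names, the `login_*` function names and the `review_query_source` helper are all assumptions made for the example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text itself.

    Whatever the caller types becomes part of the statement, so a value
    containing a quote can change the WHERE clause's logic.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_hardened(conn, username, password):
    """Hardened form: a parameterized query.

    The driver sends the statement and the values separately; the values are
    compared as data and can never alter the statement's structure.
    """
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def review_query_source(source_text):
    """Tiny static check of the kind an IDE or code-analysis tool performs.

    Flags string concatenation that mixes a SQL keyword with a '+' operator;
    a heuristic for review, not a complete detector (hypothetical helper).
    """
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        upper = line.upper()
        if ("SELECT" in upper or "WHERE" in upper) and "+" in line:
            findings.append(lineno)
    return findings


def demo():
    """Run both lookups with a tautology input and report what each returns."""
    conn = make_db()
    # Constructed test input: a single quote closes the literal and the rest
    # is evaluated as SQL in the vulnerable form.
    tautology = "' OR '1'='1"
    vulnerable_result = login_vulnerable(conn, "alice", tautology)
    hardened_result = login_hardened(conn, "alice", tautology)
    return vulnerable_result, hardened_result


if __name__ == "__main__":
    vuln, hard = demo()
    print("concatenated query returned:", vuln)   # a row, although the password is wrong
    print("parameterized query returned:", hard)  # None: no such credentials
```

The vulnerable function returns Alice's row for a password that is not hers, because the concatenated statement ends up as `... AND password = '' OR '1'='1'` and the `OR` matches every row; the parameterized version returns nothing. Real systems should also store only salted password hashes rather than the plaintext used here to keep the table short; the parameterization point is the same either way.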
4. Reasons to start testing
When deciding on security testing, the main points are cost and test thoroughness. The decision on a comprehensive security system rests on the following assumption: when the cost of developing the security system is substantially lower than the potential damage, developing it is indispensable.
A common situation is that security test results show the software contains critical vulnerabilities. When those vulnerabilities cannot be eliminated at the development stage, a comprehensive security system should be designed, including legal and organizational measures, firmware, and engineering solutions.
Last but not least, a crucial link in smooth software delivery is DevOps consulting, which makes it possible to move a piece of software through the CI/CD pipeline from the development team to the operations team while ensuring high security standards.