Security testing verifies that the system protects the confidentiality of its data. It can be started right from the requirement gathering phase of the Software Development Life Cycle (SDLC), and it checks that neither intentional nor unintentional actions are able to stop or delay the system. The complexity of security testing differs from phase to phase.
- Requirement Gathering: In this phase, we need to determine the level of security that the system will require while we assess the requirements. The required level can vary from government level, bank level and e-commerce level down to simple information-level confidentiality. Another consideration is the effort that can be invested in security testing.
- Design Phase: Here, a detailed plan for security testing needs to be created. This involves listing the testing tools, the manual approaches and the vulnerabilities that will be covered.
The different types of vulnerabilities can be defined as:
- Data confidentiality
- Authentication
- Authorization
- Integrity
- Availability
- Non-repudiation
The different types of techniques that can be applied are:
- SQL Command Injection
- Cross Site Scripting
- Session Management and broken authentication
- Insecure direct object references
- Exposure of sensitive data
- Security misconfiguration
- Function level access control
- Cross Site Request Forgery
- Invalid redirects
- Using vulnerable components
- Development Phase: Here, static analysis tools can be used for security testing. These tools identify security loopholes based on patterns and rules. Testing in this phase is the most recommended, as it involves unit-level testing: each code block is tested for potential bugs which, if left unchecked, result in bigger errors at later stages. Examples of such bugs:
- Exception Handling
- Ignored Return Values
- Buffer Overruns
- Complicated Functions
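The pattern-and-rule style of static analysis described for the development phase can be illustrated with a small scanner. The following is an added example, not code from the original post: a Python script that scans a constructed C source snippet (embedded inline) for three of the bug classes listed above, namely buffer overruns (unbounded copy calls), ignored return values (allocation or I/O calls used as bare statements) and complicated functions (a crude cyclomatic complexity count). Exception handling is not covered because the sample is C. The rule names, the function list and the complexity threshold of 5 are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed C source used as scanner input; it deliberately contains
# one unbounded copy, two discarded return values and one complex function.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int copy_name(char *dst, const char *src) {
    strcpy(dst, src);
    return 0;
}

void load(const char *path) {
    char buf[64];
    FILE *f = fopen(path, "r");
    fgets(buf, sizeof buf, f);
    malloc(128);
    fclose(f);
}

int classify(int a, int b, int c) {
    if (a > 0) {
        if (b > 0) {
            while (c > 0) {
                if (a == b) { return 1; }
                c--;
            }
        } else if (c) { return 2; }
    }
    for (int i = 0; i < a; i++) { if (i == b) return 3; }
    return 0;
}
"""


@dataclass
class Finding:
    rule: str    # rule identifier (assumed names for this example)
    line: int    # 1-based line number in the scanned source
    detail: str  # human-readable explanation


# Rule 1: copy routines with no length bound (classic buffer overrun source).
UNBOUNDED_COPY = re.compile(r"\b(gets|strcpy|strcat|sprintf)\s*\(")

# Rule 2: calls whose result must be checked, appearing as a bare statement.
MUST_CHECK = ("malloc", "calloc", "realloc", "fopen", "read", "write", "fgets")
IGNORED_RETURN = re.compile(r"^\s*(" + "|".join(MUST_CHECK) + r")\s*\(.*\)\s*;\s*$")

# Rule 3: branch points counted per function body (1 + branches = complexity).
FUNC_HEADER = re.compile(r"^[A-Za-z_][\w\s\*]*?\b(\w+)\s*\([^)]*\)\s*\{\s*$")
BRANCH = re.compile(r"\b(?:if|for|while|case)\b|&&|\|\|")


def split_functions(lines: List[str]) -> Iterator[Tuple[str, int, List[str]]]:
    """Yield (name, header_line_no, body_lines) for each top-level function.
    Brace counting is textual, so braces inside string literals would fool it;
    that is exactly the kind of limitation a manual review has to catch."""
    i = 0
    while i < len(lines):
        m = FUNC_HEADER.match(lines[i])
        if not m:
            i += 1
            continue
        name, start, depth, body = m.group(1), i, 1, []
        i += 1
        while i < len(lines) and depth > 0:
            depth += lines[i].count("{") - lines[i].count("}")
            body.append(lines[i])
            i += 1
        yield name, start + 1, body


def analyze(source: str, complexity_threshold: int = 5) -> List[Finding]:
    """Apply the three rules to C source text and return findings by line."""
    lines = source.splitlines()
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue  # preprocessor lines carry no code to check
        m = UNBOUNDED_COPY.search(line)
        if m:
            findings.append(Finding("buffer-overrun", no, f"unbounded copy via {m.group(1)}()"))
        m = IGNORED_RETURN.match(line)
        if m:
            findings.append(Finding("ignored-return", no, f"return value of {m.group(1)}() discarded"))
    for name, no, body in split_functions(lines):
        complexity = 1 + sum(len(BRANCH.findall(ln)) for ln in body)
        if complexity > complexity_threshold:
            findings.append(Finding("complicated-function", no,
                                    f"{name}() has cyclomatic complexity {complexity}"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in analyze(SAMPLE_C):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Running the script reports the strcpy call, the two discarded results (fgets and malloc) and classify() with complexity 8. Note that the rules are purely textual: they know nothing about how the data flows, which is why tools of this kind need their output reviewed by a person who understands the code.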
- Integration Phase: As the code blocks are integrated one by one to form the whole system, integration testing is performed. This is also known as black box testing. These tests are performed to eliminate security vulnerabilities before deployment. They uncover errors that were missed, or did not yet exist, at the unit level. This phase also detects configuration errors and potential security inconsistencies with third-party applications and the overall system.
- System Testing Phase: Here, vulnerability scanners are used extensively. They have a predefined set of security rules; following these, they crawl through the entire application and finally produce a comprehensive report on the system's vulnerabilities, which clearly states the cause, severity and solution for each case. However, the scanner should be complemented by a manual check, as it may generate many false positives because of its predefined rules and its lack of knowledge of the business logic.
- Deployment Phase: Here, Penetration Testing is performed, in which a hacking attack is simulated on the system to uncover all the remaining security threats. Performing penetration tests avoids network costs as well as regulatory requirements.
- Support/Maintenance Phase: All of the above is pre-production testing. After deployment, post-production testing needs to be performed. This can be done more efficiently by using a Software Security Assurance Program.
Conclusion:
Security testing is not something that can, or needs to, be performed only in the production environment. It should be performed through every phase of the SDLC. Since it covers security issues right from initiation, it also reduces the cost, time and effort of future fixes.
