Security testing is a variant of software testing that finds vulnerabilities in systems and applications and protects information and resources from potential breaches. It preserves the integrity of the system, its data and its core functionality. It helps validate the core principles listed here:
The ultimate aim of security testing is to find any lapses in the system and measure its vulnerability. This identifies the possible risks in the system and helps the project teams fix these problems promptly.
The Open Source Security Testing Methodology Manual prescribes the following types of tests:
- Vulnerability Scanning: This is typically carried out with automated software that scans a system for known vulnerabilities.
- Security Scanning: This test identifies network and system weaknesses and also provides solutions for mitigating the risks. It can be done with either manual or automated tests.
- Penetration Testing: This simulates an attack by a malicious hacker and checks for potential threats during an external hacking attempt. It has become extremely important in the wake of the General Data Protection Regulation (GDPR).
- Security Audit: This is a systematic evaluation of the application systems and operating systems for security flaws. Often the audit is carried out by checking the code line by line.
- Risk Assessment: This involves analysis of the security risks in the organization. The risks are classified as low, medium and high, followed by recommendations to reduce them.
- Ethical Hacking: Ethical hacking helps organizations find security flaws within the system using the same know-how as malicious hacking. However, the intention here is to help the organization protect itself from hackers.
- Posture Assessment: This combines ethical hacking, security scanning and risk assessment to show the organization's overall security posture.
The Open Web Application Security Project (OWASP) is a renowned non-profit organization that offers practical information about application security. Its mission is to make software security visible so that individuals and organizations can make informed decisions. OWASP provides impartial, practical information about application security to businesses, governments, individuals, universities and others.
Owing to the serious monetary, legal and reputational risks of a security breach, there is great emphasis on securing the Software Development Lifecycle.
Here are the steps taken during each phase of the lifecycle:
- Requirements Phase: Security analysis of the requirements must be carried out, including checking how the system could be misused.
- Design Phase: The test plan is developed to include security tests, and the design itself also undergoes security analysis.
- Coding and Unit Testing: This phase includes security white box testing and both static and dynamic testing.
- Integration Testing: Black box testing checks both functional and non-functional behaviour.
- System Testing Phase: This includes both black box testing and vulnerability scanning.
- Implementation Phase: Vulnerability scanning and penetration testing are carried out again.
- Support: The support phase analyses the impact of patches.
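The coding and unit-testing phase above calls for static testing of the code itself. As an added illustration (not code from the original article), the following script performs a minimal static security check over a constructed Python sample: it walks the abstract syntax tree and reports calls that commonly introduce command injection, code injection or unsafe deserialisation. The rule set, the severities and the sample source are assumptions chosen for the example, not a complete or authoritative list.

```python
"""Minimal static security check of the kind run in the coding/unit-testing phase.

Added example. It parses Python source into an AST and flags calls that
commonly introduce injection or deserialisation flaws. The RISKY_CALLS rule
set and the severities are illustrative assumptions, not an exhaustive policy.
"""
import ast

# Constructed rule set: dotted call name -> (severity, reason).
RISKY_CALLS = {
    "eval": ("high", "evaluates an arbitrary expression"),
    "exec": ("high", "executes arbitrary code"),
    "os.system": ("high", "runs a shell command built from strings"),
    "pickle.loads": ("high", "deserialises untrusted bytes"),
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain such as os.system, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _has_shell_true(call):
    """True when the call passes the literal keyword argument shell=True."""
    return any(
        kw.arg == "shell"
        and isinstance(kw.value, ast.Constant)
        and kw.value.value is True
        for kw in call.keywords
    )


def find_risky_calls(source: str) -> list:
    """Parse *source* and return one finding dict per risky call, ordered by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        if name in RISKY_CALLS:
            severity, reason = RISKY_CALLS[name]
        elif name.startswith("subprocess.") and _has_shell_true(node):
            # subprocess with a list of arguments is the usual safe form;
            # only shell=True hands the command string to a shell.
            severity, reason = "high", "shell=True passes the command through a shell"
        else:
            continue
        findings.append(
            {"line": node.lineno, "call": name, "severity": severity, "reason": reason}
        )
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample source for the check (deliberately contains risky calls).
SAMPLE_SOURCE = '''
import os, subprocess, pickle
def run(cmd, data, expr):
    os.system("ls " + cmd)
    subprocess.run(cmd, shell=True)
    subprocess.run(["ls", cmd])
    obj = pickle.loads(data)
    return eval(expr)
'''

if __name__ == "__main__":
    for finding in find_risky_calls(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['call']} [{finding['severity']}] {finding['reason']}")
```

A check like this is cheap enough to run on every commit, which is what makes it fit the "shift left" model described later in the article: the developer sees the finding while the code is still being written, rather than after a scan of the finished release.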
Agile project management security profile
The agile model of delivery lays great emphasis on tighter iterations and incremental gains to deliver high-quality software faster. Security remains an essential aspect of releasing high-quality software.
The Agile model is very effective for code development and for security testing because you can start testing early, shift left and check for potential flaws during the development phase. Rather than treating security as an afterthought, when issues have become too expensive and time-consuming to fix, the Agile approach makes it part of the process from the outset.
Security testing in the context of Agile project management can be executed in various ways, from static analysis and dynamic analysis to vendor application security testing for third-party code and software composition analysis for open source software. It is essential to find security testing solutions that can be easily incorporated into the developer's IDE, instead of a separate testing solution that may slow down your process.
What is the DevOps challenge for security?
- Multiple deployments, often in a day
- Largely automated delivery pipeline
- Security needs to be at DevOps speed.
As OWASP recommends, security goals in a DevOps environment must be driven by business needs and clearly defined at the beginning. "Collaboration and communication means exposing your processes."
Best practice suggests recording manual security tests for automation, automating the scanning processes and maintaining a baseline of ready-to-use security tests.
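One form such a baseline can take, as an added example that is not part of the original article, is a small set of checks that runs against every deployment at pipeline speed. The script below checks an HTTP response's headers and Set-Cookie attributes against a constructed baseline and returns findings that can gate a release. The header list, the cookie requirements and the two sample responses are assumptions made for the example; a real baseline would be tuned to the application.

```python
"""Baseline of ready-to-use security checks suitable for a delivery pipeline.

Added example. It evaluates an HTTP response against a small, constructed
baseline: required hardening headers, headers that should be absent, and
cookie attributes. REQUIRED_HEADERS, UNWANTED_HEADERS and the sample
responses are assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed baseline: header name (lower case) -> why it is required.
REQUIRED_HEADERS = {
    "strict-transport-security": "forces HTTPS on repeat visits",
    "content-security-policy": "limits where scripts and resources may load from",
    "x-content-type-options": "stops MIME sniffing",
}
# Headers that disclose implementation details and should be absent.
UNWANTED_HEADERS = ("server", "x-powered-by")
# Cookie attributes every session cookie must carry, with their display names.
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


@dataclass
class Response:
    """Captured response: status plus (name, value) header pairs; repeats allowed."""
    status: int
    headers: list


def _values(resp: Response, name: str) -> list:
    return [v for k, v in resp.headers if k.lower() == name]


def check_response(resp: Response) -> list:
    """Return a list of human-readable findings; an empty list means the baseline passed."""
    findings = []
    present = {k.lower(): v for k, v in resp.headers}

    for name, reason in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(f"missing header {name}: {reason}")
    # Present but wrongly valued is as bad as absent for this header.
    if present.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options must be 'nosniff'")

    for name in UNWANTED_HEADERS:
        if name in present:
            findings.append(f"unwanted header {name}: discloses implementation details")

    for raw in _values(resp, "set-cookie"):
        parts = [p.strip() for p in raw.split(";") if p.strip()]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag, display in COOKIE_FLAGS.items():
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {display}")
    return findings


def baseline_passes(responses: list) -> bool:
    """Pipeline gate: True only when every captured response is free of findings."""
    return all(not check_response(r) for r in responses)


# Constructed sample responses: one weak, one hardened.
WEAK = Response(200, [
    ("Content-Type", "text/html"),
    ("Server", "Apache/2.4"),
    ("Set-Cookie", "session=abc123; Path=/"),
])
HARDENED = Response(200, [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", check_response(resp) or "baseline passed")
```

Because the checks are expressed as data rather than as a manual procedure, the same baseline can be run unchanged after each of the many daily deployments the section above describes, and a failing check blocks the release instead of waiting for a periodic audit.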
While there are many test scenarios, security methodologies and protocols for security testing, there are at least as many ways to break a system. Security testing is not the only way to secure an application, but it is very important to ensure that you have covered as much ground as possible.