Overview of Security Testing – Security testing

Tram Ho

Website security testing is an effective way to assess the security of a website. This article introduces security testing methods for websites so that you can get a clear picture of them.

1. What is security?

Security is the set of measures that protect an application against unintended actions that would cause it to stop working or be compromised.

2. What is Security Testing?

  • Security testing is an important part of software development; it ensures that an organization's systems and applications do not have loopholes that could lead to a loss of security.
  • Security testing looks for all the vulnerabilities and weaknesses in the system that could lead to leaks of the organization's information.
  • The purpose of security testing is to identify threats and vulnerabilities in the system, to help determine whether its data and resources are protected from possible intruders, and to help the software development team fix these problems.

3. Focus area

There are four main focus areas to be considered in security testing (Especially for websites / applications):

  • Network security: related to finding vulnerabilities in the network infrastructure (resources and policies).
  • System software security: involves assessing weaknesses in the various software (operating systems, database systems and other software) on which the application depends.
  • Client-side application security: involves ensuring that the client (browser or any such tool) cannot be manipulated.
  • Server-side application security: involves ensuring that the server code and its technologies are strong enough to protect against any intrusion.

4. Forms of Security Testing

According to ISECOM (Open Source Security Testing) there are 7 forms of security testing:

  • Review potential vulnerabilities – Vulnerability Scanning: software automatically scans a system to detect vulnerabilities based on known signatures.
  • Review system weaknesses – Security Scanning: identifying network and system weaknesses and providing solutions to minimize these risks. Can be done manually or automatically.
  • Penetration testing: a type of test that simulates an attack by a malicious hacker. It involves analyzing a specific system and finding potential vulnerabilities by attacking it from outside.
  • Risk Assessment: analyzing the perceived security risks. Risks are classified as Low, Medium, and High, and this type of test recommends measures to minimize them.
  • Security Auditing: auditing the internal security of applications and the OS.
  • Ethical hacking: well-intentioned hackers use the same approach as malicious attackers, with the goal of finding security vulnerabilities and ways to penetrate the target, assessing the damage these holes could cause, and then issuing warnings and appropriate hardening measures.
  • Posture assessment: combines Security Scanning, Ethical hacking and Risk Assessment into an overall security assessment of an organization.

5. For example

Here are some examples of very basic security checks that anyone can perform on a website or app:

  • Log into the web application.
  • Log out of the web application.
  • Password needs to be in encrypted form.
  • Application or system needs to control the user, not allow invalid users.
  • Check cookies and session time.
  • For financial websites, the browser’s back button should not work.
  • Click your browser’s BACK button (check whether you are required to log in again or are shown the login page).

=> Most types of security tests involve complex steps and advanced thinking, but sometimes it is simple tests like the ones above that expose the most serious security risks.
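The checks above can be made concrete against a small server. The following is an added example, not code from the original article: a hypothetical WSGI application that stores only a password hash, issues a fresh session on login, invalidates the session server-side on logout, and sends `Cache-Control: no-store` so a BACK-button replay after logout cannot show the protected page. The `request()` helper is an offline test client that drives the app without a network; the user `alice` and her password are constructed sample data.

```python
import hashlib, hmac, io, secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

_SALT = b"constructed-salt"   # a real deployment uses a random salt per user
def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
USERS = {"alice": _hash("correct horse")}   # constructed user; only the hash is stored
SESSIONS = {}                                # session id -> user, kept server side
NO_CACHE = [("Cache-Control", "no-store"), ("Pragma", "no-cache")]
def check_password(user, password):
    digest = USERS.get(user)
    return digest is not None and hmac.compare_digest(_hash(password), digest)

def app(environ, start_response):
    path, cookie = environ["PATH_INFO"], SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["sid"].value if "sid" in cookie else None
    user = SESSIONS.get(sid)
    if path == "/login" and environ["REQUEST_METHOD"] == "POST":
        form = parse_qs(environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0)).decode())
        name, pw = form.get("user", [""])[0], form.get("password", [""])[0]
        if not check_password(name, pw):
            start_response("401 Unauthorized", NO_CACHE)
            return [b"bad credentials"]
        sid = secrets.token_urlsafe(32)     # fresh, unguessable session id per login
        SESSIONS[sid] = name
        start_response("302 Found", [("Location", "/account"),
            ("Set-Cookie", f"sid={sid}; HttpOnly; Secure; SameSite=Strict")] + NO_CACHE)
        return [b""]
    if path == "/logout":
        SESSIONS.pop(sid, None)             # invalidate server side, not just the browser cookie
        start_response("302 Found", [("Location", "/login"),
                                     ("Set-Cookie", "sid=; Max-Age=0")] + NO_CACHE)
        return [b""]
    if path == "/account":
        if user is None:                    # unauthenticated, or a BACK-button replay after logout
            start_response("302 Found", [("Location", "/login")] + NO_CACHE)
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")] + NO_CACHE)
        return [f"balance page for {user}".encode()]
    start_response("404 Not Found", NO_CACHE)
    return [b""]
def request(path, method="GET", body=b"", cookie=""):
    env = {"PATH_INFO": path, "REQUEST_METHOD": method, "HTTP_COOKIE": cookie,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    captured = {}
    def start_response(status, headers): captured.update(status=status, headers=dict(headers))
    out = b"".join(app(env, start_response))
    return captured["status"], captured["headers"], out
```

Running the checklist against it means: log in (wrong then right password), fetch `/account` with the cookie, log out, then re-request `/account` with the same cookie exactly as a BACK button would, and confirm it bounces to `/login` with `no-store` on every response.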

6. Security Testing Method

  • Tiger Box: performed on a laptop on which a set of operating systems and hacking tools is installed. This method helps penetration testers and security testers assess vulnerabilities and attacks so that they can be detected and prevented in time. Examples: Nikto, AppScan, WebScarab, w3af, Acunetix, CyStack Scanning, …
  • Black Box: checks the security of the application from the outside, observing the data sent to the application and the data it outputs without understanding its inner workings. Feeding data into the application from outside can be done manually or with automated tools.
  • White box: directly inspecting the source code of a web application to find security errors. Observing and checking the source code can be done manually or with tools. In the tool-driven process, the tool scans the entire source code of the application and relies on a set of known functions and instructions of the web application's programming language that are likely to cause errors.
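To show what the tool-driven white-box process looks like in its simplest form, here is an added example (not from the original article and not any real scanner's code): a small Python checker that parses source with the standard `ast` module and reports calls to a constructed watch list of risky functions. The `SAMPLE` source it reviews is constructed for the demonstration.

```python
import ast

# Constructed watch list of calls whose presence warrants review; real scanners ship far larger sets.
RISKY_CALLS = {
    "eval": "executes arbitrary code built from a string",
    "exec": "executes arbitrary code built from a string",
    "pickle.loads": "deserialising untrusted data can run attacker-chosen code",
    "os.system": "command injection if untrusted input reaches the shell",
    "subprocess.call": "command injection when shell=True is combined with untrusted input",
}

def _call_name(node):
    """Return an 'os.system'-style dotted name for a Call node, or None if it is not a simple name."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None

def _uses_shell(node):
    """True when the call passes shell=True as a literal keyword argument."""
    return any(k.arg == "shell" and getattr(k.value, "value", None) is True for k in node.keywords)

def scan_source(source, filename="<input>"):
    """White-box check: parse the source, walk its AST and report each call to a watch-listed function."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in RISKY_CALLS:
            continue
        if name.startswith("subprocess.") and not _uses_shell(node):
            continue                      # list-form subprocess calls do not go through a shell
        findings.append((filename, node.lineno, name, RISKY_CALLS[name]))
    return sorted(findings, key=lambda f: f[1])

# Constructed sample under review, not a real application.
SAMPLE = """
import os, subprocess
def run(user_input):
    os.system("ls " + user_input)
    subprocess.call(["ls", user_input])
    subprocess.call("ls " + user_input, shell=True)
    return eval(user_input)
"""
```

Each finding is `(file, line, function, reason)`; the list-form `subprocess.call` on line 5 is deliberately not reported, which is the kind of context a name-only grep would miss.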

7. Building trust

There are many ways to compromise an application, and security testing is not the only measure of an application’s security. But it is highly recommended that security testing be included as part of the standard software development process. The world is full of hackers, and everyone wants to be able to trust the system or software that they produce or use.

8. Conclusion

Security testing is the most important type of test for an application and helps determine whether important data is secured. With this type of testing, the tester acts as a system attacker to find security holes.

References

http://softwaretestingfundamentals.com/security-testing/

Source: Viblo