What is security testing?
Security testing is a type of software testing that detects system vulnerabilities and determines that system data and resources are protected from intruders. It ensures that the software system and the application are free of any threats or risks that may cause loss.
The security testing of any system focuses on finding all the vulnerabilities and weaknesses in the system that can lead to loss of information or reputation of the organization.
The objective of the security check is:
- To identify threats in the system.
- To measure potential system vulnerabilities.
- To help detect all possible security risks in the system.
- To help developers overcome security issues through encryption.
The main focus areas of security inspection:
- Network security
- System software security
- Client-side application security
- Server-side application security
Types of security testing
- Review potential vulnerabilities: vulnerabilities are done with the help of automated software to scan a system to detect known vulnerabilities.
- Review system weaknesses: include identifying network and system weaknesses. It then provides solutions to reduce these deficiencies or risks. Security scans can be performed both manually and automatically.
- Security assessment by attacking the system: This is a test that simulates an attack from a black hat hacker. Testing involves analyzing a specific system, finding potential vulnerabilities by attacking from outside.
- Risk assessment: this test involves analysis of perceived security risks. The risks are classified as Low, Medium, and High. This type of test makes recommendations to minimize risks.
- Check internal system security: check internal security of application and OS. Testing can also be performed through code-line testing.
- Attack on security vulnerabilities: white-hat hackers follow the same approach as black-hat hackers, with the goal of finding security vulnerabilities and identifying ways to penetrate targets, to assess the extent of damage caused by these holes, thereby giving warnings and measures to strengthen and consolidate appropriate security.
- Posture assessment: Combining security scanning, ethical hacking, risk assessment, and hacking into security systems to assess an organization’s overall security.
Security testing techniques
1. Check application access
Most applications or websites have access to each function, module on the application, website. So we need to check if the permissions of the users are correct or not.
Example: You need to check a normal user to not be able to access the admin page of the website.
Some application access tests include checking the password quality rules, checking the default login, checking password recovery, captcha checking, checking logout function, checking password changes. password, test security questions / answers.
Similarly, some authorized tests include path finders, missing permissions tests, and horizontal access control issues.
2. Check the data protection
All sensitive data must be encrypted before saving to database or when sending request. Especially for sensitive data such as passwords, credit card numbers or other important business information, strong encryption is required.
How to check the data security:
- Reviewers should query the database for important and sensitive data such as passwords and banking information to verify that all that data is stored in encrypted form in the DB.
- It must be verified that data transmitted between different monitors must be encrypted before transmitting. Moreover, the tester needs to ensure that the encrypted data is correctly decoded at the destination.
- The reviewer must verify that when the information is transmitted between the client and the server, it is not displayed in the web browser’s address bar in an easy to understand format.
3. Brute Force Attack
Brute Force Attack is mainly done by some software tools. The concept is to log into the system multiple times by guessing the password.
Example: A simple example of security against such an attack is to suspend an account for a short period of time. For example, if you try to login to Gmail unsuccessfully more than 3 times, you will be blocked from logging within about 30 minutes
How to test Brute force attack: Testers will perform multiple logins on the application with invalid information to verify that the account suspension mechanism is available and is working correctly on the application.
4. SQL Injection and XSS
SQL injection is a technique that allows an attacker to execute illegal SQL execution instructions (which the developer did not anticipate), by taking advantage of security breaches from application input. .
5. Check session management
Session is a sequence of HTTP request and response transactions associated with the same user.
Reviewer must check for session termination after the maximum time, session termination after logout, check the scope and duration of session cookies, check if an account can run concurrently on multiple sessions. work?
6. Check for specific risk functions
On the application, there are some functions that can cause security risks such as payment, file download, ..
For example, the function of downloading files we need to check that unwanted or malicious files are restricted when using this function.
Some tools used in security testing
WireShark is a network analysis tool formerly known as Ethereal. It captures packets in real time and displays them in a readable format. Basically, it is a network packet analyzer – provides the smallest details about network protocols, decryption, packet information, etc. It is an open source and can be used on Linux, Windows, OS X, Solaris, NetBSD, FreeBSD and many other systems.
OWASP is a standard for testing by Penetration Testing (Pentest) proposed by Open Web Application Security Project (OWASP). OWASP is a not-for-profit organization and offers the OWASP standard for effective and detailed pentest work. However, to clarify, I would like to briefly introduce what is Pentest.
OWASP is a worldwide non-profit organization focused on improving the security of software. The project has many tools to test different software environments and protocols. The project’s leading tools include:
- Zed Attack Proxy (ZAP – an automated tool to find security bugs while you are developing and testing applications)
- OWASP dependency test (scans project dependencies and checks for known vulnerabilities)
- OWASP web test environment project (collection of security tools and documents)
W3af is a framework that helps check and identify vulnerabilities in web applications. This tool comes with some useful plugins to scan a website with more than 200 public vulnerabilities. The currently available plugins include testing, authentication, bruteforce, crawl, evasion, grep and infrastructure. Each plugin has a different set of scan targets.
Security testing is an important type of software testing, helping to determine whether important data is kept confidential.
With this type of testing, the tester acts as an attacker on the system to find security holes