Security testing helps identify vulnerabilities, weaknesses, and risks in an application or system which, if left unaddressed, can lead to attacks from outsiders or to loss of information and revenue.
It checks that systems are reliable and do not accept unauthorized inputs.
Security testing focuses on whether the software is configured correctly, taking into account some key elements:
- Assets: the main objects that need to be protected (applications and data)
- Threats and vulnerabilities*
- Risks: Security testing evaluates the risk by identifying the severity of a vulnerability and the likelihood of a negative impact on the business.
* Potential threats that should be considered during security testing include:
- Unauthorized copying of applications or data.
- Unauthorized access control (e.g., users can perform tasks outside their permissions). User rights, access, and privileges are the focus; information about access control should be available in the system properties.
- Software that exhibits unintended side-effects when performing its intended function. For example, a media player which plays audio correctly, but writes files out to unencrypted temporary storage, so it exhibits a side-effect that software pirates may exploit.
- Code inserted into a web page may be exercised by subsequent users (cross-site scripting or XSS). This code may be malicious.
- Buffer overflow (buffer overrun) may be caused by entering strings into a user interface field longer than the code can handle. A buffer overflow vulnerability represents an opportunity for running malicious code instructions.
- Denial of service, which prevents users from interacting with an application (e.g., by overloading a web server with “nuisance” requests).
- Breaking the encryption codes used to protect sensitive data
- Logic bombs (a.k.a. Easter Eggs) may be inserted into code and activated only under certain conditions (e.g., on a specific date). When logic bombs activate, they may perform malicious acts such as deleting files or formatting disks.
Security Test Planning
The following aspects are especially relevant when planning security tests:
- Security testing may be scheduled during the integration phase, since security issues may be introduced in the system’s architecture, design, and implementation. However, security testing can also take place after the system has entered production.
- The test strategies may include code reviews and static analysis with security tools. These can be effective in finding security issues in architecture, design documents, and code that are easily missed during dynamic testing.
- Security tests may require planned attacks that must be coordinated with the main stakeholders. An essential aspect of this is obtaining approval, including explicit permission from the Test Manager, so that the tests are not mistaken for actual attacks.
Keep in mind that improvements made to the security of a system may affect its performance. After making security improvements, it is advisable to consider the need for conducting performance tests.
Particular security tests may be grouped according to the origin of the security risk:
- User interface related – unauthorized access and malicious inputs.
- File system-related – access to sensitive data stored in files or repositories.
- Operating system related – sensitive information such as passwords stored unencrypted in memory could be exposed when the system is crashed through malicious inputs.
- External software-related – interactions may occur among external components that the system utilizes. These may be at the network level (e.g., incorrect packets or messages passed) or at the software component level (e.g., failure of a software component on which the software relies).
The following approach may be used to develop security tests:
- Gather information that may be useful in specifying tests, such as names of employees, physical addresses, details regarding the internal networks, IP numbers, identity of software or hardware used, and operating system version.
- Perform a vulnerability scan using widely available tools. Such tools are not used directly to compromise the system but to identify vulnerabilities that are, or that may result in, a breach of security policy. Specific vulnerabilities can also be identified using checklists like those provided by the National Institute of Standards and Technology (NIST).
- Develop “attack plans” (i.e., a plan of testing actions intended to compromise a particular system’s security policy) using the gathered information.
- Use inputs via various interfaces (e.g., user interface, file system) to detect the most severe security faults. The various “attacks” described above are a valuable source of techniques developed specifically for security testing.
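The following is an added example, not part of the original text, showing what the approach above looks like as a small, self-contained security test harness. It covers two of the risk origins listed earlier, user-interface related (malicious inputs) and unauthorized access control, against a toy application defined inline. The TinyApp class, its roles and permissions, the username length limit, and the table of test inputs are all constructed for illustration and are not taken from any real product.

```python
"""
Added example (not part of the original text): a minimal security test
harness. `TinyApp`, its roles, MAX_USERNAME_LEN and MALICIOUS_INPUTS are
constructed assumptions for illustration only.
"""
import html
import re

MAX_USERNAME_LEN = 32          # assumed limit the UI field must enforce

# Permissions per role (constructed).
ROLE_PERMISSIONS = {
    "viewer": {"read_report"},
    "editor": {"read_report", "edit_report"},
    "admin": {"read_report", "edit_report", "delete_report", "manage_users"},
}


class TinyApp:
    """A toy system under test with an access-control check and a UI field."""

    def can_perform(self, role: str, action: str) -> bool:
        # Default deny: unknown roles or unlisted actions are refused.
        return action in ROLE_PERMISSIONS.get(role, set())

    def set_username(self, value: str) -> str:
        # Input validation: a length bound plus a strict allow-list pattern.
        if len(value) > MAX_USERNAME_LEN:
            raise ValueError("username too long")
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", value):
            raise ValueError("username contains disallowed characters")
        return value

    def render_greeting(self, name: str) -> str:
        # Output encoding so stored text cannot become script in a page.
        return f"<p>Hello, {html.escape(name)}</p>"


# "Attack plan" as a table of test inputs (constructed), each tied to a
# threat from the list above: an overlong string (buffer handling), script
# in a field (XSS) and SQL metacharacters (SQL injection).
MALICIOUS_INPUTS = [
    ("overlong", "A" * 10_000),
    ("xss", "<script>alert(1)</script>"),
    ("sqli", "' OR '1'='1"),
]


def run_input_tests(app: TinyApp) -> dict:
    """Return {case_name: True if the input was rejected} for each case."""
    results = {}
    for name, payload in MALICIOUS_INPUTS:
        try:
            app.set_username(payload)
            results[name] = False      # accepted: a finding to report
        except ValueError:
            results[name] = True       # rejected: expected behaviour
    return results


def run_access_tests(app: TinyApp) -> list:
    """Return (role, action) pairs that were allowed but should not be."""
    findings = []
    all_actions = set().union(*ROLE_PERMISSIONS.values())
    # Every role, plus an unknown "guest" role, is probed against every
    # action; anything outside its permission set that succeeds is an
    # unauthorized-access finding.
    for role, allowed in list(ROLE_PERMISSIONS.items()) + [("guest", set())]:
        for action in sorted(all_actions):
            if action not in allowed and app.can_perform(role, action):
                findings.append((role, action))
    return findings


def xss_is_neutralised(app: TinyApp) -> bool:
    """Check that a stored script payload is rendered as inert text."""
    out = app.render_greeting("<script>alert(1)</script>")
    return "<script>" not in out


if __name__ == "__main__":
    app = TinyApp()
    print("rejected inputs:", run_input_tests(app))
    print("unauthorized access findings:", run_access_tests(app))
    print("xss neutralised:", xss_is_neutralised(app))
```

The three functions correspond to test cases in an attack plan: each returns a result that can be asserted on, so a finding (an accepted malicious input, a role that can perform an action outside its permissions, or script surviving into rendered output) fails the test rather than just being printed.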
Security issues can also be exposed by reviews and/or static analysis tools. Static analysis tools contain an extensive set of rules specific to security threats, against which the code is checked. For example, such a tool can find buffer overflow issues (caused by failure to check the buffer size before data is assigned to it).
Static analysis tools can be used for web code to check for possible exposure to security vulnerabilities such as code injection, cookie security, cross-site scripting, resource tampering, and SQL code injection.
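As an added example that is not part of the original text, the block below implements a deliberately minimal rule-based static analysis pass of the kind described in the last two paragraphs: a small set of security rules, expressed as regular expressions, is applied line by line to source text and every match is reported with its rule name and line number. The rule names, the patterns, and the two sample sources (a C fragment with an unchecked copy, and a mixed server-side/client-side web fragment) are all constructed for illustration; real tools carry far larger rule sets and track data flow rather than matching single lines.

```python
"""
Added example (not part of the original text): a toy rule-based static
analyser. RULES, SAMPLE_C and SAMPLE_WEB are constructed assumptions.
"""
import re
from typing import List, Tuple

# Each rule: (name, compiled pattern, short explanation). Constructed.
RULES = [
    ("buffer-overflow",
     re.compile(r"\b(strcpy|strcat|gets|sprintf)\s*\("),
     "unbounded copy into a fixed-size buffer; size is never checked"),
    ("sql-injection",
     re.compile(r'\.execute\(\s*(f["\']|["\'][^"\']*["\']\s*(\+|%))'),
     "query text built from variables instead of bound parameters"),
    ("xss",
     re.compile(r"innerHTML\s*=|document\.write\("),
     "untrusted data written into the page without encoding"),
    ("cookie-security",
     re.compile(r"set_cookie\((?![^)]*secure=True)"),
     "cookie set without the Secure flag"),
]


def scan_source(source: str) -> List[Tuple[str, int, str]]:
    """Return (rule_name, line_number, line_text) for every matching line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        # Simplification: blank lines and lines starting with a comment
        # marker (or a C preprocessor '#') are skipped outright.
        if not stripped or stripped.startswith(("//", "#")):
            continue
        for name, pattern, _ in RULES:
            if pattern.search(line):
                findings.append((name, lineno, stripped))
    return findings


def rule_names_hit(source: str) -> List[str]:
    """Sorted unique rule names that fired for a source text."""
    return sorted({name for name, _, _ in scan_source(source)})


# Constructed sample: a C fragment with the classic unchecked copy.
SAMPLE_C = """\
#include <string.h>
void greet(const char *name) {
    char buf[16];
    strcpy(buf, name);      /* no length check before the copy */
}
"""

# Constructed sample: web code mixing server-side and client-side lines,
# each carrying one of the weaknesses named in the text.
SAMPLE_WEB = """\
def lookup(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = " + user_id)
    resp.set_cookie("session", sid, httponly=True)
// client side
el.innerHTML = params.get("q");
"""


if __name__ == "__main__":
    for label, src in (("sample.c", SAMPLE_C), ("web_sample", SAMPLE_WEB)):
        for name, lineno, text in scan_source(src):
            print(f"{label}:{lineno}: [{name}] {text}")
```

Running the block reports the strcpy call in the C sample as a buffer-overflow finding and, in the web sample, the concatenated query, the cookie set without the Secure flag, and the innerHTML assignment. The explanation string attached to each rule is what a reviewer would expect to see next to a finding when deciding whether it is a true positive.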