As long as confidential data or unique private information can be accessed via the Internet, there will be hackers who break into a system and use the stolen data for their own benefit or for the benefit of a related party.
Please find attached our security test plan template which is normally used for a typical test cycle.
Security and fraud issues are especially critical concerns for financial institutions and web applications supporting online transactions. However, security is an important characteristic of any modern software application. It is vital to keep all kinds of data safe from unauthorized access and hacking attempts in order to rest assured that your system is secure and nothing will be lost or stolen.
Nowadays many software systems are connected to the Internet, and protecting their data requires additional, dedicated security measures: network security for LANs, web application security for websites, mobile application security for mobile apps. Security testing helps identify security weaknesses and assures the quality of protection against security breaches. In other words, the main objectives of security testing of a product are:
- To define security goals through understanding security requirements of an application
- To identify the security threats
- To validate that the security controls operate as expected
- To eliminate the impact of security issues on the safety and integrity of the product
- To guarantee that the product will function correctly under malicious attacks
Different types of threat can arise when a security vulnerability is exploited:
- Unauthorized data access
- Privilege elevation
- URL manipulation
- SQL injection
- Identity spoofing
- Denial of service
- Data manipulation
- Cross-site scripting (XSS)
Security testing is the most important type of testing for an application, in which a tester plays the role of the attacker to detect security-related flaws. The following methods are used to verify how sensitive information is protected: dependency testing, client-side testing, design testing, implementation testing.
Dependency testing means that the third-party modules (libraries, code, etc.) an application relies on are tested. During this procedure, a test engineer verifies whether:
- The application inherits vulnerabilities from the third-party components it uses
- Modules that provide security services fail
- There are security vulnerabilities in the file system
- There are security vulnerabilities in the registry
During client-side testing, a test engineer works exclusively through the user interface. Besides error-handling testing and cross-site scripting checks, the engineer tries to enter incorrect input sequences, for example:
- Escape characters
- Long strings
- Fragments of program code
- Incorrect input values
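The four categories of incorrect input above map directly onto a negative-test harness. The example below is added here and is not code from the original post or from SaM Solutions: it assumes a hypothetical form with a username field and an amount field, defines an allow-list validator for each, and runs constructed inputs from each category against them. A deliberately weak blocklist validator is included for contrast so the harness has something to flag.

```python
"""Client-side negative-input test harness (added example, not from the original post).

The validators stand in for an application's own input handling; the field rules
and every sample input below are constructed for this example.
"""
import re
import unicodedata

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
MAX_AMOUNT_CENTS = 1_000_000  # business limit assumed for the example


def validate_username(value):
    """Allow-list check: returns (accepted, reason)."""
    if not isinstance(value, str):
        return False, "not a string"
    # Reject control and escape characters (Unicode category C*) before any other rule,
    # so NUL bytes, CRLF sequences and ANSI escapes never reach later processing.
    if any(unicodedata.category(ch).startswith("C") for ch in value):
        return False, "control/escape character"
    if len(value) > 32:
        return False, "too long"
    if not USERNAME_RE.fullmatch(value):
        return False, "characters outside allow-list"
    return True, "ok"


def validate_amount(value):
    """Amount in cents must be a positive integer within the business limit."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False, "not an integer"
    if value <= 0:
        return False, "non-positive"
    if value > MAX_AMOUNT_CENTS:
        return False, "exceeds limit"
    return True, "ok"


def naive_validate_username(value):
    """Deliberately weak blocklist validator, kept for contrast: it only blocks one tag."""
    if not isinstance(value, str):
        return False, "not a string"
    if "<script" in value.lower():
        return False, "script tag"
    return True, "ok"


# Constructed negative inputs, grouped by the categories named in the text.
USERNAME_NEGATIVE_CASES = {
    "escape characters": ["alice\x00", "bob\r\nSet-Cookie: x=1", "\x1b[31mred"],
    "long strings": ["A" * 33, "A" * 10_000],
    "code fragments": ["<script>alert(1)</script>", "' OR '1'='1", "{{7*7}}", "$(id)"],
    "incorrect input values": [None, 42, "", "a b", "日本語"],
}
AMOUNT_NEGATIVE_CASES = {
    "incorrect input values": [-1, 0, 10**9, "100", 1.5, True, None],
}


def run_negative_tests(validator, cases):
    """Return the inputs the validator wrongly accepted, keyed by category.

    An empty dict means every negative case was rejected.
    """
    accepted = {}
    for category, inputs in cases.items():
        for value in inputs:
            ok, _reason = validator(value)
            if ok:
                accepted.setdefault(category, []).append(value)
    return accepted


if __name__ == "__main__":
    print("allow-list username:", run_negative_tests(validate_username, USERNAME_NEGATIVE_CASES))
    print("allow-list amount:  ", run_negative_tests(validate_amount, AMOUNT_NEGATIVE_CASES))
    print("blocklist username: ", run_negative_tests(naive_validate_username, USERNAME_NEGATIVE_CASES))
```

The harness reports what a validator accepted rather than what it rejected, because for negative testing the accepted inputs are the findings. Positive cases (a valid username, a valid amount) should be kept in the same suite so that tightening a rule does not silently break legitimate input.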
Design vulnerabilities can be caused by an immature design or development process. At this stage, the following issues are checked:
- Open unsecured ports
- Insecure default values and accounts
- Debug code intertwined with implementation code
Implementation testing deals with exposed implementation vulnerabilities, which may occur due to the following implementation errors:
- Developers who work only on their own modules may unintentionally expose data (for example, through incorrect validation)
- Time-of-check to time-of-use issues
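A time-of-check to time-of-use issue is easiest to see in file handling: a program checks a path, a concurrent process changes what the path points to, and the program then opens the changed path. The example below is added here and is not code from the original post or from SaM Solutions. The file names and the `between` hook that stands in for a concurrent process are constructed; the hook makes the race window deterministic so the two patterns can be compared side by side.

```python
"""Time-of-check to time-of-use (TOCTOU) on a file path (added example, not from the original post).

The `between` callback is a constructed stand-in for what a concurrent process can do in
the gap between the check and the use; in real code that gap is decided by the scheduler.
"""
import os
import stat
import tempfile


def read_if_regular_check_then_use(path, between=None):
    """Vulnerable pattern: inspect the path, then open the path again."""
    if not stat.S_ISREG(os.lstat(path).st_mode):
        return None
    if between is not None:
        between()  # race window: the path may now refer to something else
    with open(path, "rb") as f:
        return f.read()


def read_if_regular_single_open(path, between=None):
    """Hardened pattern: open once without following symlinks, then check the descriptor.

    The check and the read both go through the same fd, so later changes to the path
    cannot redirect the read.
    """
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)  # O_NOFOLLOW assumed available (POSIX)
    try:
        fd = os.open(path, flags)
    except OSError:  # e.g. ELOOP when the path is already a symlink
        return None
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None
        if between is not None:
            between()  # too late to matter: fd is already bound to the checked inode
        return os.read(fd, 1 << 16)
    finally:
        os.close(fd)


def _make_files(directory):
    """Constructed fixture: a world-readable report and a file the reader must not see."""
    public = os.path.join(directory, "report.txt")
    secret = os.path.join(directory, "secret.txt")
    with open(public, "wb") as f:
        f.write(b"public report")
    with open(secret, "wb") as f:
        f.write(b"SECRET")
    return public, secret


def _swap_for_symlink(public, secret):
    """Constructed stand-in for the concurrent process: replace the checked file with a symlink."""
    def between():
        os.remove(public)
        os.symlink(secret, public)
    return between


def demo():
    """Run both patterns against the same swap and return what each one read."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        public, secret = _make_files(d)
        results["check_then_use"] = read_if_regular_check_then_use(
            public, _swap_for_symlink(public, secret))
    with tempfile.TemporaryDirectory() as d:
        public, secret = _make_files(d)
        results["single_open"] = read_if_regular_single_open(
            public, _swap_for_symlink(public, secret))
        # The swap has now happened; a fresh open sees a symlink and refuses it.
        results["single_open_after_swap"] = read_if_regular_single_open(public)
    return results


if __name__ == "__main__":
    for name, data in demo().items():
        print(f"{name:>23}: {data!r}")
```

In a test plan this is an implementation-level check: wherever code calls `access`, `stat` or `exists` on a path and then opens that path, the tester looks for whether the open could be redirected in between. The fix is always the same shape: perform the operation once and validate the handle you actually got, not the name you looked up.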
With over 20 years of experience and partnerships with world-known companies, among them Siemens, Fujitsu, Kaspersky, SAP and EPO, SaM Solutions has deep knowledge in this area and is able to run manual testing and automatic scanning to determine the vulnerabilities of your web applications. SaM’s quality assurance specialists will protect your web application against hackers’ attacks that may lead to negative consequences and disrupt your online means of revenue collection and generation. Our QA team covers the following areas of security testing:
- Penetration testing (SQL, XSS and CRLF injections, file insertion)
- Authentication vulnerabilities
- Checking for vulnerabilities at runtime
Adding security testing late in development increases the probability that vulnerabilities lie undiscovered in the software for a long time. As far as web applications are concerned, this increases the risk of being exposed to an attack. More importantly, the longer a vulnerability lies dormant, the more expensive it can be to fix. So the earlier a defect (vulnerability) is uncovered, the cheaper it is to fix. As the old saying goes, prevention is better than cure: testing early helps you maintain your customers’ trust and avoid website downtime, lost time and the expense of recovering from potential damage, as well as the related legal implications and fees for lax security measures.