Security testing is a highly specialized part of the testing process.
When do we use Security Testing?
Security testing is carried out when some important information and assets managed by the software application are of significant importance to the organization. Failures in the software security system can be serious especially when not detected, thereby resulting in a loss or compromise of information without the knowledge of that loss.
The security testing should be performed both prior to the system going into the operation and after the system is put into operation.
Rigorous security testing activities are performed to demonstrate that the system meets the specified security requirements & identify the left out security vulnerabilities, if any.
The extent of testing largely depends upon the security risks, and the test engineers assigned to conduct the security testing are selected according to the estimated sophistication that might be used to penetrate the security.
What are the objectives of Security Testing?
Security defects do not come to surface that easily as other types of defects. Thus security testing is carried out to identify defects that are quite difficult to identify. The security testing is carried out to ensure that the software under test is sufficiently robust and functions in an acceptable manner even in the event of a malicious attack.
The objectives of security testing can be:
1) To ensure that adequate attention is provided to identify the security risks
2) To ensure that a realistic mechanism to define & enforce access to the system is in place
3) To ensure that sufficient expertise exists to perform adequate security testing
4) To conduct reasonable tests to confirm the proper functioning of the implemented security measures
Who should do the Security Testing?
Majority of the security testing techniques are manual, requiring an individual to initiate and conduct the test. Automation tools can be helpful in executing simple tasks, whereas complicated tasks continue to depend largely on the intelligentsia of the test engineer.
Irrespective of the type of testing, the testing engineers that plan and conduct security testing should have significant security and networking related knowledge, including expertise of following areas:
1) Network security
3) Intrusion detection system
4) Operating systems
5) Programming and networking protocols like TCP/IP
Security Testing versus Conventional Software Testing
– A Quick Comparison:
Security testing has following attributes:
# It emphasizes what an application should not do rather than what it should do.
# It sometimes tests conformance to positive requirements for instance – “User accounts getting disabled after five unsuccessful login attempts” etc.
# It is aimed to test the negative requirements stating something that should never occur. For example “An external attacker should not be able to modify the contents of the Web page” and “Unauthorized users should not be able to access the data.”
Conventional testing has following attributes:
# It is aimed to test a positive requirement i.e. to create the conditions in which the requirement is intended to hold true and verify that the requirement is satisfied by the software.
# To apply conventional testing approach to the negative requirements, we need to create every possible set of non-feasible conditions.
Methods of Security Testing:
To confirm if a particular software application meets the security requirements, usually following two methods of testing are adopted
1) Functional security testing: It is meant to ensure that the software behaves according to certain specified functional requirements and is expected to demonstrate that the specified requirements are totally satisfied at the acceptable level. Functional requirement generally have a form like – “When a certain thing takes place, then the software must respond in a particular way.”
2) Risk-based security testing: The first step in risk-based testing is the identification of the security risks and the potential loss associated with those risks. It tries to confirm the immunity against specific risks that have been identified through risk analysis effort. Risk-based testing addresses negative requirements, which state what a software system should not do. Tests for negative requirements are derived from a risk analysis, and generally cover not only the high-level risks identified during the design process but also address low-level risks derived from the software itself.
Testing against Negative Requirements – An Art:
In fact, the risk based testing is more of an art than a science, since it largely depends upon the security knowledge & skills of the tester. Automation tools can also be used for testing negative requirements; while individual intelligence of the test engineers still remains indispensable.
While testing the negative requirements, the security test engineers generally have an objective of finding vulnerabilities & common mistakes in the software. The test engineers try to exploit the software weaknesses by executing test cases exclusively designed for abuse and misuse.
How to define Tests for Negative Requirements?
Past experience remains the fundamental base while defining the test conditions for testing the negative requirements. Past experience helps in following ways.
1) Use of Test Templates: Generally matured test organizations maintain a set of test templates that describe the testing techniques for use against specific risks and requirements in specific types of software modules. The test templates are generally created during various testing projects, and such templates get accumulated over a passage of time capture the past experience of the organization.
2) Use of Incident Reports: It is another way to derive test scenarios from past experience. Incident reports can be simple bug reports, but in the context of security testing they can represent a forensic description of the successful intruder activity.
When designing risk-based tests, it is wise to consult IT security personnel, who are supposed to keep up-to-date information on vulnerabilities, incident reports, and security threats.
3) Use of Attack Pattern Data: While doing security testing, available data on attack patterns can be used effectively to create test cases that reflect attacker behavior and to help identify the test cases that validate secure behavior.
4) Use of Threat Modeling Techniques: Information related to threat modeling used in the past can be used while designing risk-based tests. For instance, if inexperienced intruders are expected to pose a major threat, then it is advisable to conduct test using automated tools – reason being the intruders generally use similar tools for breaching the security of software applications.
What are the common techniques for Security Testing?
Few of the security testing techniques commonly used are:
# Network scanning
# Vulnerability scanning
# Password cracking
# Log review
# Integrity checkers
# Virus detection
# War dialing
# War driving (wireless LAN testing)
# Penetration testing
In actual practice combination of many such techniques may be used to have a more comprehensive assessment of the overall security aspect.