
What are the most important security testing basics?

Knowing how to test for security flaws is vital, but it's a complicated and changing field. Expert Kevin Beaver offers security testing basics.

Welcome to the exciting field of software security. There are so many opportunities with testing Web applications, mobile apps and even traditional client-server software and not enough people to fill positions -- a core element behind why we still struggle with software security testing basics. The more we hear about how important it is to integrate security into the software development lifecycle, the more security incidents and breaches we hear about.

The first order of business is to understand the different types of software security testing basics so you'll know which area you'd like to focus on. I'm partial to vulnerability assessments and penetration testing, since that's what I focus on in my work. Vulnerability assessments look at the application environment and determine the weaknesses that can be exploited by criminal hackers and trusted users alike. Penetration testing takes security testing a bit further -- it's the active process of simulating a threat exploiting the vulnerability to demonstrate what can happen in a real-world situation.

I think we get too caught up in the verbiage around the different types of security testing basics. I like to refer to this exercise as "security assessments" whereby all aspects of the application are tested. It's not just vulnerability scans, and it's not just a capture the flag-type scenario with penetration testing. In most cases, the ultimate business goal of such an assessment is to find -- and fix -- security weaknesses. You can do this type of work in an IT or security role. You can also do it from a development or QA perspective. Whether you work for someone else or for yourself, it doesn't matter. What's important is to get as much hands-on experience as you can.

If I've learned anything in my 16 years of security testing, it's to have an open mind. This means considering alternatives to mainstream theories on what it takes to truly fix security flaws. It also means committing to learning new things -- staying on top of the latest software exploits, tools and testing techniques (both manual and automated). If you ignore these important areas, you'll struggle to build the credibility and the buy-in you need to be successful in the field long term. If you focus on what's important, keeping the business goals in mind, it's easy to stand out from the noise in this field.

You'll find that as you build your career in software security testing, there's always something new and exciting. For instance, I have been doing a lot of testing of mobile apps and Internet of Things (IoT) devices lately. IoT systems are unique in that they tend to be very specialized, and design and development teams often cut corners in order to minimize the system's footprint. As with Web applications, IoT devices are most interesting because each system tends to present its own unique challenges, especially as it relates to balancing security, usability and convenience. It's this very thing that makes software resiliency both a blessing and a curse. The more software security flaws we find and make public, the better our software can become. However, public knowledge of security flaws can create immense levels of risk on the part of the business and stress on the part of those responsible for developing applications and testing software security. In the end, it's in the best interest of the business, and that's what counts.

It's also important to remember the basics of security. Protecting the business against all the newest threats won't mean much if decades-old gotchas involving weak passwords, improper encryption, insecure data storage and the like can still find a foothold. If you are going to contribute to a solid information security program, you have to walk before you can run. That said, we would be remiss not to recommend compensating controls such as TLS, identity management and advanced malware protection to improve the security of any given application environment. As you develop your career in software security, you'll want to share your knowledge with others, so make sure you have processes in place to train users and developers about the importance of security.

For now, create your own lab environment using Kali Linux and related tools to get your hands dirty. The OWASP website has a ton of resources for those wanting to learn more about software security testing basics. The most important thing is to never stop learning. The core security principles that we work with really haven't changed all that much; however, the technologies we use have changed, and that's what makes for some great opportunities in and around this field.


This was last published in April 2016


5 comments


What was your biggest hurdle getting started with security testing?

Ironically, the biggest hurdle was selling the need to do it. "QA is responsible for functional testing only" was the counter-argument.

Don't have the basic knowledge.

I agree with Albert. The whole "ignorance is bliss" thing does not work when it comes to security. You need to show them the dark side of what can happen if they refuse to look.

One particular difference with security testing is that it's a two-step discovery process. First, you're looking for loopholes or malfunctions. Then you analyze how one can take advantage of them, and how severe it might be.
