
What does "security testing" of my application actually mean?

What does a manager mean by "security testing"? In this response, expert Pete Walen offers insights into the broad category of application security testing and also recommends asking for clarification about the needs for your specific project.

My manager told me that my next project will involve security testing. I’ve never done that before. Does she mean that I’m supposed to test our application and make sure that people see only the data they are supposed to see? I looked online and I am not sure what to do. Can you tell me what my manager means?

I think there are several questions in this one. First, what you describe about people only seeing the data they are supposed to see is closer to functional testing of your application than what I would normally describe as “security testing.” Depending on the nature of your application, some aspects of functional testing may involve some form of security testing. However, I don’t consider them to be parallel most of the time.

There is a good starting point for people new to the realm of security testing. It is a great website that I turned to the first time I was told, “Do some security testing for this,” by my boss. If you visit the Open Web Application Security Project site, you will get a good foundation for what security testing is. 

Depending on the nature of the application you are testing, there may be some regulatory concerns that you will need to consider. For example, if you are dealing with electronic payments and payment cards, you may need to be aware of the PCI-DSS standards. 

I suggest to people that guidelines and standards like that are starting points. While the auditors may be satisfied, I suspect that most auditors are less aggressive than most “bad guys” are. Many auditors may run down their checklist, and if you cover the points on their checklist, then you pass. However, the “bad guys” may not have the same checklist the auditors do.

That means these checklists are the minimum -- the starting point. From there, you must get creative. How you get creative with your application will come with experience. Do not be afraid to try different approaches; a big part of being a tester is finding the best way to identify weaknesses and correct them.

Now, as to the other aspects in your question, how these ideas need to be implemented and how the tests need to be set up and run will depend very much on the nature of the system under test. There is not a single map or template that covers these ideas adequately for every situation.

As for what exactly the manager means, I do not know. I would suggest talking with her and asking what she means. Explain that there are some possibilities you could look into testing and ask her if these are the factors she had in mind when she mentioned security testing. 

This was last published in April 2011
