
Security testing basics: Fending off hackers and crackers

It's critical to apply security testing into your app, as cybersecurity affects everyone. Testing before production can help prevent attacks. Expert Gerie Owen explains further.

Cybersecurity -- we hear about it every day, whether it's another major security breach in the news or a new security initiative within our own organization, such as a directive to change your password more frequently. We may have been impacted personally by fraudulent credit charges or identity theft, or know someone who has. Cybersecurity affects everyone, both personally and professionally.

Although everyone in the organization is responsible for cybersecurity at some level, security testing is critical. Many organizations believe that they can apply security in production, but we've seen time and again that vulnerable applications will get attacked. We have to build in security and test it prior to production. Whether you have an understanding of security testing basics or not, all testers should include high-level security test scenarios in test plans. Testers, welcome to the world of hackers and crackers, the brave new world of security testing.

Hackers, crackers and attacks

The first lesson of security testing basics is to understand the attackers, the most common types of attacks and how they happen. Testers, meet the hackers and crackers. Hackers are people who gain unauthorized access to an application. Their motives vary from malicious to mere curiosity and bragging rights. Hackers who are hired to determine if the application can be breached are often called ethical hackers. Crackers are malicious hackers who break into an application to steal data or cause damage.

The most prevalent types of attacks are state-sponsored attacks, advanced persistent threats, ransomware and denial of service. State-sponsored attacks are penetrations perpetrated by foreign governments, terrorist groups and other outside entities. Advanced persistent threats are continuous attacks aimed at an organization, often for political reasons. Ransomware locks data and requires the owner to pay a fee to have their data released. Denial of service makes an application inaccessible to its users.

Some of the usual means by which hackers and crackers attack are through SQL injection, cross-site scripting, URL manipulation, brute force attacking and session hijacking. Using SQL injection, an attacker manually edits SQL queries that pass through URLs or text fields. Cross-site scripting involves adding a JavaScript, ActiveX or HTML script into a website on the client side in order to obtain clients' confidential information. With URL manipulation, a hacker attempts to gain access by changing the URL. Brute force attacking requires automation and is used to obtain unauthorized access by trying large numbers and combinations of user identifications and passwords. Finally, hackers use session hijacking to steal the session once a legitimate user has successfully logged in.

What is security testing?

Security testing is validating that an application does not have code issues that could allow unauthorized access to data and potential data destruction or loss. The goal of security testing is to identify these bugs, which are called threats and vulnerabilities. Some of the most common types of security testing include vulnerability and security scanning, penetration testing, security auditing and ethical hacking.

Vulnerability scanning is an automated test where the application code is compared against known vulnerability signatures. Vulnerabilities are bugs in code that allow hackers to alter the operation of the application in order to cause damage. Security scans find network and application weaknesses, and penetration testing simulates an attack by a hacker. Security auditing is a code review designed to find security flaws. Finally, ethical hacking involves attempting to break into the application to expose security flaws.

The challenges of security testing

Security testing requires a very different mindset from traditional functional and nonfunctional testing. Rather than attempting to ensure the application works as designed, security testing is attempting to prove a negative -- i.e., that the application does not have vulnerabilities. Security vulnerabilities are very difficult bugs, both to find and to fix. Often, fixing a security vulnerability involves design changes, and, therefore, it is important to consider security testing in the earliest possible phases of the project.

Although security testing requires automation and specialized skills, all testers can contribute effectively to security testing. There are several areas in which testers can incorporate security testing into their functional testing. These include logins and passwords, roles and entitlements, forward and backward navigation, session timeouts, content uploads and tests involving financial or any type of private information. Simple tests such as ensuring passwords are encrypted, validating that the user is locked out after three invalid password attempts and that the user is timed out after the required number of minutes of inactivity are easy ways of spotting security vulnerabilities.
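The three simple checks named above (passwords not stored in the clear, lockout after three invalid attempts, timeout after a period of inactivity) can be written as ordinary automated test scenarios. The following is an added example, not code from the article: a small login and session model written for the demonstration, with an injected clock so the inactivity timeout can be tested without waiting. The lockout threshold of three comes from the article; the 15-minute timeout is an assumed policy value, and the PBKDF2 parameters are illustrative.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 3                # threshold named in the article
INACTIVITY_TIMEOUT_SECONDS = 15 * 60   # assumed policy value for the example
PBKDF2_ROUNDS = 100_000                # illustrative work factor


class FakeClock:
    """Controllable clock so the timeout scenario runs instantly."""

    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthService:
    """Minimal login/session model constructed for the test scenarios."""

    def __init__(self, clock):
        self.clock = clock        # callable returning the current time
        self.users = {}           # username -> (salt, pbkdf2 digest)
        self.failed = {}          # username -> consecutive failed attempts
        self.locked = set()
        self.sessions = {}        # token -> (username, last_activity_time)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def stored_credential(self, username):
        return self.users[username][1]

    def login(self, username, password):
        """Return a session token on success, None on failure or lockout."""
        if username in self.locked or username not in self.users:
            return None
        salt, digest = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            self.failed[username] = self.failed.get(username, 0) + 1
            if self.failed[username] >= MAX_FAILED_ATTEMPTS:
                self.locked.add(username)
            return None
        self.failed[username] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, self.clock())
        return token

    def touch(self, token):
        """Return the session's user if it is still valid, expiring it if idle too long."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, last = entry
        now = self.clock()
        if now - last > INACTIVITY_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        self.sessions[token] = (username, now)
        return username


def scenario_lockout():
    """Three wrong passwords must lock the account, even against the right password."""
    svc = AuthService(FakeClock())
    svc.register("alice", "correct horse")
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong")
    return svc.login("alice", "correct horse") is None


def scenario_timeout():
    """A session survives activity inside the window and dies after idling past it."""
    clock = FakeClock()
    svc = AuthService(clock)
    svc.register("alice", "correct horse")
    token = svc.login("alice", "correct horse")
    clock.advance(INACTIVITY_TIMEOUT_SECONDS - 1)
    still_valid = svc.touch(token) == "alice"
    clock.advance(INACTIVITY_TIMEOUT_SECONDS + 1)
    expired = svc.touch(token) is None
    return still_valid and expired


def scenario_password_not_plaintext():
    """The stored credential must be a fixed-length digest, not the password itself."""
    svc = AuthService(FakeClock())
    svc.register("alice", "correct horse")
    stored = svc.stored_credential("alice")
    return b"correct horse" not in stored and len(stored) == 32


if __name__ == "__main__":
    print("lockout:", scenario_lockout())
    print("timeout:", scenario_timeout())
    print("hashed credential:", scenario_password_not_plaintext())
```

Each scenario returns a boolean so it drops straight into an existing test suite; against a real application the same three checks are made through the login page, the session cookie and a look at how credentials are persisted.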

Testers, if you are interested in going beyond security testing basics, start by learning to use security testing scanners and tools. As security testing becomes increasingly important, the need for specialists in this area is great. However, it is critical for all testers to support security testing by incorporating security scenarios in our test plans. Our organizations depend on us to apply the same skill we already use every day: thinking like a user. Testers, let's embrace this brave new world and think like hackers.


This was last published in April 2016

This makes an excellent primer article for people looking to get their toe wet on what security testing might imply. OWASP is a great resource to begin learning.
Security testing is NOT "attempting to prove a negative -- i.e., that the application does not have vulnerabilities". I have never seen a large complex system that did not have vulnerabilities, and if you are up against the resources of an adversarial nation state's Advanced Persistent Threats, they will eventually succeed. The Democratic National Committee's system never stood a chance against Russia. In fact, I would bet the Russians also got into the Republicans' system, but managed to do so without leaving an obvious trace. Also, scanners typically find far more vulnerabilities than one can practically debug, which is why prioritizing vulnerabilities and building security in as you go are so important. Additionally, proving a system is secure is the wrong mindset. You have to think like an attacker. You know the vulnerabilities are somewhere. Your job is to uncover them. The question is can you find the important ones given your limited testing resources. Security testing is critical; just don't consider it a panacea and perform your risk management and disaster recovery accordingly.
