Addressing security is an essential step in the software testing lifecycle. Yet many QA professionals remain reluctant to assume some responsibility for it. Although security testing can be complex, it is important for software testers to understand the security risks of the applications they test and acquire skills to develop test cases that will expose security vulnerabilities. In this tip, we will look at ways the software test professional can get started with risk-based security testing.
As technology has evolved, security has become an increasingly large concern in the software testing lifecycle. With increased connectivity using the Internet, smartphones, refrigerators, cars and devices of every sort, the risk of security breaches increases, too. At the same time, the growing complexity and extensibility of systems adds to security testing challenges.
As SearchSoftwareQuality site editor Jennifer Lent writes in "Security testing basics: QA professionals take the lead," test professionals are being asked to assume some responsibility for security testing basics. Testers need to use risk-based thinking to assess areas of the code that are at highest risk for security breaches. Start by understanding the probability that a breach might occur, as well as the potential impact of a breach. Areas at highest risk are those with the greatest impact and greatest probability of occurring.
In order to address security concerns most effectively, testers need to work closely with developers, and that involves some exposure to the code. The entire team should be thinking about security early in the development cycle. Requirements and design need to take security into account, and unit testing must be expanded to include security tests.
Start by understanding the probability that a breach might occur, as well as the potential impact of a breach.
The first step is to understand the business risks that might be exposed by the application. Is there a possibility of a financial loss? Is there a security exposure that might result in a liability? Tie technical risks to the business. What business losses could potentially result from a technical failure?
Understanding common attacks
Software developers often use patterns to group areas of commonality. There are design patterns, code patterns and also attack patterns. CAPE (Common Attack Pattern Enumeration and Classification) International provides a community-developed taxonomy of common methods that exploit software. As technologies evolve, so do the attack patterns, so the list is constantly changing. However, it is useful for software testers to become familiar with the top attack patterns and understand the circumstances in which they occur.
Understanding attack patterns will help you see where your code is most vulnerable and who is most likely to attack. Once you understand this, you will be able to put the proper defense mechanisms in place.
Web-based applications are easy targets for security breaches, so those who test Web-based applications should understand some of the most common types of attacks, such as SQL injections or cross-site scripting errors.
Checklists, tools and other resources
Another technique used to uncover security risks is using a checklist to help evaluate the security of your application. For example, this Security At a Glance checklist checks things such as financial loss, number of users, security policies, use of logins, security training and so on. This list is included in the book Secure Coding: Principles and Practices.
Of course, there are a variety of tools that will help with detecting security vulnerabilities as well. Static code analysis tools scan an application and highlight possible vulnerabilities in the code. Other resources include OWASP, the Open Web Application Security Project, which provides the global community with insights into security risks. The OWASP website offers a wealth of information for the security tester and includes many educational resources to help software professionals stay informed, including a Getting Started page, which will help those who are new to the field.
This was first published in April 2013