What does "security testing" of my application actually mean?

What does a manager mean by "security testing"? In this response, expert Pete Walen offers insights into the broad category of application security testing and also recommends asking for clarification about the needs for your specific project.

My manager told me that my next project will involve security testing. I’ve never done that before. Does she mean that I’m supposed to test our application and make sure that people see only the data they are supposed to see? I looked online and I am not sure what to do. Can you tell me what my manager means? 

I think there are several questions in this one. First, what you describe about people only seeing the data they are supposed to see is closer to functional testing of your application than what I would normally describe as “security testing.” Depending on the nature of your application, some aspects of functional testing may involve some form of security testing. However, I don’t consider them to be parallel most of the time.

There is a good starting point for people new to the realm of security testing. It is a great website that I turned to the first time I was told, “Do some security testing for this,” by my boss. If you visit the Open Web Application Security Project site, you will get a good foundation for what security testing is. 

Depending on the nature of the application you are testing, there may be some regulatory concerns that you will need to consider. For example, if you are dealing with electronic payments and payment cards, you may need to be aware of the PCI-DSS standards. 

I suggest to people that guidelines and standards like that are starting points. While the auditors may be satisfied, I suspect that most auditors are less aggressive than most “bad guys” are. Many auditors may run down their checklist and if you cover the points on their checklist, then you pass. However, the “bad guys” may not have the same checklist the auditors do.

That means these checklists are the minimum -- the starting point. From there, you must get creative. How you get creative with your application will come with experience. Do not be afraid to try different approaches; a big part of being a tester is finding the best way to identify weaknesses and correct them.

Now, as to the other aspects in your question, how these ideas need to be implemented and how the tests need to be set up and run will depend very much on the nature of the system under test. There is not a single map or template that covers these ideas adequately for every situation.   

As for what exactly the manager means, I do not know. I would suggest talking with her and asking what she means. Explain that there are some possibilities you could look into testing and ask her if these are the factors she had in mind when she mentioned security testing. 