The most important question you have to answer is: What are we trying to accomplish here? Do you need an all out...
assessment so you can sleep at night knowing your customers have gotten the most secure application from your team? Or, are you trying to meet some basic minimum security standards from a customer, business partner, or regulatory body such as those mandated by the PCI Standards Council?
The main areas to test center around user access, data input, and system configuration. Look at all of these areas from the perspectives of both untrusted outsiders (without authentication) and trusted insiders (with authentication). A combination of good vulnerability scanners, source code analyzers, and manual analysis across these main areas will serve to uncover the security flaws that matter in your environment - especially if you already have a documented set of requirements and standards upon which the application was built.
Dig Deeper on Software Quality Resources
Related Q&A from Kevin Beaver
Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading
Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading
Several vulnerabilities were recently discovered in Android bootloaders via the BootStomp tool. Kevin Beaver explains how they work and what risk ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.