Security testing basics: Fending off hackers and crackers

It's critical to apply security testing to your app, because cybersecurity affects everyone. Testing before production can help prevent attacks. Expert Gerie Owen explains further.

Cybersecurity -- we hear about it every day, whether it's another major security breach in the news or a new security initiative within our own organization, such as a directive to change your password more frequently. We may have been impacted personally by fraudulent credit card charges or identity theft, or know someone who has. Cybersecurity affects everyone, both personally and professionally.

Although everyone in the organization is responsible for cybersecurity at some level, security testing is critical. Many organizations believe that they can apply security in production, but we've seen time and again that vulnerable applications will get attacked. We have to build in security and test it prior to production. Whether you have an understanding of security testing basics or not, all testers should include high-level security test scenarios in test plans. Testers, welcome to the world of hackers and crackers, the brave new world of security testing.

Hackers, crackers and attacks

The first lesson of security testing basics is to understand the attackers, the most common types of attacks and how they happen. Testers, meet the hackers and crackers. Hackers are people who gain unauthorized access to an application. Their motives vary from malicious to mere curiosity and bragging rights. Hackers who are hired to determine if the application can be breached are often called ethical hackers. Crackers are malicious hackers who break into an application to steal data or cause damage.

The most prevalent types of attacks are state-sponsored attacks, advanced persistent threats, ransomware and denial of service. State-sponsored attacks are penetrations perpetrated by foreign governments, terrorist groups and other outside entities. Advanced persistent threats are continuous attacks aimed at an organization, often for political reasons. Ransomware locks data and requires the owner to pay a fee to have the data released. A denial-of-service attack makes an application inaccessible to its users.

Some of the usual means by which hackers and crackers attack are SQL injection, cross-site scripting, URL manipulation, brute-force attacks and session hijacking. Using SQL injection, an attacker manually edits the SQL queries that are built from URL parameters or text fields. Cross-site scripting involves injecting JavaScript, ActiveX or HTML into a website so that it runs on the client side and exposes users' confidential information. With URL manipulation, a hacker attempts to gain access by changing the URL. Brute-force attacks use automation to try large numbers of user identification and password combinations until one grants unauthorized access. Finally, hackers use session hijacking to steal the session once a legitimate user has successfully logged in.
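The SQL injection scenario above is the one most easily turned into a repeatable test. The following added example (not code from the article) shows a lookup built by string concatenation beside the same lookup using a bound parameter, and a tester's check that feeds the classic tautology into the input field; the in-memory SQLite table and the user rows are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed in-memory database standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'a-secret'), ('bob', 'b-secret')")
    return conn

def lookup_vulnerable(conn, name):
    # Builds the query by concatenation: whatever is typed into the field becomes SQL.
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Bound parameter: the driver treats the value as data, never as SQL syntax.
    return conn.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()

# Test scenario for a functional test plan: submit a tautology in the lookup field
# and require that no rows other than an exact-name match come back.
TAUTOLOGY = "' OR '1'='1"

def injection_test(lookup):
    conn = make_db()
    rows = lookup(conn, TAUTOLOGY)
    conn.close()
    return len(rows) == 0  # True means the lookup resisted the injected input
```

Running injection_test against both lookups shows the concatenated version returning every user while the parameterized version returns nothing.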

What is security testing?

Security testing validates that an application does not have code flaws that could allow unauthorized access to data, or its destruction or loss. The goal of security testing is to identify these bugs, which are called threats and vulnerabilities. Some of the most common types of security testing include vulnerability and security scanning, penetration testing, security auditing and ethical hacking.

Vulnerability scanning is an automated test where the application code is compared against known vulnerability signatures. Vulnerabilities are bugs in code that allow hackers to alter the operation of the application in order to cause damage. Security scans find network and application weaknesses, and penetration testing simulates an attack by a hacker. Security auditing is a code review designed to find security flaws. Finally, ethical hacking involves attempting to break into the application to expose security flaws.

The challenges of security testing

Security testing requires a very different mindset from traditional functional and nonfunctional testing. Rather than attempting to ensure the application works as designed, security testing is attempting to prove a negative -- i.e., that the application does not have vulnerabilities. Security vulnerabilities are very difficult bugs, both to find and to fix. Often, fixing a security vulnerability involves design changes, and, therefore, it is important to consider security testing in the earliest possible phases of the project.

Although security testing requires automation and specialized skills, all testers can contribute effectively to security testing. There are several areas in which testers can incorporate security testing into their functional testing. These include logins and passwords, roles and entitlements, forward and backward navigation, session timeouts, content uploads and tests involving financial or any type of private information. Simple tests such as ensuring passwords are encrypted, validating that the user is locked out after three invalid password attempts and that the user is timed out after the required number of minutes of inactivity are easy ways of spotting security vulnerabilities.
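The three simple tests named above (protected password storage, lockout after three invalid attempts, timeout after a period of inactivity) can be written as checks against a login service. This added example is not code from the article; the LoginService class, the 15-minute idle limit and the user credentials are assumptions for illustration, and stored passwords are kept as salted hashes rather than plaintext.

```python
import hashlib, hmac, os
MAX_ATTEMPTS = 3  # lock the account after three invalid passwords, as the text states
IDLE_TIMEOUT = 15 * 60  # assumed inactivity limit in seconds; the text gives no number

def hash_password(password, salt=None):
    # Salted PBKDF2 hash: the stored value never contains the password itself.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    def __init__(self, username, password):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failed_attempts = 0
        self.locked = False
        self.sessions = {}  # session token -> time of last activity

    def login(self, username, password, now):
        if self.locked or username != self.username:
            return None
        _, candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.digest):
            self.failed_attempts += 1
            self.locked = self.failed_attempts >= MAX_ATTEMPTS
            return None
        self.failed_attempts = 0
        token = os.urandom(16).hex()
        self.sessions[token] = now
        return token

    def is_session_active(self, token, now):
        last = self.sessions.get(token)
        if last is None or now - last > IDLE_TIMEOUT:
            self.sessions.pop(token, None)  # timed out: invalidate server-side
            return False
        self.sessions[token] = now  # activity resets the idle clock
        return True

# The test scenarios from the text, each returning True when the control behaves as required.
def lockout_scenario():
    svc = LoginService("alice", "correct horse")
    for _ in range(MAX_ATTEMPTS):
        svc.login("alice", "wrong", now=0)
    return svc.locked and svc.login("alice", "correct horse", now=0) is None

def timeout_scenario():
    svc = LoginService("alice", "correct horse")
    token = svc.login("alice", "correct horse", now=0)
    alive = svc.is_session_active(token, now=IDLE_TIMEOUT - 1)
    return alive and not svc.is_session_active(token, now=2 * IDLE_TIMEOUT + 5)
```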

Testers, if you are interested in going beyond security testing basics, start by learning to use security testing scanners and tools. As security testing becomes increasingly important, the need for specialists in this area is great. However, it is critical for all testers to support security testing by incorporating security scenarios in our test plans. Our organizations depend on the skills we use to think like a user. Testers, let's embrace this brave new world and think like hackers.
