What is Security Testing?
Normal functional testing ensures that software does what the requirements specify. This assures our customers that their software will perform according to a given list of requirements or specifications. Security testing is a natural extension of negative testing: it focuses on unacceptable inputs and on whether those inputs are likely to cause a significant failure with regard to the requirements of the product under test.
Introduction
As an increasing number of new and existing services are provided over the Internet, more and more security intrusions have been occurring in sectors such as online banking, online gaming and political email accounts. The growing connectivity of computers through the Internet has increased both the number of attack vectors and the ease with which an attack can be made, putting software at great risk. People, businesses, and governments are increasingly dependent on network-enabled communications such as e-mail or web pages provided by information systems. As these systems are connected to the Internet, they become vulnerable to software-based attacks from distant sources. Because access through a network does not require human intervention, launching automated attacks is easy.
In the past few years, there have been well-documented intrusions of many online software systems. Whether it’s for political reasons (Anonymous/WikiLeaks) or for theft (Sony PlayStation Network), hacking into popular online services has definitely increased in the last year or so, to the point where hearing about them is no longer rare in national and even international news.
Basic Information Security Terms
- Asset – Anything that has value to an organization, subject to many kinds of threats. [ISO/IEC 13335-1:2004]
- Threat – A potential cause of an unwanted incident, which may result in harm to a system or organization. [ISO/IEC 27001:2005]
- Vulnerability – A weakness of an asset or group of assets that can be exploited by one or more threats. [After ISO/IEC 27001:2005] Vulnerabilities can be found in software, information systems, network protocols and devices, etc. If a vulnerability is not managed, it will allow a threat to materialize. Examples of vulnerabilities include unpatched software, weak passwords, lack of access control, no firewall installed, etc.
- Risk – The potential that a given threat will exploit vulnerabilities to cause loss or damage to an asset or group of information assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of an event and the severity of its consequences.
- Information security – The preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved. [ISO/IEC 27002:2005] Industrial espionage is the unauthorized collection of confidential, classified or proprietary documents.
Top 10 Vulnerabilities
- Injection Flaws (SQL, OS and LDAP Injection)
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Insecure Direct Object Reference
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
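To make the idea of security testing as negative testing concrete, here is an added example (not from the original article) that feeds unacceptable inputs to two versions of a username lookup, one built by string concatenation (the injection flaw from the list above) and one parameterized with input validation, and classifies how each copes. The SQLite table, user names and the list of unacceptable inputs are all constructed for this example.

```python
import sqlite3

def make_db():
    # Constructed sample data: two users in an in-memory SQLite table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concat(conn, name):
    # Builds the SQL by concatenation: the injection flaw the Top 10 list names.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, name):
    # Hardened version: reject out-of-range input, then bind it as a parameter.
    if not 1 <= len(name) <= 32:
        raise ValueError("unacceptable username")
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Constructed unacceptable inputs: empty, overlong, quote-breaking, non-ASCII.
UNACCEPTABLE = ["", "a" * 1000, "'", "' OR '1'='1", "' OR name = 'alice", "ünïcödé"]

def negative_test(lookup):
    """Run every unacceptable input through `lookup` and record the outcome:
    'rejected' = controlled ValueError, 'empty' = no rows (acceptable),
    'leak' = rows returned for a name that matches no real user,
    'crash' = unhandled database error."""
    outcomes = {}
    for bad in UNACCEPTABLE:
        try:
            rows = lookup(make_db(), bad)
        except ValueError:
            outcomes[bad] = "rejected"
        except sqlite3.Error:
            outcomes[bad] = "crash"
        else:
            outcomes[bad] = "leak" if rows else "empty"
    return outcomes

def passes(lookup):
    # The negative test passes only if no input leaks data or crashes the query.
    return all(o in ("rejected", "empty") for o in negative_test(lookup).values())
```

Running `passes(lookup_concat)` reports the failure while `passes(lookup_param)` holds, which is the kind of requirement-level check the text describes: unacceptable input must not turn into a significant failure.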