Most of us use the internet on a daily basis. As the number of internet users continues to grow, more personal and sensitive information is collected - information that firms need to protect. From online banking and ordering food to calling a cab, paying bills, and booking hotels, our lives are highly plugged-in. With this, the onus is placed on the organizations providing these services to ensure that their users' information is secure. Additionally, companies must be compliant with established laws and regulations mandating the safekeeping of customer data.
What options are available to ensure this safekeeping? With a wide array of security testing, let's examine how different types of software testing can help organizations achieve security goals.
When Do I Need Security Testing?
Software security testing is a type of security testing that aims to reveal loopholes and weaknesses in the security mechanism of applications and systems. When these weaknesses are exploited, the results could include:
- Information loss
- Monetary loss
- Damage to reputation
- Customer dissatisfaction
- Life risk
Conducting a security assessment is a must if an organization wants to ensure that their customers gain and retain their trust. The prime objective of security testing initiatives is to determine whether an application's data and resources are protected from potential intruders and if the application is vulnerable to common and sophisticated attacks.
What Does Security Testing Consist Of?
Security testing not only refers to testing the end product for security issues. It also ensures that plenty of proactive assurance techniques are being built in from the beginning of software development. A good security testing practice accounts for security assurance activities such as penetration testing, code review, and architecture analysis as integral elements of the development effort.
A security assessment normally starts by ensuring that the application includes the following attributes:
While security verification (i.e., testing) is an identified phase within the software development lifecycle (SDLC), it should be followed throughout the development process. Here's how to ensure your firm is including security throughout development and implementing critical attributes.
What Services Can Help My Firm Meet Security Goals?
Architecture Risk Assessment
Any piece of software's development begins with its architecture. A risk assessment should take place on the architecture to make sure security is included from the very beginning. Here are three strategies to enforce early security involvement:
- Threat modeling identifies a system's major software components, threats, security controls, assets, and trust boundaries. Together these describe the attack surface. Analysts identify where:
- Design violates security design patterns.
- System omits security controls.
- Security controls suffer from misconfiguration, weakness, or misuse.
- Architecture risk analysis (ARA) conducts a thorough review of the software design using the following types of analysis:
- Attack resistance analysis
- Underlying framework analysis
- Ambiguity analysis
Architecture risk analysis also often includes verification of architecture flaws through source code analysis or penetration testing.
- A security architecture survey (SAS) evaluates an application’s design and deployment to determine whether it conforms to industry best practices. The results of a SAS are often used for compliance purposes or to drive additional security activities. The goal of the survey is to identify common architecture and design flaws.
Once the architecture is laid out, developers and engineers can benefit from a developer-friendly static analysis tool which can be easily integrated into the SDLC and allows the developer to deliver better software, faster. This is also referred to as static application security testing (SAST) and can provide remediation advice earlier in the life cycle, helping resolve vulnerabilities before they become a costly, time-consuming mistake.
Written code can also be scanned with static analysis tools to offer an additional depth to the secure code review processes. Thus, finding and eliminating common and critical software security vulnerabilities within the source code.
Application Security Testing
When an application is ready for quality and assurance testing, it's also ready for security testing. Dynamic application security testing (DAST) is a security scan that uses automated tools to identify common vulnerabilities within running web applications or web services - without the need for source code. This solution is ideal for internally-facing, low-risk applications that need to comply with regulatory security assessments. It can also be used for externally-facing applications; however, using DAST alone will not be sufficient.
Based on the type of application, organizations can also choose from the following manual penetration testing options. Each include client-side and server-side testing capabilities. These assessments can be white box (accompanied by source code), black box (testing without access to source code), or gray box (with some information - like configuration files - but without complete access to source code). Additionally, the duration and depth of analysis can be coordinated on a case by case basis.
- Web application security penetration test. The application is written in one of the popular languages. Frameworks are tested for possible injection points and common vulnerabilities.
- Mobile application penetration test. This includes the testing of applications written for the most popular mobile operating systems such as iOS, Android, Windows, and Blackberry.
- Thick clients (desktop) application penetration test. Testing of the application written for desktop consumption.
Infrastructure Security Testing
The infrastructure is often considered to be one of the most important aspects of maintaining software security. An unpatched piece of software risks exploitation. Leaking sensitive information can, as you probably well know, cause great monetary loss to a firm. Infrastructure testing assists the organization, ensuring that the network is equipped to withstand such issues through the following approaches:
- Network security penetration testing employs automated scanning and a manual testing checklist including test cases for encrypted transport protocols, SSL certificate scoping issues, use of administrative services, etc. Additionally, manual checks are conducted that are not normally found with automated testing. For example, vulnerabilities related to complex routing paths, access control configurations, business logic, and any functionality that is available through the exposed network services.
- Wireless penetrating testing. This engagement is carried out on the client-side with the assessor having access to the wireless network and covers configurations, wireless encryption standards, authentication, etc.
- Secure build of configuration review. This review ensures that the hosts have been properly hardened and patched. Permissions policies, password policies, and security settings are also tested. This can be included as a part of the network and wireless security test.
- Red Teaming. A combination of network, physical and social engineering techniques. It is used to assess an organization's security with the client's staff not being made aware of it. It also allows an organization to analyze its employees' security awareness and its own readiness against a real-world breach attempt.
Cloud Security Review
Cloud security is becoming essential as more and more companies deploy their infrastructure on cloud services like AWS, Azure, and Google Cloud. A cloud security assessment starts with an understanding of the application's business and technical context via document review and interviews with key stakeholders. Next, the application's configuration is reviewed for security gaps, focusing on in-scope services and regions.
Embedded security is different from other software testing methods as it is typically specialized for the particular hardware that it runs on. The testing of the embedded system includes firmware analysis and hardware security testing. Industries dealing in medical devices, automotive, and avionics commonly utilize embedded devices.
Summing it Up
Building reliable software is the usual axiom of software companies. This also means that the application can protect the data that it handles. There are quite a few options to choose from for security testing. Organizations should strive to understand the kind of security testing that they can benefit from. They should also attempt to prioritize efforts to achieve the level of security required for their industry (at the very least).