Security testing has become a critical aspect of the quality assurance process. Given the number of malicious actors lurking in cyberspace with an eye on exploiting software vulnerabilities, QA teams must be proactive about identifying and addressing such weak points. Penetration testing is arguably the most helpful form of security testing when it comes to finding and plugging holes in an app's structure and defense. With that in mind, QA leaders should ensure that everyone on their team is well-acquainted with the methodology.
As TechTarget explained, pen tests can actually extend to a large number of tasks, ranging from white-hat-style attacks to tests designed to gauge the security awareness of an organization's employees. For most QA teams, their use of penetration testing will largely be confined to identifying weaknesses in the software itself, rather than organizational protocols.
Types of penetration testing to know
There are a number of strategies that fall under the penetration testing umbrella, representing a lot of ground for QA teams to cover. Some of the most important approaches to know include:
- Internal testing - The goal here is to simulate what would happen if a company's own employee attempted to carry out an attack from within. Although many organizations concern themselves with outside threats, many breaches occur because of someone inside the company itself. Internal testing can help businesses identify weaknesses in their second or third lines of defense, as an insider attack will bypass perimeter safeguards altogether.
- External testing - External testing is perhaps the most widely used form of penetration testing. Here, QA specialists probe application security as an external threat might, finding vulnerabilities in everything from firewall protection to domain name servers.
- Double-blind testing - The benefit of double-blind testing is that it often catches development teams and IT staff by surprise. In many other instances of penetration testing, everyone involved in the software project is aware that the app's security is going to be probed. That's not the case here. True double-blind testing involves notifying only the bare minimum number of people before being carried out. This way, QA teams can determine how the organization and software will actually react in the event of a breach attempt.
Prioritizing pen tests
Even with penetration testing, it's possible for QA teams to miss harmful vulnerabilities and defects in the software. This happens when the testing is focused on identifying smaller bugs that will have little impact on app performance or data integrity if they are exploited. To prevent these types of instances, a report published by IEEE Security & Privacy recommended taking a risk-based approach to penetration testing. QA specialists should look to run risk analyses from the outset of the project and run pen tests based on those findings.
"[A] penetration test must be structured according to perceived risk and offer some kind of metric relating risk measurement to the software's security posture at the time of the test," the report stated. "Results are less likely to be misconstrued and used to declare pretend security victory if they're related to business impact through proper risk management."
Organizations can further support their security testing efforts by implementing a comprehensive test management platform. This way, QA members can share various documents and files with everyone involved, keeping all project stakeholders apprised of security testing progress.