What is Security Testing?
Security testing checks whether software is vulnerable to cyber attacks, and tests the impact of malicious or unexpected inputs on its operations. Security testing provides evidence that systems and information are safe and reliable, and that they do not accept unauthorized inputs.
Security testing is a type of non-functional testing. Unlike functional testing, which focuses on whether the software’s functions are working properly (“what” the software does), non-functional testing focuses on whether the application is designed and configured correctly (“how” it does it).
Main goals of security testing:
- Identify assets—things that need to be protected, such as software applications and computing infrastructure.
- Identify threats and vulnerabilities – activities that can cause damage to an asset, or weaknesses in one or more assets that can be exploited by attackers.
- Identify risk—security testing aims to evaluate the risk that specific threats or vulnerabilities will cause a negative impact to the business. Risk is evaluated by identifying the severity of a threat or vulnerability, and the likelihood and impact of exploitation.
- Perform remediation—security testing is not just a passive evaluation of assets. It provides actionable guidance for remediating vulnerabilities discovered, and can verify that vulnerabilities were successfully fixed.
Key principles of security testing
Security testing aims to ensure that an organization’s systems, applications, and data upholds the following security principles:
- Confidentiality – limiting access to sensitive access managed by a system.
- Integrity – ensuring that data is consistent, accurate, and trustworthy throughout its lifecycle and cannot be modified by unauthorized entities.
- Authentication – ensuring sensitive systems or data are protected by a mechanism that verifies the identity of the individual accessing them.
- Authorization – ensuring sensitive systems or data properly control access for authenticated users according to their roles or permissions.
- Availability – ensuring that critical systems or data are available for their users when they are needed.
- Non-repudiation – ensures that data sent or received cannot be denied, by exchanging authentication information with a provable time stamp.
In this article, you will learn:
- Types Of Security Testing
- Security Test Cases and Scenarios
- Security Testing Approaches
- What Is DevSecOps?
- Data Security Testing
- Security Testing Tools
- Security Testing Best Practices
- Security Testing with Bright Security
Types Of Security Testing
Penetration Testing (Ethical Hacking)
Penetration testing is the process of stimulating real-life cyber attacks against an application, software, system, or network under safe conditions. It can help evaluate how existing security measures will measure up in a real attack. Most importantly, penetration testing can find unknown vulnerabilities, including zero-day threats and business logic vulnerabilities.
Penetration testing was traditionally done manually by a trusted and certified security professional known as an ethical hacker. The hacker works under an agreed scope, attempting to breach a company’s systems in a controlled manner, without causing damage. In recent years, automated penetration testing tools are helping organizations achieve similar benefits at lower cost and with higher testing frequency.
Learn more in our detailed guide to penetration testing
Application Security Testing (AST)
Application security testing describes methods organizations can use to find and eliminate vulnerabilities in software applications. These methods involve testing, analyzing, and reporting on the security posture of a software application throughout the software development lifecycle (SDLC).
The main goal of AST is to prevent software vulnerabilities before applications are released to the market, and failing that, quickly identify and remediate them in production. Successful AST results in more robust, secure source code, greater visibility over application security issues, and improved protection against internal and external threats.
Learn more in the detailed guide to application security
Web Application Security Testing
The goal of web application security testing is to determine whether a web application is vulnerable to attack. It covers a variety of automatic and manual techniques.
Web application penetration testing aims to gather information about a web application, discover system vulnerabilities or flaws, investigate the success of exploiting these flaws or vulnerabilities, and evaluate the risk of web application vulnerabilities.
The Open Web Application Security Project (OWASP) is a community dedicated to discovering and reporting security vulnerabilities in web applications.
Learn more in our detailed guide to web application penetration testing
API Security Testing
API security testing helps identify vulnerabilities in application programming interfaces (APIs) and web services, and assist developers in remediating those vulnerabilities. APIs provide access to sensitive data, and attackers can use them as an entry point to internal systems. Testing APIs rigorously and regularly can protect them from unauthorized access and abuse.
APIs are especially vulnerable to threats like man in the middle (MiTM) attacks, in which attackers can eavesdrop on API communications and steal data or credentials, API injections, in which attackers can inject malicious code to internal systems, and denial of service (DoS), in which attackers flood APIs with fake traffic to deny service to legitimate users.
To mitigate these threats, an API must be verified to have strong authentication of user requests, authorization of users in accordance with the principle of least privilege, encryption of all communication using SSL/TLS, and sanitization of user inputs to prevent code injection and tampering.
Learn more in our detailed guide to API security testing
Vulnerability management is a continuous process that enables an organization to identify, assess, report, manage, and remediate security vulnerabilities across endpoints, workloads, and networks. Security teams typically use vulnerability scanning tools to detect vulnerabilities and implement manual or automatic processes to fix them.
A robust vulnerability management program uses threat intelligence and leverages IT operations knowledge to understand the real business impact of vulnerabilities, prioritize risks, and remediate high priority vulnerabilities as quickly as possible.
Learn more in the detailed guide to vulnerability management
Security scanning, also known as configuration scanning, is the process of identifying misconfigurations of software, networks and other computing systems. This type of scanning typically checks systems against a list of best practices, specified by research organizations or compliance standards.
Automated configuration scanning tools identify misconfigurations, and provide a report with more details on each misconfiguration, with suggestions how to resolve them.
A security audit is a structured process for reviewing/auditing an application/software according to a defined standard. Audits usually involve reviews of code or architectures in light of security requirements, analyzing security gaps, and assessing the security posture of hardware configurations, operating systems, and organizational practices. It also evaluates compliance with regulations and compliance standards.
Risk assessment allows an organization to identify, analyze and classify the security risks faced by its business-critical assets. A risk assessment can help understand what are the most important threats to an organization’s infrastructure, and prioritize remediation of systems. It can also help with long-term planning and budgeting of security investments.
Security Posture Assessment
A security posture assessment combines security scans, ethical hacking, and risk assessment to identify not only the risks facing an organization, but also its current security controls and how effective they are. It can identify gaps in the current security posture, and recommend changes or improvements that will improve security for protected assets.
Security Test Cases and Scenarios
Security testing for authentication systems should include the following:
- Check password rules—test the password security level and quality required by the site.
- Identify username enumeration vulnerabilities—check if the error differs depending on whether there is a user.
- Test password strength—the minimum requirements to create a password.
- Identify account recovery vulnerabilities—check if attacks can recover accounts (i.e., by changing emails or passwords).
- Check username strength—ensure usernames are unique.
- Identify fail-open authentication—check if the system provides open access even when authentication fails.
- Verify cookie scoping—check if cookies are scoped to the domain or if attackers can steal them.
Input validation testing should include the following:
- Fuzz request parameters—check for reflected parameters and open redirection.
- Identify SQL injection vulnerabilities—check if the system handles parameters as SQL.
- Identify SOAP injection vulnerabilities—check if the application responds to SOAP.
- Identify LDAP injection vulnerabilities—test for failure to sanitize inputs.
- Identify XML injection vulnerabilities—check if injected XML impacts the application.
- Identify XXE injection vulnerabilities—check if attackers can inject external entities.
Application and Business Logic
These test cases are important for security testing and require manual intervention (they are too complex to automate, given the uniqueness of each application’s logic). The tests should include the following:
- Determine the application logic attack surface—what the application does.
- Check data transmission from clients—see if information transfers differ between applications.
- Identify input validation on the client-side—check where the application bases its logic.
- Identify logic flaws in multi-step processes—check if bypassing steps is possible.
- Test incomplete input handling—check if the application processes faulty input.
- Check trust relationships—for example, if users can access admin functions.
There are additional miscellaneous tests to help ensure an application’s security and identify the following vulnerabilities:
- DOM vulnerabilities like XSS.
- Lack of HTTP security headers.
- Local privacy vulnerabilities.
- Weak and persistent cookies.
- Weak SSL ciphers.
- URL parameters containing sensitive information.
Security Testing Approaches
Black Box Testing
In black box testing, the security tester evaluates a system’s security from the outside without knowing the internal processes generating responses. A black box is an opaque system, meaning that only the inputs and outputs are observable. In some cases, the tester ignores the system’s internal structure even if it is possible to understand it.
Black box testing ensures a separation between the tester and code creator. It forces the tester to adopt an outsider’s perspective to test the software as an attacker might approach it. The social and technical separation between the test and the software development process enables the tester to challenge the creator – for example, by manipulating the application in a way the developer didn’t consider.
Learn more in the detailed guide to black box testing (coming soon)
White Box Testing
In white box testing, the tester designs test cases and tests based on the software’s source code. The tester knows and understands the code structure instead of black box testing or gray box testing (where the tester has limited knowledge of the code structure). It is also known as clear, transparent, or glass box testing due to this observability.
The white box testing technique focuses on an application’s internal workings and software components to test its design and structure from the inside. Testing teams can apply this technique for system, integration, and unit tests.
Learn more in the detailed guide to white box testing (coming soon)
Gray Box Testing
Gray box testing is a hybrid of white box and black box testing – black box testing involves a test object with an unknown internal structure; white box testing requires the application’s internal structure to be fully known. In gray box testing, the tester has a partial view of the internal structure and workings of the system.
Testers can base their tests on a limited understanding of the application’s underlying architecture and code. The test object is thus semi-transparent or “gray.” This approach combines white box and black box testing techniques to extract the best out of both. Gray box testers merge the code targeting of a white box test with the diverse, innovative approaches of a black box test, such as functional and regression testing. Testers can simultaneously assess the software’s user surface and internal workings.
What Is DevSecOps?
DevSecOps is a software development and project management strategy that merges development, security, and operations processes. It combines these with infrastructure as a code (IaaS) to create automated, continuous delivery pipelines.
The central aim of a DevSecOps pipeline is to enable automation, monitoring, and other security processes implemented throughout the software development lifecycle. It bakes security into each stage, including the planning, development, building, testing, release, delivery, and deployment stages.
Incorporating security into every part of the development process is important for continuous integration (CI) and reduces compliance costs. It also enables teams to deliver secure software faster while reducing the risk of costly bugs and rollbacks. In a DevSecOps framework, every team member shares responsibility for security from the beginning – employees must make informed decisions and consider security at every step.
Learn more in the detailed guide to DevSecOps
Data Security Testing
Data security is a challenging task for most organizations. Most companies spend a significant portion of their security budget protecting sensitive data from attacks. Business data is a core part of most critical business processes, and data breaches can expose organizations to compliance and legal risk, reputational damage, and financial losses.
To secure data, organizations must test their security controls to ensure they meet the organization’s security requirements, as well as compliance with government regulations and industry standards. In many cases, compliance standards explicitly require security testing to prove to auditors that data is properly secured.
Learn more in the detailed guide to data security
Data Security Audits
Organizations should conduct data security audits at least once every few months. This makes it possible to identify risks and weaknesses in data security mechanisms. While audits can be performed by internal security or compliance teams, there is value in contracting third-party auditors or penetration testers. Voluntary audits can discover important security issues and remediate them, before the organization is subjected to a risky, stressful external audit.
The main output of a data security audit is a security report that details weaknesses and missing pieces in the data security model. Efforts must be invested in prioritizing these weaknesses and remediating them to improve data security readiness.
Compliance testing is the process of monitoring and evaluating systems, devices, networks, and cloud environments to ensure compliance with regulatory requirements and industry cybersecurity standards.
Tracking compliance is not always easy, especially in highly regulated industries and sectors. Regulations and standards change often, and can have highly detailed requirements affecting every aspect of the IT environment. Today, most organizations are migrating workloads to the cloud, and the dynamic nature of cloud environments can make compliance more challenging.
Compliance testing can involve tracking sensitive assets, checking for personally identifiable information, and conducting drills or penetration tests to verify that the organization is prepared for a breach. A key part of compliance testing is data discovery and classification—understanding where sensitive data relies, and then confirming that the appropriate security measures are in place.
Learn more in the detailed guide to compliance in the cloud
Cloud Native Security Testing
Cloud native is a collection of design principles and technologies that create applications that can take full advantage of cloud environments. Cloud-native development models, including containerization and serverless computing, aim to increase scalability and elasticity and enable faster development and deployment.
One of the challenges of cloud-native environments is low visibility. A cloud native application can have a large number of moving parts, most of which are ephemeral and short-lived. Cloud-native security testing involves discovering elements of a cloud native application and identifying security weaknesses, such as misconfigurations, missing security best practices, and vulnerabilities.
Two important focus areas of cloud native security testing are container image scanning and infrastructure as code (IaC) scanning. IaC templates are an important attack surface because they are used to automatically create cloud-native resources at scale.
Learn more in the detailed guide to cloud native security
Database Security Testing
Database security involves protecting database servers such as Oracle, Microsoft SQL Server, and MySQL, from unauthorized access and cyberattacks. Databases commonly hold mission critical business information, and so are a valuable target for attackers.
Database security testing aims to test the security posture of key elements of a database including the underlying database management system (DBMS), its hosting server, the data stored in the database, applications connected to the database server, and network infrastructure used to access the database.
An important aspect of database security testing is to check for common database threat vectors such as SQL injection, NoSQL injection, and local file injection (LFI). Database security testing aims to identify security weaknesses in databases and provide actionable insights that can help protect databases from intrusion, misuse, and compromise.
Cloud Data Testing
Cloud testing is the process of testing software applications deployed on cloud computing resources in an infrastructure as a service (IaaS) model, or served by third-party service providers in a platform as a service (PaaS) or software as a service (SaaS) model.
Cloud data testing can ensure optimal data performance, availability, and security, and minimize downtime of the relevant infrastructure or platform.
A central focus of cloud data testing is to ensure that promises made by cloud and SaaS providers are fulfilled. For example, cloud data testing can verify that providers are meeting performance SLAs, test if data is actually replicated to several locations, and verify that disaster recovery processes are functioning correctly.
Security Testing Tools
Static Application Security Testing (SAST)
SAST tools assess the source code while at rest. The purpose of SAST is to identify exploitable flaws and provide a detailed report including findings and recommendations.
You can run SAST to detect issues in source code, to detect issues such as input validation, numerical errors, path traversals, and race conditions. SAST can also be used on compiled code, but this requires binary analyzers.
Learn more in the detailed guide to SAST
Dynamic Application Security Testing (DAST)
DAST tools examine the application during runtime. The purpose of DAST is to detect exploitable flaws in the application while it is running, using a wide range of attacks.
A DAST tool often uses fuzzing to throw large volumes of known invalid errors and unexpected test cases at the application, trying to detect conditions during which the application can be exploited.
You can run DAST checks to check a wide range of components, including scripting, sessions, data injection, authentication, interfaces, responses, and requests.
Learn more in our detailed guide to DAST
Interactive Application Security Testing (IAST)
IAST tools leverage both static and dynamic testing to create a hybrid testing process. The goal is to determine if known source code vulnerabilities are exploitable during runtime. IAST tools are often employed for the purpose of reducing the amount of false positives.
An IAST tool combines various testing techniques to create multiple advanced attack scenarios, using pre-collected information about the data flow and application flow. Then, the tools recursively perform dynamic analysis.
Dynamic analysis cycles ensure that the IAST tool continues to learn more about the application, according to how the application responds to each test case. Depending on the capabilities of the solution, the tool may use the analysis to create new test cases to gain more insights about the application.
Software Composition Analysis (SCA)
Software Configuration Analysis (SCA) is a technology used to manage and secure open source components. Development teams can use SCA to quickly track and analyze the open source components deployed in their projects.
SCA tools can detect all relevant components, libraries that support them, as well as direct and indirect dependencies. In each of these components, they can identify vulnerabilities and suggest remediation. The scanning process creates a Bill of Materials (BOM) that provides a complete list of the project’s software assets.
Security Testing Best Practices
Here are a few best practices that can help you implement security testing and practice it successfully.
Shift Security Testing Left
With the shift to DevSecOps—closer collaboration between developers, security, and operations teams—organizations are adding security practices earlier in the development process. It is common to integrate security testing tools into the continuous integration / continuous delivery (CI/CD) cycle.
Shifting security testing left can help developers understand security issues and implement security best practices while software is under development. It can also help testers find security issues early before the software goes into production. Finally, operations and security teams can use security testing in production to uncover issues and work with other teams to remediate them.
Test Internal Interfaces, not Just APIs and UIs
Security testing commonly focuses on external threats, such as user inputs from publicly available web forms. However, it is increasingly common for attackers to exploit weaknesses in internal systems. You should use security testing to verify that there are secure interfaces between internal systems, and that insider threats or compromised accounts cannot be used to escalate privileges. This moves your organization closer to a zero trust security model.
Automate and Test Often
While it is important to perform manual security testing, such as full penetration tests or security audits, organizations must automate security testing and perform it frequently—preferably with every change to applications or computing infrastructure.
Enterprise applications use a large number of components that may require security updates or may no longer be supported by software vendors. Test business critical systems often, give high priority to security issues that affect them, and urgently devote resources to fixing them.
Third-Party Components and Open Source Security
Organizations must adopt security testing for third-party code used in their applications, especially open source components.
It is unwise to trust commercial software, and equally important to test open source components, which may require updates or may not be properly secured. You should scan and remediate third-party code just like you would your own, and prioritize updates, remediation, or replacement of unsecure components.
Security Testing with Bright Security
Bright Security helps address the shortage of security personnel, enabling AppSec teams to provide governance for security testing, and enabling every developer to run their own security tests.
Brightempowers developers to incorporate an automated Dynamic Application Security Testing (DAST), earlier than ever before, into their unit testing process so they can resolve security concerns as part of their agile development process. Bright’s DAST platform integrates into the SDLC fully and seamlessly:
- Test results are provided to the CISO and the security team, providing complete visibility into vulnerabilities found and remediated
- Tickets are automatically opened for developers in their bug tracking system so they can be fixed quickly
- Every security finding is automatically validated, removing false positives and the need for manual validation
Bright Security can scan any target, whether Web Apps, APIs (REST/SOAP/GraphQL) and Websockets to help enhance DevSecOps and achieve regulatory compliance with our real-time, false positive free actionable reports of vulnerabilities. In addition, our ML-based DAST solution provides an automated solution to identify Business Logic Vulnerabilities.