What is Security Testing?
Security testing checks whether software is vulnerable to cyber attacks, and tests the impact of malicious or unexpected inputs on its operations. Security testing provides evidence that systems and information are safe and reliable, and that they do not accept unauthorized inputs.
Security testing is a type of non-functional testing. Unlike functional testing, which focuses on whether the software’s functions are working properly (“what” the software does), non-functional testing focuses on whether the application is designed and configured correctly (“how” it does it).
Security testing is structured around several key elements:
- Assets: things that need to be protected, such as software applications and computing infrastructure.
- Threats and vulnerabilities: activities that can cause damage to an asset, or weaknesses in one or more assets that attackers can exploit. Vulnerabilities include unpatched operating systems or browsers, weak authentication, and the absence of basic security controls such as firewalls.
- Risk: security testing aims to evaluate the risk that specific threats or vulnerabilities will have a negative impact on the business. Risk is evaluated by identifying the severity of a threat or vulnerability, and the likelihood and impact of exploitation.
- Remediation: security testing is not just a passive evaluation of assets. It provides actionable guidance for remediating the vulnerabilities discovered, and can verify that vulnerabilities were successfully fixed.
In this article, you will learn:
- Types Of Security Testing
- Security Testing Tools
- Security Testing Best Practices
- Security Testing with Bright
Types Of Security Testing
Vulnerability Scanning
Vulnerability scanning is performed by automated tools. It is used to identify known vulnerabilities in software components, evaluate those vulnerabilities to determine the risk to the organization, and assist with remediation.
Penetration Testing (Ethical Hacking)
Penetration testing is the process of simulating real-life cyber attacks against an application, software, system, or network under safe conditions. It can help evaluate how existing security measures will hold up in a real attack. Most importantly, penetration testing can find unknown vulnerabilities, including zero-day threats and business logic vulnerabilities.
Penetration testing was traditionally done manually by a trusted and certified security professional known as an ethical hacker. The hacker works under an agreed scope, attempting to breach a company’s systems in a controlled manner, without causing damage. In recent years, automated penetration testing tools are helping organizations achieve similar benefits at lower cost and with higher testing frequency.
For example, Bright provides a penetration testing platform powered by artificial intelligence (AI). It automatically scans multiple layers of the IT environment and provides reports on vulnerabilities, including zero-day and complex business logic vulnerabilities.
Learn more in our detailed guide to penetration testing (coming soon)
Web Application Security Testing
The goal of web application security testing is to determine whether a web application is vulnerable to attack. It covers a variety of automatic and manual techniques.
Web application penetration testing aims to gather information about a web application, discover system vulnerabilities or flaws, investigate the success of exploiting these flaws or vulnerabilities, and evaluate the risk of web application vulnerabilities.
The Open Web Application Security Project (OWASP) is a community dedicated to discovering and reporting security vulnerabilities in web applications.
Learn more in our detailed guide to web application penetration testing
API Security Testing
API security testing helps identify vulnerabilities in application programming interfaces (APIs) and web services, and assists developers in remediating those vulnerabilities. APIs provide access to sensitive data, and attackers can use them as an entry point to internal systems. Testing APIs rigorously and regularly can protect them from unauthorized access and abuse.
APIs are especially vulnerable to threats such as:
- Man in the middle (MiTM) attacks, in which attackers eavesdrop on API communications and steal data or credentials.
- API injection, in which attackers inject malicious code into internal systems through the API.
- Denial of service (DoS), in which attackers flood APIs with fake traffic to deny service to legitimate users.
To mitigate these threats, an API must be verified to have strong authentication of user requests, authorization of users in accordance with the principle of least privilege, encryption of all communication using SSL/TLS, and sanitization of user inputs to prevent code injection and tampering.
Learn more in our detailed guide to API security testing
Security Scanning (Configuration Scanning)
Security scanning, also known as configuration scanning, is the process of identifying misconfigurations of software, networks and other computing systems. This type of scanning typically checks systems against a list of best practices specified by research organizations or compliance standards.
Automated configuration scanning tools identify misconfigurations and provide a report with more details on each misconfiguration, along with suggestions on how to resolve them.
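To make the description concrete, here is an added example (not Bright's code and not taken from any particular benchmark) of the core of such a scanner: it parses a constructed sshd_config-style text, checks each directive against a small rule list, and reports each misconfiguration with a severity and a suggested fix. The rule thresholds and the "default if absent" values are assumptions chosen for the example.

```python
"""Toy configuration scanner: parse an sshd_config-style text, check each
directive against a best-practice rule list, and report misconfigurations
with severity and a suggested fix. Added example, not Bright's code; the
sample config and the rule list are constructed for illustration."""

# Constructed sample config, deliberately containing weak settings.
SAMPLE_CONFIG = """
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 10
# X11Forwarding yes   (commented out, so the parser must ignore it)
"""

# directive -> (is_compliant predicate, assumed default if absent, severity, remediation).
# Defaults are assumptions for this example, not values quoted from OpenSSH documentation.
RULES = {
    "PermitRootLogin":        (lambda v: v == "no", "yes", "high",
                               "set 'PermitRootLogin no' and use sudo for admin tasks"),
    "PasswordAuthentication": (lambda v: v == "no", "yes", "medium",
                               "set 'PasswordAuthentication no' and require key-based login"),
    "PermitEmptyPasswords":   (lambda v: v == "no", "no", "high",
                               "set 'PermitEmptyPasswords no'"),
    "MaxAuthTries":           (lambda v: v.isdigit() and int(v) <= 4, "6", "low",
                               "set 'MaxAuthTries 4' or lower to slow down password guessing"),
}

def parse_config(text):
    """Return {directive: value}; comments and blank lines are skipped, keys compared case-insensitively."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (toy rule: '#' anywhere)
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.strip().lower()] = value.strip()
    return settings

def scan(text):
    """Evaluate every rule; a directive missing from the file is checked at its assumed default."""
    settings = parse_config(text)
    findings = []
    for directive, (is_ok, default, severity, fix) in RULES.items():
        value = settings.get(directive.lower(), default)
        if not is_ok(value):
            findings.append({"directive": directive, "value": value,
                             "severity": severity, "remediation": fix})
    # Report the most severe items first, as a scanner's report would.
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f["severity"]))
```

Running `scan(SAMPLE_CONFIG)` yields three findings (root login, password authentication, MaxAuthTries), while a config with those three directives corrected yields none.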
Security Audit
A security audit is a structured process for reviewing an application or piece of software against a defined standard. Audits usually involve reviews of code or architecture in light of security requirements, analysis of security gaps, and assessment of the security posture of hardware configurations, operating systems, and organizational practices. An audit also evaluates compliance with regulations and compliance standards.
Risk Assessment
Risk assessment allows an organization to identify, analyze and classify the security risks faced by its business-critical assets. A risk assessment can help the organization understand the most important threats to its infrastructure and prioritize remediation of systems. It can also help with long-term planning and budgeting of security investments.
Security Posture Assessment
A security posture assessment combines security scans, ethical hacking, and risk assessment to identify not only the risks facing an organization, but also its current security controls and how effective they are. It can identify gaps in the current security posture, and recommend changes or improvements that will improve security for protected assets.
Security Testing Tools
Static Application Security Testing (SAST)
SAST tools assess the source code while at rest. The purpose of SAST is to identify exploitable flaws and provide a detailed report including findings and recommendations.
You can run SAST on source code to detect issues such as missing input validation, numerical errors, path traversal, and race conditions. SAST can also be applied to compiled code, but this requires binary analyzers.
Learn more in our detailed guide to SAST
Dynamic Application Security Testing (DAST)
DAST tools examine the application during runtime. The purpose of DAST is to detect exploitable flaws in the application while it is running, using a wide range of attacks.
A DAST tool often uses fuzzing to throw large volumes of known-invalid inputs and unexpected test cases at the application, trying to detect conditions under which the application can be exploited.
You can use DAST to check a wide range of components, including scripting, sessions, data injection, authentication, interfaces, responses, and requests.
Learn more in our detailed guide to DAST
Interactive Application Security Testing (IAST) and Hybrid Tools
IAST tools leverage both static and dynamic testing to create a hybrid testing process. The goal is to determine if known source code vulnerabilities are exploitable during runtime. IAST tools are often employed for the purpose of reducing the amount of false positives.
An IAST tool combines various testing techniques to create multiple advanced attack scenarios, using pre-collected information about the data flow and application flow. Then, the tools recursively perform dynamic analysis.
Dynamic analysis cycles ensure that the IAST tool continues to learn more about the application, according to how the application responds to each test case. Depending on the capabilities of the solution, the tool may use the analysis to create new test cases to gain more insights about the application.
Software Composition Analysis (SCA)
Software Composition Analysis (SCA) is a technology used to manage and secure open source components. Development teams can use SCA to quickly track and analyze the open source components deployed in their projects.
SCA tools can detect all relevant components, libraries that support them, as well as direct and indirect dependencies. In each of these components, they can identify vulnerabilities and suggest remediation. The scanning process creates a Bill of Materials (BOM) that provides a complete list of the project’s software assets.
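The following added example (not Bright's code, and not any real SCA tool) shows the core of what the paragraph describes: walking a lockfile-style dependency graph to collect direct and indirect dependencies, emitting a BOM, and matching each component against an advisory list. All package names, versions and advisory identifiers are constructed for the example; they refer to no real software.

```python
"""Toy SCA pass: resolve direct and transitive dependencies, emit a BOM, and
match each component against an advisory list. Added example, not Bright's
code; the package graph and the advisories are constructed and fictional."""
from dataclasses import dataclass

# Constructed lockfile view: package -> (pinned version, [dependency names]).
PACKAGE_GRAPH = {
    "acme-webapp": ("1.0.0", ["libhttp", "libyamlish"]),
    "libhttp":     ("2.25.1", ["libconn", "certbundle"]),
    "libconn":     ("1.26.4", []),
    "certbundle":  ("2021.5.30", []),
    "libyamlish":  ("5.3.1", []),
}

# Constructed advisories: every version strictly below `fixed` is affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "libconn", "fixed": "1.26.5", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "package": "libyamlish", "fixed": "5.4", "severity": "critical"},
    {"id": "EXAMPLE-ADV-0003", "package": "certbundle", "fixed": "2020.1.1", "severity": "low"},
]

def parse_version(v):
    """Dotted numeric versions only; tuples compare component-wise."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    direct: bool   # True if listed by the project itself, False if pulled in transitively

def build_bom(root):
    """Walk the graph from `root`: its own dependencies are direct, deeper ones indirect.
    A package reached first via an indirect path keeps that flag (toy simplification)."""
    bom, stack = {}, [(dep, True) for dep in PACKAGE_GRAPH[root][1]]
    while stack:
        name, direct = stack.pop()
        if name in bom:
            continue
        version, deps = PACKAGE_GRAPH[name]
        bom[name] = Component(name, version, direct)
        stack.extend((d, False) for d in deps)
    return sorted(bom.values(), key=lambda c: c.name)

def find_vulnerable(bom):
    """Match BOM entries against advisories and attach a remediation for each hit."""
    findings = []
    for comp in bom:
        for adv in ADVISORIES:
            if adv["package"] == comp.name and parse_version(comp.version) < parse_version(adv["fixed"]):
                findings.append({"id": adv["id"], "component": f"{comp.name}=={comp.version}",
                                 "direct": comp.direct, "severity": adv["severity"],
                                 "remediation": f"upgrade {comp.name} to >= {adv['fixed']}"})
    return findings
```

Note that `libconn` is flagged even though the project never lists it: it is an indirect dependency of `libhttp`, which is exactly why the BOM has to include transitive components.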
Security Testing Best Practices
Here are a few best practices that can help you implement security testing and practice it successfully.
Shift Security Testing Left
With the shift to DevSecOps – closer collaboration between developers, security, and operations teams – organizations are adding security practices earlier in the development process. It is common to integrate security testing tools into the continuous integration / continuous delivery (CI/CD) cycle.
Shifting security testing left can help developers understand security issues and implement security best practices while software is under development. It can also help testers find security issues early before the software goes into production. Finally, operations and security teams can use security testing in production to uncover issues and work with other teams to remediate them.
Test Internal Interfaces, not Just APIs and UIs
Security testing commonly focuses on external threats, such as user inputs from publicly available web forms. However, it is increasingly common for attackers to exploit weaknesses in internal systems. You should use security testing to verify that there are secure interfaces between internal systems, and that insider threats or compromised accounts cannot be used to escalate privileges. This moves your organization closer to a zero trust security model.
Automate and Test Often
While it is important to perform manual security testing, such as full penetration tests or security audits, organizations must automate security testing and perform it frequently—preferably with every change to applications or computing infrastructure.
Enterprise applications use a large number of components that may require security updates or may no longer be supported by software vendors. Test business critical systems often, give high priority to security issues that affect them, and urgently devote resources to fixing them.
Third-Party Components and Open Source Security
Organizations must adopt security testing for third-party code used in their applications, especially open source components.
It is unwise to trust commercial software without testing it, and equally important to test open source components, which may require updates or may not be properly secured. You should scan and remediate third-party code just as you would your own, and prioritize updates, remediation, or replacement of insecure components.
Security Testing with Bright
Bright helps address the shortage of security personnel, enabling AppSec teams to provide governance for security testing, and enabling every developer to run their own security tests.
Bright empowers developers to incorporate an automated Dynamic Application Security Testing (DAST) solution into their unit testing process so they can resolve security concerns as part of their agile development process. Bright’s DAST platform integrates into the SDLC fully and seamlessly:
- Test results are provided to the CISO and the security team, providing complete visibility into vulnerabilities found and remediated
- Tickets are automatically opened for developers in their bug tracking system so they can be fixed quickly
Bright can scan any target, whether web apps, APIs (REST/SOAP/GraphQL) or WebSockets, to help enhance DevSecOps and achieve regulatory compliance with our real-time, false-positive-free, actionable vulnerability reports. In addition, our ML-based DAST solution provides an automated way to identify business logic vulnerabilities.
See Our Additional Guides on Key Application Security Topics
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of application security.
Learn how to secure application programming interfaces (API) and their sensitive data from cyber threats.
- 12 API Security Best Practices You Must Know
- Top 6 API Security Testing Tools and How to Choose
- WS-Security: Is It Enough to Secure Your SOAP Web Services?
Learn about cross site scripting (XSS) attacks which allow hackers to inject malicious code into visitor browsers.
- XSS Attack: 3 Real Life Attacks and Code Examples
- How DOM Based XSS Attacks work
- The Ultimate Beginners Guide to XSS Vulnerability
Learn about cross site request forgery (CSRF) attacks which hijack authenticated connections to perform unauthorized actions.
- CSRF tokens: What is a CSRF token and how does it work?
- CSRF Attacks: Real Life Attacks and Code Walkthrough
- CSRF vs XSS: What are their similarity and differences
Learn about XML external entities (XXE) attacks which exploit vulnerabilities in web application XML parsers.
- XXE Attack: Real life attacks and code examples
- XXE Vulnerability: Everything you need to know about XXE
- XXE Prevention: XML External Entity (XXE) Attacks and How to Avoid Them
Learn about local file inclusion (LFI) attacks which allow hackers to run malicious code on remote servers.
- File Inclusion Vulnerabilities: What are they and how do they work?
- LFI Attack: Real Life Attacks and Attack Examples
Learn about how to defend critical websites and web applications against cyber threats.