Yahoo! recently confirmed that a massive breach of its systems took place in late 2014 and that, as a result, the account information of at least 500 million users may have been stolen. According to the statement by Yahoo's spokesperson, the stolen information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.
In other news from the USA, American security agencies recently found that hackers are trying hard to penetrate voter registration databases to get at confidential information, with the election just around the corner, although according to those reports they had not yet managed to penetrate the systems.
You may have heard of many more such cyber-security breaches to add to the list. This is shocking and alarming news for users as well as for the companies that built and maintain those applications, and it is the reason security testing is becoming the talk of the town: it keeps software applications out of reach of those prying eyes.
While testing an application we normally focus on functional and performance testing, and assume that security testing is only required for banking and financial applications that involve monetary transactions, not for ordinary applications. That is a myth; in fact security testing not only prevents financial loss but also protects valuable data from slipping into the wrong hands.
Security testing lets us find the loopholes and vulnerabilities in a system that could cause big losses to the organization.
The threats to and weaknesses of the system should be identified and fixed to protect the application's valuable data.
While performing security testing, some of the basic things to keep in mind are:
Authorization − Only authorized users have access to the application, and each user can reach only the functions and data they are entitled to
Authentication − The application verifies the identity claimed by a user or system before granting access; separately, input validation should reject bogus or malicious data rather than trusting whatever the client sends
Confidentiality − Data confidentiality should remain intact and protected, both in transit and at rest
Integrity − Data should not be altered, whether in transit or in storage, without the change being detected
Nonrepudiation − Neither the sender nor the receiver can deny that the data was sent and received
It is not the case that we should only think about security testing at the testing phase of the project cycle. In fact, we should plan for it much earlier, right from the requirement analysis phase.
Perform security analysis at the requirement stage, and prepare the related scenarios, test data and test cases
Include time for security testing in your test plan and project schedule, and identify the tools you will use to perform it
Whether you are already doing security testing with established tools or thinking about buying one, you can still perform some bare-minimum checks. Some basic checks you can do without the help of any such big tools:
Basic user credential validation: invalid users should not be able to get into the system
Passwords should never be stored in plaintext or in a reversible encrypted form; they should be stored as salted hashes produced by a slow password-hashing function (for example bcrypt, scrypt or Argon2), and sent only over TLS
Some applications disable the right-click menu or the browser back button; check whether they do, but bear in mind that this is not a security control, since page source and requests remain visible through the developer tools. The check that matters is that pressing back after logout does not show a cached page from the authenticated session
Verify that sessions time out when the user is inactive for a certain period, and that the session is invalidated on the server side, not merely forgotten by the browser
For a web application, you can use your browser's built-in developer tools to inspect the source and styling elements of the application
Using the developer tools, you can inspect the requests being sent and check whether the browser lets you manipulate inline code; anything the client can change, an attacker can change, so every check that matters must be enforced again on the server
With built-in plug-ins and extensions, you can test your web application by manipulating data, HTTP requests and other aspects to see how it responds
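As an added example (this is not code from the original article), here is how two of the checks above look when they are implemented correctly: a password record stored as a salted hash from a slow key-derivation function rather than as an encrypted or plaintext value, and a session store that drops any session idle beyond a fixed timeout and that can be invalidated on the server side at logout. The scrypt parameters, the record format and the 15-minute timeout are assumptions chosen for illustration, not values taken from the page.

```python
import hashlib
import hmac
import os
import time

# scrypt work factors: assumed values for this example (N=2^14, r=8 needs ~16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str) -> str:
    """Return a salted scrypt record, 'scrypt$N$r$p$salt_hex$hash_hex'.

    A fresh random salt means two users with the same password get
    different records, and nothing here can be reversed to recover it.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), dk.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare
    in constant time. Any malformed record (e.g. a plaintext password
    sitting in the column) fails verification instead of raising."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), hash_hex)


IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed idle limit for this example


class SessionStore:
    """Server-side session table with a sliding idle timeout."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # token -> (username, last_activity)

    def create(self, username: str, now: float = None) -> str:
        token = os.urandom(32).hex()  # unguessable session identifier
        self._sessions[token] = (username, time.time() if now is None else now)
        return token

    def user_for(self, token: str, now: float = None):
        """Return the username for a live session, or None.

        A session that has been idle longer than the timeout is deleted
        here, so it cannot be revived by a later request."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_activity = entry
        if now - last_activity > self.idle_timeout:
            del self._sessions[token]
            return None
        self._sessions[token] = (username, now)  # activity extends the session
        return username

    def logout(self, token: str) -> None:
        """Invalidate on the server; clearing the cookie alone is not enough."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    store = SessionStore()
    tok = store.create("alice", now=0.0)
    print(store.user_for(tok, now=600.0), store.user_for(tok, now=600.0 + 901.0))
```

When reviewing an application, look for these two shapes: a password column whose values differ for identical passwords and cannot be decrypted, and a session lookup that both expires idle entries and removes them on logout.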
The most common question that comes to mind when we discuss security testing is: who will do this? I think it is not like belling the cat; any tester can perform it, provided he has the required knowledge and is aware of the various aspects of security testing.
There are also legitimate hackers, called ethical hackers, whom a company authorizes to find the loopholes by attacking its own websites.
Recently Google announced the "Project Zero Prize" contest, inviting researchers to find a working remote exploit chain against Android; the winner of the first prize gets a whopping $200,000 in cash.
Let's have a look at some popular security testing tools, most of them open source.
Vega – An automated vulnerability scanner and testing tool for web applications. It detects vulnerabilities such as SQL injection, header injection and cross-site scripting. It is available for Linux, OS X and Windows.
Grabber – A simple tool for detecting web application vulnerabilities, with no GUI. It checks for cross-site scripting, SQL injection and file inclusion, performs simple Ajax testing, analyses JavaScript source code and looks for backup files.
Zed Attack Proxy – Better known as ZAP and maintained by OWASP, this tool runs on Windows, Unix/Linux and Macintosh platforms. It is one of the most useful tools for penetration testing of web applications.
Netsparker – A commercial (not open source) web application security scanner that tries to confirm each finding automatically in order to keep false positives low; no scanner is truly false-positive free, so findings still need review. It detects vulnerabilities such as SQL injection, URL manipulation and cross-site scripting, among others, and supports Ajax and JavaScript based applications.
There are many more tools available in the market; choose the one that best fits your requirements. There are hackers in every corner of the world trying day and night to steal your valuable data over the internet, so security testing is the need of the hour to ensure that your application is well protected from data theft, unauthorized access and other security vulnerabilities.
To quote the respected Benjamin Franklin, "An ounce of prevention is worth a pound of cure": it is better to perform security testing now rather than take action only after an incident occurs.