Security Testing - csactor


Saturday, February 8, 2020

Security Testing


What is Security Testing?


SECURITY TESTING is a form of software testing focused on uncovering vulnerabilities in a system and ensuring that its data and resources are protected against potential intruders.
Security testing of any system means finding all potential loopholes and vulnerabilities that could lead to a loss of information, revenue or reputation at the hands of the organization's employees or of outsiders.
The purpose of security testing is to identify the system's risks and measure its possible weaknesses so that the system does not fail or get abused.


Basic Security Concept

Confidentiality - Ensures that secret information is kept confidential. If some data is meant to be available to certain users, the system must make it available to those users and to no one else. Confidentiality prevents the unauthorized disclosure of protected information.

Integrity - Prevents the unauthorized modification of information. Without the owner's permission, unauthorized users may not change the data. Modification means not only altering or deleting data but also inserting false data in order to change the system's behaviour.

Authentication - Establishes that a user or application is who it claims to be before access is granted. Together with authorization, it safeguards critical resources within a network by restricting access to authorized users and their applications only, and prevents the unauthorized use of a resource or the use of a resource in an unauthorized manner.

Authorization - The procedure that decides whether a requester is approved to obtain a service or to carry out an activity.

Non-repudiation - The guarantee that something cannot be disputed. It usually refers to the ability to ensure that a party to a contract or transaction cannot deny the validity of their signature on a document or the sending of a message they originated.


Types Of Security Testing

Vulnerability Scanning - A method for detecting known security vulnerabilities in a computer system. Vulnerability scanning is used for defensive purposes by individuals and network administrators, and also by attackers trying to gain unauthorized access to computer systems.

Security Scanning - Identifying weaknesses in the network and its systems and providing solutions to reduce those risks. This scanning can be performed manually or with automated tools.

Posture Assessment - Combines vulnerability scanning, ethical hacking and risk assessment to show an organization's overall security posture.

Ethical Hacking - Authorized hacking of an enterprise's software systems. Unlike malicious hackers, who steal for their own purposes, the aim is to reveal the system's security flaws.

Penetration Testing - A penetration test, also known as a pen test, is a simulated cyber attack on a computer system carried out to find exploitable vulnerabilities. In web application security, penetration testing is commonly used to strengthen a web application firewall (WAF).


How to do Security Testing - Best Practices

The following best practices help with security testing of software.

Test the Accessibility

Access control is built on authentication and authorization: you decide who gets access and how much access an authenticated user is allowed.

It helps keep data safe from internal and external breaches. To carry out this access test, you are required to test the roles and responsibilities of the people in your company.


How to Test in Accessibility

The tester is expected to create multiple user accounts with different roles. Using these accounts, the tester should exercise the application and verify that each role has access only to its own modules, screens, forms and menus. If the tester detects any discrepancy, a security issue should be logged with full confidence.
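The role check described above, written out as a matrix test. This is an added example, not code from the post: the application under test is a constructed in-memory stand-in (`_APP_RULES`, with one deliberately wrong rule), the expected matrix is constructed sample data, and `request_as` is a hypothetical hook where a real test would send HTTP requests with each account's session. It also includes the unauthenticated visitor as a role, which the post does not mention explicitly.

```python
from itertools import product

# Constructed sample access matrix: the roles each module is SUPPOSED to admit.
EXPECTED = {
    "dashboard":      {"admin", "manager", "clerk"},
    "reports":        {"admin", "manager"},
    "user_admin":     {"admin"},
    "payroll_export": {"admin"},
}

# Constructed stand-in for the application under test. One rule is wrong on
# purpose (clerk can reach reports) so that the check has something to find.
_APP_RULES = {
    "dashboard":      {"admin", "manager", "clerk"},
    "reports":        {"admin", "manager", "clerk"},   # misconfiguration
    "user_admin":     {"admin"},
    "payroll_export": {"admin"},
}


def request_as(role, module):
    """Return the HTTP status the stand-in app gives `role` for `module`.

    Hypothetical hook: in a real test this is where you would send the
    request carrying the session cookie of the account created for that role.
    """
    if module not in _APP_RULES:
        return 404
    return 200 if role in _APP_RULES[module] else 403


def access_matrix_findings(expected=EXPECTED, roles=None):
    """Exercise every (role, module) pair and report disagreements.

    Each finding is (role, module, expected, observed_status). Both
    directions matter: an unexpected 200 is an access-control bypass, an
    unexpected 403 is a broken role that pushes users toward shared accounts.
    The unauthenticated visitor is always included so that pages reachable
    without any login are caught too.
    """
    if roles is None:
        roles = ["anonymous"] + sorted(
            {r for allowed in expected.values() for r in allowed})
    findings = []
    for role, module in product(roles, sorted(expected)):
        should_allow = role in expected[module]
        status = request_as(role, module)
        if should_allow != (status == 200):
            findings.append(
                (role, module, "allow" if should_allow else "deny", status))
    return findings


if __name__ == "__main__":
    for role, module, expected, status in access_matrix_findings():
        print(f"FINDING role={role} module={module} expected={expected} got={status}")
```

Running it reports the one planted discrepancy (the clerk reaching the reports module). The expected matrix should come from the application's specification, not from observing the application, otherwise the test only confirms whatever the current configuration happens to allow.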

Test For Malicious Script [Cross Site Scripting]


To attack a website, hackers use XSS (cross-site scripting) and SQL injection: a malicious script or query is injected into the site, allowing the attacker to access or exploit it.
A tester must ensure the site is protected against these attacks.
The tester checks the maximum lengths permitted for input fields, since this restriction makes it harder for an attacker to include malicious scripts.

Basically, SQL injection testing can be done in the following five ways:

  • Detection techniques
  • Standard SQL injection techniques
  • Fingerprinting the database
  • Exploitation techniques
  • SQL injection signature evasion techniques

Test the Error Handling

Error handling covers HTTP error responses such as 400, 404 and 408.
The tester can take direct action to reach such pages and ensure that no critical data or information is contained on the page presented.
This ensures that the information shown on error pages is safe and cannot benefit attackers.
The test also involves checking for stack traces, which, if exposed, can help attackers.


Session Management

A web session is a series of HTTP request and response transactions linked to the same user. Session management tests check how the web application creates, maintains and terminates sessions.

You can test for:

  • session expiry after a specific idle time
  • session termination after a maximum lifespan
  • session termination after logout
  • the scope and duration of session cookies
  • whether a single user can hold multiple simultaneous sessions



