# Security Testing
Security testing is a type of software testing that uncovers vulnerabilities, threats, and risks in a software application so that intruder attacks can be prevented.
The purpose of security testing is to identify all possible gaps and weaknesses in the system that could lead to the loss of information, profits, or reputation at the hands of employees or outsiders of the organization.
Once identified, each vulnerability is verified so that the system can keep functioning without being exploited.
# Key Principles of Security Testing
- Confidentiality: Limiting access to sensitive data managed by a system.
- Integrity: Ensuring that data is consistent, accurate, and reliable throughout the software lifecycle and cannot be modified by unauthorized users.
- Authentication: Confirming that sensitive data and systems are protected by a mechanism that establishes the identity of the user accessing them.
- Authorization: Ensuring that all sensitive data and systems enforce access control on authenticated users according to their roles or permissions.
- Availability: Ensuring that critical data and systems are available to their users when needed.
- Non-Repudiation: Ensuring that the sending or receipt of data cannot be denied, by exchanging authentication information with a verifiable timestamp.
# Types of Security Testing
- Vulnerability Scanning: Done with automated software that scans the system for known vulnerability signatures.
- Security Scanning: Involves identifying weaknesses in the network and system, providing solutions to reduce these risks. This scan can be applied manually or automatically.
- Penetration Testing: Simulates the attacks of a malicious hacker. A particular system is analysed to check for vulnerabilities that an external attacker could exploit.
- Risk Assessment: This technique involves analyzing security risks observed within the organization. Risks are then classified as low, medium, and high. This test recommends controls and measures to reduce risks.
- Security Audit: Internal inspection of applications and operating systems for security flaws. An audit can also be done line by line on the source code.
- Ethical Hacking: The process of hacking an organization without malicious intent but rather to expose and fix system security risks.
- Posture Assessment: This combines security scanning, ethical hacking, and risk assessment to demonstrate the overall security posture of an organization.
# How to Perform Security Testing
It is generally agreed that the earlier security testing begins, the better the outcome for the project.
- Requirements: Security analysis on requirements, checking for abuse/misuse cases.
- Design: Security risk analysis in the design, development of a test plan that includes security testing.
- Code and Unit Testing: Static and dynamic tests, as well as white-box security testing.
- Integration Testing: Black-box testing.
- System Testing: Black-box and vulnerability scanning.
- Implementation: Penetration testing, vulnerability scanning.
- Support: Impact analysis of patches.
The test plan should include:
- Security-related test cases and scenarios.
- Test data related to security testing.
- Necessary testing tools for the application.
- Analysis of test outputs from different tools.
# Examples of Test Scenarios
- A password should be encrypted.
- Application or system should not allow invalid users.
- Check cookies and session time for an application.
- For financial websites, the back button in the browser should not work.
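As an added illustration (not part of the original article), the Python below turns the first three scenarios into automated checks against a constructed toy application: the password is verified to be kept only as a salted PBKDF2 digest rather than in clear, invalid users and wrong passwords are rejected, and the session cookie carries Secure and HttpOnly flags and a bounded lifetime. The ToyApp class, the PBKDF2 iteration count and the 900-second timeout are assumptions for the example, not values from the page.

```python
import hashlib
import hmac
import os
from http.cookies import SimpleCookie

ITERATIONS = 100_000   # PBKDF2 work factor (constructed value)
SESSION_TIMEOUT = 900  # session lifetime in seconds (constructed value)

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class ToyApp:  # constructed stand-in for the application under test (hypothetical)
    def __init__(self):
        self.users = {}     # username -> (salt, digest); the password itself is never kept
        self.sessions = {}  # session token -> issue time
    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _kdf(password, salt))
    def login(self, username, password, now):
        # Returns a session token, or None for an unknown user or a wrong password.
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(_kdf(password, rec[0]), rec[1]):
            return None  # compare_digest keeps the digest comparison constant-time
        token = os.urandom(16).hex()
        self.sessions[token] = now
        return token
    def cookie_header(self, token):
        # Set-Cookie value for the session: Secure, HttpOnly and a bounded Max-Age.
        c = SimpleCookie()
        c["session"] = token
        c["session"].update({"secure": True, "httponly": True, "max-age": SESSION_TIMEOUT})
        return c.output(header="").strip()
    def session_valid(self, token, now):
        issued = self.sessions.get(token)
        return issued is not None and now - issued < SESSION_TIMEOUT

def run_security_checks(app):
    t0 = 1_700_000_000  # constructed clock value so expiry is deterministic
    app.register("alice", "correct horse")
    app.register("bob", "correct horse")  # same password: salted digests must still differ
    stored_a, stored_b = app.users["alice"][1], app.users["bob"][1]
    token = app.login("alice", "correct horse", t0)
    hdr = app.cookie_header(token)
    return {
        "password not stored in clear": b"correct horse" not in stored_a and stored_a != stored_b,
        "invalid users rejected": app.login("alice", "wrong", t0) is None
        and app.login("mallory", "correct horse", t0) is None,
        "cookie flags set": "Secure" in hdr and "HttpOnly" in hdr,
        "session expires": app.session_valid(token, t0 + 10) and not app.session_valid(token, t0 + SESSION_TIMEOUT),
    }
```

`run_security_checks` returns a scenario-to-pass/fail map, so the same checks can be pointed at a real application by replacing ToyApp with an adapter exposing the same four methods.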
# Security Testing Methodologies/Approaches/Techniques
- Tiger Box: This hacking method is usually carried out from a laptop loaded with a collection of operating systems and hacking tools. It helps penetration testers conduct vulnerability assessments and attacks.
- Black Box: The tester is authorized to test everything about the network topology and technology.
- Grey Box: Partial information about the system is given to the tester; it is a hybrid of the two approaches above.
# Roles in Security Testing
- Hackers: Access computer systems or networks without authorization.
- Crackers: Force entry into systems to steal or destroy data.
- Script Kiddies or Packet Monkeys: Inexperienced hackers with limited skill in programming languages.
# Security Testing Tools
Here are some security testing tools: