security testing
360logica Software Testing Company White Paper
A White Paper on Security Testing
Updated: 24-03-2012

Introduction

Owing to ever-changing business dynamics, more and more organizations are shifting to the web. This shift is not just customer-centric but internal as well. On the customer side, be it business-to-business or business-to-consumer, nearly everything is now transacted via the web. From an internal infrastructure perspective, companies are shifting to the cloud and adopting SaaS models to ease their operations and improve availability.

In all these dynamics, security becomes a factor of utmost importance. Given how delicate a firm's web security measures can be, independent testing firms have come into the picture. The shift to the web and the cloud leaves firms exposed to unexpected security threats, and it is a collective effort of service providers and cloud service providers to ensure that the security and integrity of an enterprise are maintained.

Need of Independent Testing Firms

A product or service is, at its inception, developed with a view to the expected results or criteria for which it is intended to be used. The user is also expected to use the application in a particular fashion, but that is not always the case. Today, with the advancement and availability of technology, the end user is quite versatile and sometimes, in a manner of speaking, mischievous.

A breach in the security of a web site, or of any application or service for that matter, can be intentional as well as unintentional. As a provider of a service or product we can hope that users will use it in the desired manner, but one has to be prepared for unexpected use as well. While taking security measures, one has to think from the intentional, that is the attacker's, perspective too. A person who has written the code himself can be at a loss when testing or verifying that code from the viewpoint of finding "loopholes"; one has to think from an attacker's, or popularly an ethical hacker's, perspective.

Independent testing firms with expertise in niche skill domains can come in very handy in making a service or product robust. With a varied pool of talent and the right mix of approaches, a testing firm can provide the essential findings, or fix the points, where an application can be toyed with.

Software Testing in Various Development Methodologies

Waterfall Model

The waterfall model has been in use for some time. Normally the flow in the model is as follows:

System Feasibility → Requirement Analysis → System Design → Coding and Unit Testing → Integration and System Testing → Deployment and Maintenance

Coding and Unit Testing. In this phase, the actual coding is done for the various modules. Generally the coder reviews the code and individually tests the functionality of each module.

Integration and System Testing. In this phase, all the modules are integrated into the system and the entire system is tested, making sure that the modules meet the requirements.

Deployment and Maintenance. In this phase, the software is deployed in the production environment. Any errors identified in this phase are rectified, and the functionality is tweaked based on updated requirements.

Agile Model

The key differences between agile and traditional methodologies are as follows. Software is developed in sprints, or short continuous cycles. The result is delivered in chunks, as small releases, with each release adding to the previous functionality. Each release is thoroughly tested, which ensures that all issues are addressed in the next cycle. In the end, system testing is done to ensure complete security as per the requirements.

Manual vs. Automated Testing

Manual testing, though very useful for checking the nuts and bolts of the code written, may fall short of scanning the entire module comprehensively. Automated testing, owing to its comprehensive nature, is quite good at identifying threats, and when coupled with manual testing it can prove very beneficial.

Code may be tested with techniques such as SQL injection, code injection, remote file inclusion and cross-site scripting. An automated tool can come in handy to automate testing with these techniques, but an experienced tester can prove more valuable, since with "out of the box" thinking he can test the application by subjecting it to unexpected attacks. The best practice is to tweak the scripts of an automation tool (IBM AppScan, Paros, QAInspect, etc.) according to the technical requirements of the code under test, and then take a manual approach to rectify the end results. For this a manual tester who has expertise in the required domain is preferred.

Conclusion

With more and more people shifting to web-based applications, which definitely make life and work easier, one has to take care of the threats that come with the package.

Threats exist not just for consumers but for enterprises as well. Common threats include web-based attacks, social phishing and malicious data loss. One has to focus on prevention mechanisms rather than reactive mechanisms.
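The Manual vs. Automated Testing section above names SQL injection and cross-site scripting as techniques that an automated tool can exercise against code. The following is an added example, not code from the white paper or from 360logica: a deliberately vulnerable login query and HTML renderer beside their hardened forms, plus a small probe that fires SQL-injection and XSS payloads at each and reports bypasses, database errors and unencoded reflections. The in-memory user table, the credentials, the payload lists and all function names are constructed for this example and are not taken from the paper.

```python
"""Added example (not from the 360logica white paper): vulnerable code beside
its hardened form, and an automated probe that tells the two apart.
Everything here (table, credentials, payloads, names) is constructed."""
import html
import sqlite3
from typing import Callable, Dict, List


def make_db() -> sqlite3.Connection:
    # Constructed user table; password hashing is omitted so the focus stays on injection.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately vulnerable: user input is concatenated straight into the SQL text.
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver passes input as data, never as SQL.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def render_vulnerable(name: str) -> str:
    # Deliberately vulnerable: untrusted input is placed directly into HTML.
    return "<p>Welcome, " + name + "</p>"


def render_hardened(name: str) -> str:
    # Output encoding: html.escape neutralises <, >, &, " and '.
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


# Constructed payloads of the kind an automated scanner would send.
SQLI_PAYLOADS: List[str] = ["' OR '1'='1", "' OR 1=1 --", "'"]
XSS_PAYLOADS: List[str] = [
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
    "<img src=x onerror=alert(1)>",
]


def probe_sqli(login: Callable[[sqlite3.Connection, str, str], bool]) -> Dict[str, str]:
    """Map each payload to 'bypass', 'error' or 'ok' for the given login function.

    A payload that authenticates without the real password is a bypass; a payload
    that makes the database raise is an error-based finding; a hardened login
    yields 'ok' for every payload."""
    conn = make_db()
    results: Dict[str, str] = {}
    for payload in SQLI_PAYLOADS:
        try:
            # Try the payload in the password field, then in the username field.
            bypass = login(conn, "alice", payload) or login(conn, payload, "x")
            results[payload] = "bypass" if bypass else "ok"
        except sqlite3.Error:
            results[payload] = "error"
    conn.close()
    return results


def probe_xss(render: Callable[[str], str]) -> List[str]:
    """Return the payloads that come back from the renderer unencoded
    (a reflected cross-site scripting finding)."""
    return [p for p in XSS_PAYLOADS if p in render(p)]


def scan() -> Dict[str, object]:
    """Run both probes against the vulnerable and the hardened implementations."""
    return {
        "sqli_vulnerable": probe_sqli(login_vulnerable),
        "sqli_hardened": probe_sqli(login_hardened),
        "xss_vulnerable": probe_xss(render_vulnerable),
        "xss_hardened": probe_xss(render_hardened),
    }


if __name__ == "__main__":
    for name, finding in scan().items():
        print(name, finding)
```

Run the block directly to print the four result sets: the vulnerable login is bypassed by the first two payloads and raises a database error on the bare quote, while the parameterised version answers a plain "ok" to all three; the unescaped renderer reflects every XSS payload and the escaped one reflects none. A probe like this is the kind of script the section says should be tweaked per application, and its findings are still the starting point for a manual tester rather than the end of the job.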