Saturday, June 16, 2007

Security Testing Strategy

Software Testing -

Brief Introduction To Security Testing

Security testing is an important process for ensuring that the systems and applications your organization uses meet its security policies and are free of the kinds of weaknesses that could cause the organization a serious loss.


Security testing of any developed system (or a system under development) is about finding the potential weaknesses of the system that might result in the loss or theft of highly sensitive information, or the destruction of the system, by an intruder or outsider. Security testing uncovers the system's vulnerabilities before an attacker does and helps developers fix them.
Need for Security Testing
  • Security testing helps find weaknesses that could cause the loss of important information or allow an intruder into the systems.
  • Security testing helps improve the current system and helps ensure that it remains dependable over its expected lifetime (or at least works without security incidents for the estimated time).
  • Security testing does not only check the resistance of the systems your organization uses; it also checks that people in the organization understand and follow security policies, and so adds to organization-wide security.
  • If involved from the first phase of the system development life cycle, security testing can help eliminate flaws in the design and implementation of the system, and so help the organization close potential security loopholes at an earlier stage, when they are cheapest to fix. This benefits the organization in almost every respect (financially, in security, and in effort).
Who needs Security Testing?
Nowadays, almost every organization has hundreds of computers connected to each other through intranets and various LANs within the organization, and to the outside world through the Internet, along with data storage and handling devices. The information stored on these devices and the applications that run on these computers are vital to the organization from a business, security and survival point of view.

Any organization, small or large, needs to secure the information it holds and the applications it uses in order to keep its customers' information safe and prevent loss of business.

Security testing helps ensure that the systems and applications an organization uses are secure and are not vulnerable to known types of attack. It cannot prove the absence of all flaws; what it does is reduce the number of weaknesses left for an attacker to find and use.

What are the different types of Security Testing?
Following are the main types of security testing:
  • Security Auditing: Security auditing is the direct inspection of the developed application, the operating systems and any other system on which it is developed or deployed. This also involves code walk-throughs.
  • Security Scanning: This is the scanning and verification of the systems and applications. During security scanning, auditors inspect the OS, applications and network(s) and try to find weaknesses in them.
  • Vulnerability Scanning: Vulnerability scanning involves scanning the application, and the hosts it runs on, for known vulnerabilities. This scanning is generally done with vulnerability scanning software that compares what it finds (software versions, open services, configurations) against a database of known flaws; such a scanner can only report vulnerabilities that are already in its database.
  • Risk Assessment: Risk assessment is a method of analyzing and rating risk based on the type of loss and the likelihood of that loss occurring. It is carried out through interviews, discussions and analysis of their results. It helps identify and prepare a contingency plan for each potential risk, and so contributes to security conformance.
  • Posture Assessment & Security Testing: This is a combination of security scanning, risk assessment and ethical hacking, used to reach a conclusion and help your organization know where it stands with regard to security.
  • Penetration Testing: In this type of testing, a tester tries to gain unauthorized access to the application under test, either with the help of other tools or by chaining together weaknesses the application has unknowingly left open. A penetration test is highly important because it is the most effective way to show, in practice, which weaknesses in the application are actually exploitable.
  • Ethical Hacking: This is a simulated intrusion by an external party into the systems and applications under security testing, carried out with the owner's authorization. Ethical hacking involves a number of penetration tests across the whole network of the system under test.

(Please Note: The above list of types of security testing is based on the Open Source Security Testing Methodology Manual of Pete Herzog and the Institute for Security and Open Methodologies - ISECOM)
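To make the vulnerability scanning entry above concrete, here is an added example (not part of the original post, and not the code of any real scanner) of the core of what a vulnerability scanner does: it takes an inventory of installed software and compares each version against a database of advisories that describe affected version ranges. Every package name, version number and advisory ID in it is constructed for illustration; none refers to real software or a real flaw.

```python
"""Minimal known-vulnerability matcher: the core of a vulnerability scanner.

An inventory of installed software is compared against a database of
advisories, each describing the version range a flaw affects.

All package names, versions and advisory IDs below are constructed for
illustration; they do not refer to real software or real vulnerabilities.
"""

from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so that versions compare numerically.
    Comparing as strings would be wrong: '2.4.10' < '2.4.9' lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # constructed identifier, not a real CVE
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    summary: str

    def affects(self, version: str) -> bool:
        """True if `version` lies in [introduced, fixed)."""
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed advisory database (hypothetical packages and IDs).
ADVISORIES = [
    Advisory("ADV-2007-001", "examplelib", "1.0.0", "1.3.2",
             "buffer overflow in input parser"),
    Advisory("ADV-2007-002", "examplelib", "2.0.0", "2.4.10",
             "authentication bypass"),
    Advisory("ADV-2007-003", "demo-httpd", "0.9.0", "1.1.0",
             "directory traversal"),
]


def scan(inventory: dict) -> list:
    """Return (package, version, advisory) for every installed package whose
    version falls inside an advisory's affected range. A package with no
    advisory in the database produces no finding, even if it is flawed:
    a scanner only knows what its database knows."""
    findings = []
    for package, version in sorted(inventory.items()):
        for adv in ADVISORIES:
            if adv.package == package and adv.affects(version):
                findings.append((package, version, adv))
    return findings


def main():
    # Constructed inventory, as a package manager or banner grab might report it.
    inventory = {
        "examplelib": "2.4.9",   # inside ADV-2007-002's affected range
        "demo-httpd": "1.1.0",   # exactly the fixed version: not affected
        "other-tool": "3.1.0",   # no advisory at all: nothing is reported
    }
    for package, version, adv in scan(inventory):
        print(f"{package} {version}: {adv.advisory_id} ({adv.summary}), "
              f"fixed in {adv.fixed}")


if __name__ == "__main__":
    main()
```

Two points a practitioner should take from this: the comparison must be done on parsed version numbers, not on strings, or a scanner will mis-rate versions; and a clean scan means only that nothing in the database matched, which is why vulnerability scanning is one input to a posture assessment or penetration test rather than a substitute for them.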

The best way to ensure security is to involve security assessments, audits and the various types of testing from the first phase of system development. The level and form of the processes used to test a system's security vary with the phase, condition and type of the system under test.