Wednesday, 21 January 2015

What is Security Testing and why it is a difficult task ?

This blog is about security testing and to understand the reason due to which security testing process is difficult to perform. Let's begin the details  of security testing.

Security Testing :
Security testing is the process through which security mechanism of an application are tested to ensure security strength of an application. Here certain activities are performed to identify security based defects, common threats and vulnerability areas in application. These test are performed using automation tools. This practice helps tester to uncover threats and ensure security for critical information, data or transaction details of an application.

Due to increasing complexity in software, transactions, and data access through network, the security testing is becoming important and essential factor. These days, there is an increase in web-based security attacks. Also harmful worms and viruses are spreading through internet protocol.

To prevent these virus attacks, security test needs to be performed for validating and verifying web based system strength to resist security threats or attacks. According to security specialists,  these types of test are difficult to perform. The system have some some security bends using which attackers access system and cause damage to data or system.

Security testing is a crucial task, there are two reasons behind this fact :

1. Security requirements are different from other functionality requirement like safety requirements. Here the requirements specify the opertations or functions which should not occur rather than specifying behaviour or functionality. Commonly, it is not possible to specify such unwanted actions as plain constraints which a system can check with ease.

According to resources availability, one can determine, in principle, that all the functional requirements are met by the system. Irrespective of test implementation, the system can have some security vulnerabilities. A developer can generate functional requirements that are designed to protect system from some known threats. Though, it is difficult to change requirements for unknown attacks.

2. The intruders or attackers are intelligent enough and continuously seeking for vulnerabilities in application or software which they can exploit. They regularly experiment with application system to find things which are slightly different from normal system activities.
For example, in an input field of application, attackers may enter around 1,000 characters with combination of letters, numbers and punctuations. Once on discovering any vulnerability, the attackers can gain access to the system and exploit existing data or information. Thus increases the volume of potential intruders or attackers.

After discovering the guesses of system developers, the attacker then counter these guesses to check the reactions. Attackers can make use of software tools to explore system and find out the possible vulnerabilities which they can exploit. The intruders or attackers spent large amount of time on exploring system vulnerabilities than a test professional who focus on system security testing.


Due to this fact, the static analysis will be helpful for security testing tool. Static analysis helps testers to locate areas of application which include vulnerabilities and errors. The identified threats in static analysis can be fixed or helps tester to identify tests which needs to be performed on system.

To implement a security test on a system, the tester can use experience based testing, formal verification and tool based analysis :

1. Experience based testing : During this testing phase, a proper analysis for known security attacks is to be done. The analysis includes activities like test cases development, source code examination, etc. For example, test application against SQL injection by using SQL commands inputs. Ensure that buffer overflow errors will not takes place by examining all the input buffers of application.

Mainly, this type of verification can be done with the help of tool based verification, in which tool provides information about test implementation. The identified known security issues with their preventive measures are to be listed down including programming and design.

2. Tiger Teams : This is a method of experience based testing in which an external team responsible to identify security flaws, and common threats in an application, is deployed on system to ensure the security strength of application. This external team is known as 'Tiger Team' and the members of this team holds rich security testing experience. They simulate number of attacks on application to discover security weakness of the system.

3. Tool based testing : In this testing method, a number of tools like password checkers are employed to inspect system security. Password checkers recognize insecure passwords like similar name or common letter strings in name. In this testing approach security defects experience is demonstrated in used tool.

4. Formal Verification : Using this methodology, system can be verified against and established security specification. Generally, in other areas, this security method is not used in excess.

Security testing is limited by the available resources and time to test application. This means that a tester needs to adopt risk based testing method for security testing by focusing on significant risks in a system. After analysing the security risks properly, a tester can easily perform test effectively. Also, the security requirement investigation helps tester to break weak areas of application using some alternative testing approaches.

It is quite difficult for end-users to verify system's security. Hence, there are certain standards and sets of security criteria, which an application/software needs to be fulfilled. The certified test professionals test applications to ensure their security strength. A dedicated and thorough evaluation on application is to be performed by the security experts. After then the product is provided with certification for its security strength.