Testing a software application for security vulnerabilities can be exciting. There are neat tools and interesting ways you can make a web application hiccup, crash or otherwise give out information you shouldn’t be able to see. As fun as it may be, testing your web application’s security is also something that needs to be taken seriously. The best way to be successful is to prepare in advance and know what to look for. 360logica provides an essential-elements checklist to help you get the most out of your software application security testing.

Some of the issues involved in testing the various interfaces through which software communicates with its environment include:

  • Identification of architectural, design, and implementation risks
  • Risk-driven test creation
  • Dependency attacks
  • User Interface attacks
  • File system attacks
  • Design attacks
  • Implementation attacks
  • Penetration testing
  • Static vulnerability scanning
  • Test coverage
  • Test depth analysis

Security test activities are primarily performed to validate a system’s conformance to security requirements and to identify potential security vulnerabilities within the system. From a business perspective, security test activities are often conducted to reduce overall project costs, protect an organization’s reputation or brand, reduce litigation expenses, or conform to regulatory requirements.

Part of software testing involves replicating customer use cases against a given application. These use cases must be documented in a test plan during the quality assurance phase of the development cycle to act as a checklist, ensuring common use cases aren’t missed during the testing phase. People within the quality assurance community are starting to understand that checking an application for security issues (defects) isn’t just the responsibility of the security department (if one exists) or the software architects. While typical QA engineers don’t understand the scope or inner workings of specific software vulnerabilities, they do go about testing an application in a similar fashion to the penetration testing community. Unlike typical penetration testers, QA has access to internal documents and insider information, giving them advantages to aid in the testing of an application. In addition to documenting customer use cases, it’s important to begin documenting what an attacker may attempt against your application as well, and to incorporate these attacker ‘use cases’ into a security section of your standard test plan.

360logica security/penetration testing offerings (360view):

Test Process:

  • Gathering information
  • Researching vulnerabilities
  • Performing the tests

Security Testing Techniques:

  • Identify Application Input
  • Identify Application Output
  • Installation and deployment
  • Fuzz testing (SQL injection)
  • HTML filtering
  • Cross-site scripting tests
  • Brute force method
  • Network scanning
  • Vulnerability Scanning
  • Password Cracking
  • Integrity Checkers
  • Virus Detection
  • War Dialing
  • Penetration Testing

Client vs. Server Testing:

  • Workstation penetration testing
  • LAN and WAN based penetration testing

Internet Based Application Vulnerabilities:

  • Email servers
  • Instant messaging
  • Web servers
  • Web applications