Security testing techniques are needed to defend the vulnerabilities of a software system or application and to protect it from security threats. Every web site and application has some kind of vulnerabilities which weaken the application’s security and exposes it to the exploitation.
The security should be carried out along all other testing phases so that a uniform security is maintained throughout the application and vulnerabilities and threats are discovered and addressed from time to time. But, unfortunately the security testing is usually conducted at the last phase of the development cycle.
PENETRATION & STATIC ANALYSIS TESTING TOOLS
- Penetration testing tools or web application scanners help a great deal in identifying the vulnerabilities of a web site or application.
- The human brain cannot mentally check out the whole source code and aspects for vulnerabilities and weak points.
- Another class of tools that can be used for this purpose is static code analysis tools.
- Both these penetration tools and static code analysis tools are needed for security testing of web sites and web applications.
- These tools work very effectively in digging out the vulnerabilities.
- On the other hand, static code analysis tools belong to the white box testing tools.
- They are used by the security groups to complement the penetration tools and they focus up on finding the specific root vulnerabilities.
- Penetration testing tools are to be used when the tester is having a limited knowledge of the web application under testing.
- These security tools are employed to check out the following security issues:
(a) SQL injection attacks
(b) Cross site scripting attacks
(c) Directory traversal attacks
(d) Issues related to session management
(e) Validation of the supplied input
The penetration testing tools emphasize upon the following security areas of a web site or web application:
- Network security
- Data base security
- Security sub- system
- Web application security
The penetration testing tools though focus up on both the positive and negative requirements; the more emphasis is on the negative ones. On the other hand normal software testing focuses only up on the positive requirements.
TECHNIQUES USED TO CARRY OUT SECURITY TESTING OF WEB APPLICATIONS
1. Fuzz Test Technique
- This type of testing involves injection of various types of generated data at the interface of the web site or application under testing.
- The data is either randomly generated or systematically.
2. Syntax Test Technique
- This type of testing involves generation of both legal and illegal data.
- This data input values are fed to the application and the behavior of the web application is observed i.e., whether it accepts or rejects the input.
3. Data Analysis
- The data generated by the web application is checked and the context of cryptography is employed here.
4. Exploratory Testing
- This testing is carried out without any test plan.
- There are no specific expectations in this type of security testing and the outcomes are also not expected.
5. Scaffolding
- Testers require some support to carry out their own specially designed testing techniques.
- For that they require supportive tools.
- This is termed as scaffolding.
6. Monitoring the behavior of the program
- Automated tools are used to monitor the outcomes of the different security testing techniques applied and also the behavior of the web application is monitored.
- This technique saves a lot of time.
Security testing of the web sites and applications is crucial to the security of the enterprise since the web sites and applications need to be available to the people all time and the threats and vulnerabilities possess a big danger to the cyber world.
Wednesday, February 8, 2012
What are different security testing techniques?
Posted by Sunflower at 2/08/2012 08:36:00 PM
Labels: Areas, Data Analysis, Exploratory testing, Fuzz, Information, Penetration tools, Scaffolding, Secure, Security, Security Testing, Static analysis tools, Syntax, Techniques, Web Applications, Websites
Subscribe by Email |
|
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment