Testing an application – whether it is designed for desktop, mobile or the Internet of Things – for security defects is more important now than ever before. This is because the stakes for a data breach have become enormous, in light of the average incident now costing the affected enterprise over $4 million to recover from.
What to look for during security testing
When it comes to security testing, what paces should quality assurance teams put their applications through? There are plenty of things to check for, including:
- Authentication: How do users prove that they are legitimate when attempting to sign in to the application? Are any factors other than username and password required? Do you enforce password requirements or use a captcha?
- Encryption: Which assets are protected with encryption, either at rest or in transit (or both)? Are the cryptographic libraries recent and up-to-date? What versions, algorithms and key lengths are you using with SSL?
- Session management: Do you use cookies or tokens for session management? What is the scope, duration and maximum lifespan of these cookies/tokens? Is the application vulnerable to clickjacking and cross-site request forgery?
- Injections and cross-scripting: SQL injection and various types of cross-scripting are among the most common attack vectors against web apps, which makes them crucial to test – is your app hardened against them?
- Distributed denial-of-service attacks: Is your application vulnerable to DDoS via SQL wildcard or HTTP protocol? Does it include account lockout features to prevent brute-force password guessing?
- Miscellaneous application-specific features: Does your app handle payments? If so, can it handle buffer overflows? Does it comply with the Payment Card Industry Data Security Standard? Are your file uploads secure, with automatic antivirus scanning?
As we can see, security testing is a very involved process, with many moving parts pertaining to user experience/interface, specific protocols and tools and even compliance frameworks. Enterprises around the globe continue to invest many resources into this area. Markets and Markets has estimated that security testing could be a $4.96 billion market by 2019, which would represent a 14.9 percent compound annual growth rate for the period from 2014 to 2019.
Overall, security testing is not all that different from functional testing. Test cases are defined and then the application is vetted to see if it behaves as expected. The key difference is that you’re looking for a “negative” result with security testing, i.e., that your app won’t succumb to X or Y exploit.
“The main difference when security testing is one of mindset,” explained then-Atlassian QA Lead Mark Hrynczak in 2012. “When functional testing, you are trying to prove that a feature works for an end-user – it does what they expect, and does not hinder them from completing their tasks. You would probably prioritize accordingly – focus on features that are used more often, used by more users, are considered the most important, etc. As a security tester, your ‘end-user’ is now an attacker trying to break your application. The goal of your testing is to prove that a specific attack scenario does not succeed, for any attack scenario.”
Such scenarios could include:
- Lack of encryption (or weak encryption) when handling payment card data on an e-commerce portal.
- Ability to retrieve passwords from basic SQL queries.
- Poorly secured permissions in a content management system, which could allow a student to edit the contents of an online exam, for example,
- Similarly, a flaw within an enterprise resource planning system that might permit unauthorized users to generate reports with sensitive data.
Why web apps are different
Security testing for web apps is particularly complex compared even to desktop or mobile apps. This is because putting an app on the web often requires the use of standards such as OpenSSL and CSS that may be less than ideal from a technical standpoint. At the same time, web apps have a frontend (interface) and backend (database) that have to be securely connected across an IP network. There is often ample opportunity for a cyber attack here, most notably SQL injection.
So what’s the solution for effectively testing the security mechanisms of your web app? Start by understanding the design of your application as well as the basic meanings of security terms and concepts. The free online resource OWASP is especially useful here for spelling out all of the must-knows in web app security testing, from session management tips to cross-scripting attacks.
From that point, specific tools such as automated vulnerability scanners and Google Gruyere can help you identify possible flaws in your application even in the early going. You won’t want to stop there, though. An enterprise test management solution can help you track defect trends, test functionalities and collaborate with all project stakeholders throughout the devtest process.
Security testing can be improved with a sensible agile workflow that the entire organization can follow as part of a DevOps culture. This way, an app can be promptly updated as standards change, new attacks come out into the open and flaws are discovered. Success with security testing requires a fine-tuned combination of high-level processes and technical solutions, which can be achieved by pairing agile/DevOps with testing tools. This setup gives you the speed and thoroughness you need to discover defects early and often and fix them so that your web app is as safe as possible for everyone.
Security testing is essential to ensuring your apps are protected.
