What is security testing? The simplest definition is that securtiy means that authorized access is granted to protected data and unauthorized access is restricted. Here are some examples of security flaws in an application:
1. A Student Management System is insecure if ‘Admission’ branch can edit the data of ‘Exam’ branch
2. An ERP system is not secure if data entry opeartor (DEO) can generate ‘Reports’
3. An online Shopping Mall has no security if customer’s Credit Card Detail is not encrypted
4. A custom software possess inadequate security if an SQL query retrieves actual passwords of its users
Also, let’s learn some security testing techniques:
1. Access to Application:
Tester should create several user accounts with different as well multiple roles. Then he should use the application with the help of these accounts and should verify that every role has access to its own modules, screens, forms and menus only. And he should log a security issue with complete confidence if finding any confict.
2. Data Protection:
The tester should query the database for ‘passwords’ of user account, billing information of clients, other business critical and sensibive data and should verify that all such data is saved in encrypted form in the DB. Moreover, tester should ensure that the encrypted data is properly decrypted at the destination. If any of these verifications fail, the application definitely has security flaw.
3. Brute-Force Attack:
The tester must verify that some mechanism of account suspension is available and is working accurately. Moreover, he must attempt to login with invalid user IDs and Passwords alternatively to make sure that software application blocks the accounts that continuously attempt login with invalid information.
4. SQL Injection and XSS (cross site scripting):
Tester must ensure that maximum lengths of all input fields are defined and implemented. Then he should also ensure that defined length of input fields does not accommodate any script input as well as tag input.
5. Service Access Points (Sealed and Secure Open):
An investor should have access to current and historical data of stock prices. User should be given the facility to download this historical data. This demands that application should be open enough. Moreover, a large number of users will be interacting with application simultaneously, so the application should provide enough number access point to entertain all the users.