Web Security Testing: Learning the Basics

Security Testing

One of the gravest concerns for modern companies is security testing. However, security testing often remains one of the least understood and least well-defined testing activities for modern testers. Web security testing requires domains of expertise beyond traditional software testing in order to execute complex tasks and is, therefore, a skill in great demand in the industry. This article discusses some key concepts applicable to security testing and is intended as a primer for beginners and professionals alike.

Defining Computer Security

Computer security is a combination of many protective measures taken to ensure the safety of the data and resources of both the owners and the users of computer systems. Computer security is twofold: It involves keeping private information safe and preventing loss of resources. Computer security concerns include active attacks from external sources, internal abuse, and inadvertent loss of information. Typically, security threats come from one or more of the following places:

Web Testing Goals and Responsibilities

The main focus of our goals as testers should be testing Web site and Web application security at the application level. This means that we should seek out vulnerabilities and information leaks caused primarily by programming practice and, to a certain extent, by misconfiguration of Web servers and other application-specific servers. We should test for the security side effects or vulnerabilities caused by the functionality implementation. At the same time, we should also test for functional side effects caused by the security implementation.

Specifically, the following areas should be considered as testing responsibilities:

Key Aspects of Web Security Testing

Backdoors

Backdoors are created by the developers to facilitate debugging and troubleshooting. Unfortunately, it is not uncommon for backdoors to be left in the production code, thereby introducing security risks. For example, a backdoor that allows the user to go directly to the application without any form of authentication can be a dangerous problem. Check to make sure that all backdoors are closed in the production release.

Exception Handling

Programs often contain exception-handling code to deal with unexpected events or errors. What is the correct way to handle these exceptions?

Some failures may require immediate notification to the owners of the application. As a tester, you need to understand which response is correct for each condition. Then you can build test cases to make sure the logic is implemented correctly.

ID and Password Testing

When it comes to ID and password testing, follow these guidelines:

Testing for Information Leaks

To test for information leaks, follow these guidelines:

Testing for Buffer Overflows

Testing for buffer overflows requires testing everywhere a buffer is used. Most commonly, buffers are used to store inputs before they are processed by your application. Each of these inputs may have a buffer to hold data, and not all buffers are immediately obvious. For example, data returned from a database inquiry may be buffered. The goal of testing for a buffer overflow is to show that sending too much data to the program will cause the program to behave in an unexpected manner.
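As an added example (not code from the original article) of the boundary test this paragraph describes, in C: a fixed-size field buffer with the unsafe copy beside a bounds-checked one, and a probe that feeds inputs at and past the limit and checks that oversized data is rejected rather than written past the buffer. The limit `FIELD_MAX` and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_MAX 32  /* assumed size limit for one form field, including NUL */

/* Unsafe variant: copies whatever arrives into a fixed buffer, so input of
   FIELD_MAX bytes or more writes past the end of `field`. Kept only for
   contrast with the hardened version below; never called here. */
void store_field_unsafe(char field[FIELD_MAX], const char *input) {
    strcpy(field, input);
}

/* Hardened variant: rejects input that does not fit instead of truncating
   silently (silent truncation can itself change application behaviour).
   Returns 0 on success, -1 when the input is too long. */
int store_field_safe(char field[FIELD_MAX], const char *input) {
    const char *end = memchr(input, '\0', FIELD_MAX); /* look for NUL within limit */
    if (end == NULL) return -1;                         /* no terminator: too long */
    size_t len = (size_t)(end - input);
    memcpy(field, input, len + 1);                      /* fits, including the NUL */
    return 0;
}

/* Boundary probe: feed constructed inputs of every length from just below
   the limit up to max_len and check each is either stored intact (short
   enough) or rejected (too long). Returns the count of correctly rejected
   oversized inputs, or -1 if any input was mishandled. */
int probe_field_limits(size_t max_len) {
    char input[256];
    char field[FIELD_MAX];
    int rejected = 0;
    for (size_t n = FIELD_MAX - 2; n <= max_len && n < sizeof input - 1; n++) {
        memset(input, 'A', n);          /* constructed payload of n bytes */
        input[n] = '\0';
        int rc = store_field_safe(field, input);
        if (n < FIELD_MAX) {
            if (rc != 0 || strlen(field) != n) return -1; /* must be accepted whole */
        } else {
            if (rc != -1) return -1;                      /* must be rejected */
            rejected++;
        }
    }
    return rejected;
}
```

A test case for a real input path would replace `store_field_safe` with the handler under test and look for the same pattern: a clean rejection at the limit, never a crash or altered state.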

Conclusion

Keeping up with new technologies and the vulnerabilities they introduce is a challenge for every tester. However, following the above guidelines and keeping up with the available tools, and their applicability and usefulness in supporting the software security testing effort, will help testers prepare against security breaches.