If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.

Bruce Schneier

What is Security Testing?

Security testing is a type of software testing that evaluates a software's readiness to counter threats to its data and its resources from possible intruders. Its main objective is to expose security flaws in the system which hackers can exploit. Security testing helps in ensuring data safety and software availability and preventing system misuse from malicious hackers.

Areas of Security Testing

In Security testing, there are four clear areas involved.

Network Security
Network security testing inspects the network infrastructure's software and hardware for vulnerabilities — for example:finding open ports to exploit.
System Software Security
System software security examines the operating systems and other system programs for weaknesses — for example: checking if the operating system has the latest security patches applied.
Client-side Application Security
Client-side application security scrutinizes weaknesses on the client-side — for example: verifying whether cookies are encrypted and marked as secure.
Server-side Application Security
Server-side application security looks for holes in server-side code — for example: verifying whether the application is secure against the OWASP Top Ten attacks.

Types of Security Testing

Security Audit
Security auditing, also called security review, is a well-defined process to review the code, its dependent systems, and procedures against industry-accepted standards. This audit will detect gaps like storing passwords in plain-text, allowing SSH access to servers with weak passwords, etc.
Vulnerability Scanning
Vulnerability scanning involves running automated programs that scan your systems for common security holes, like a database server running without the latest security updates or a misconfigured file server that exposes sensitive data. Vulnerability scans produce a list of vulnerabilities, and most offer their remedies. For example, it will tell you that your OS uses version 1.1 of the OpenSSH library and that you should update it to 1.3.
Penetration Testing
Penetration testing, also known as pen testing, is using a combination of tools and techniques to find security fissures in the software. Pen testing includes testing applications for SQL injection, XSS, and other common attack patterns. Pen testing is often done by security experts in collaboration with developers and administrators using tools that emulate hackers' behavior.
Red team testing
Red teaming, also called ethical hacking, tests how well the software, its environment, and the team respond to an attack. Red teaming is like pen testing but is carried out by white-hat hackers. The simulation verifies the software and also the team's battle-readiness in responding to real-world attacks.

How to incorporate security testing into the SDLC?

Delays cost more and security testing is no exception. As seen from the image below, what costs a dollar to fix in the design phase can cost a hundred if detected in a production system.

Let's look at the necessary security testing processes to be implemented in SDLC for each phase.

Phase 1 - Requirements

In this phase, you identify security considerations for the functional requirements. For example, let's say that there is the usual requirement to reset your password. You should qualify this feature by asking some security-related questions like:

  • How long should the link be valid?
  • Whether the software should send the link via email or SMS?

Phase 2 - Design

This phase interprets the requirements into what they should look like in the actual application. If we continue with the above example of password reset, this phase will specify that the USER table has PASSWORD_RESET_EXPIRES and PASSWORD_RESET_CODE columns to store the corresponding values.

Designers should base the security design on industry best practices. For example, storing a random six-digit code will be considered sufficient if the link expires in less than five minutes.

Designers can also specify related behaviors. For example, the design can mandate that if a password reset is attempted from an IP address with an incorrect code more than ten times in a row, that IP address should be blocked.

Phase 3 - Coding

Good design is necessary for secure code. Without it, coders will implement security that is most likely flaky. Continuing with the above example, coders will implement the reset password functionality specified in the design, followed by writing unit tests.

Code reviews are essential as they double-check the implementation details. For example, it should verify that the number is indeed random.

Phase 4 - Testing

In addition to testing functionality, testers should also test the security considerations using a combination of white-box testing and black-box testing.

In the reset password example, they can check that the link works as expected when clicked within five minutes but is invalid after that. They can also check that the link does not work if they edit the URL and change the code. They can also verify that the code is different and seemingly random every time in the reset password link.

Testing should also check for the security of third-party libraries and software.

Phase 5 - Maintenance

Security monitoring and patching are essential even after the application is released. Vulnerabilities that slipped through the cracks are often found long after a software's release. Some may be in the code, but many exist in the underlying operating system or third-party software components that constitute an application.

There should be a well-defined process for monitoring the dependent components like:

  • Operating Systems
  • System software like web servers and load balancers
  • Application software like databases and third-party libraries

There should also be a plan for dealing with security defects, including rewarding those who identified holes in your code.

Why is Security Testing Important?

Your software may have the best features, but if end-users think it is unsafe, they will drop it like a hot potato.

With so many web-based penetration tools available today, anybody can become a hacker. And with social media, making your customer aware of security holes in your software is also easy. Remember, hackers don't necessarily do it for profit; some do it for fun.

If you are judged to have taken security lightly, new laws like GDPR will expose you to legal liabilities and penalties.