
What all points to be considered in Security Testing?

Security testing is an important part of functional testing in which testers make sure that the application is secure enough to keep hackers and other illicit users from gaining access to it. Below we discuss the various security testing points that need to be taken care of when testing the security of any software application.

As we know, today almost all services such as registration, banking, shopping, selling, bidding, etc. are available online, and huge flows of confidential data and payment details pass between consumers and service providers. With the advent of online purchases using credit cards, money transfers, etc., the risk of hackers stealing identities and confidential data after obtaining these details from the internet has increased. Therefore it is one of the biggest challenges to develop and test a secure web based application that keeps all illicit access away from users' confidential information.

Read more on => Seven attributes of Security Testing.

Security Testing Checklist

The following points should be taken care of while testing the security of any web based application.

1) Intranet or Secured Network: Critical web based applications that are used only within an organization or firm use a secured network or intranet. Security testing here should always make sure that a user is able to log in only while on this private network and is unable to access the web based application by any means from outside it.

2) Routine access checkpoint: Routinely check which active users are accessing the system, restrict access to those who are still on the project, and immediately delete or suspend the access of any team member who is no longer with the organization.

3) Set up privilege levels: In any web based application, not everyone can be an admin or have full access to every module. Security testing should make sure that a user with a given level of privileges, such as read-only, edit or delete, can perform only those operations within the project application.
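Points 2 and 3 describe one access decision: is the user still active, and does their privilege level permit the operation? The following is an added example (not code from the post) of how a tester might model that decision so each row of a privilege matrix can be checked mechanically. The privilege levels come from the post; the operation names and the `ProjectAccess` class are assumptions made for the example.

```python
from dataclasses import dataclass

# Privilege levels from the post, mapped to the operations each may perform.
# The operation names are assumptions for this example.
PRIVILEGES = {
    "read-only": {"view"},
    "edit": {"view", "edit"},
    "delete": {"view", "edit", "delete"},
    "admin": {"view", "edit", "delete", "manage_users"},
}


@dataclass
class User:
    user_id: str
    level: str
    active: bool = True


class ProjectAccess:
    """Access checks for one project application: active status first, then privilege."""

    def __init__(self):
        self.users = {}

    def add_user(self, user_id, level):
        if level not in PRIVILEGES:
            raise ValueError("unknown privilege level: %s" % level)
        self.users[user_id] = User(user_id, level)

    def offboard(self, user_id):
        """Point 2: suspend access as soon as someone leaves; the record stays for audit."""
        self.users[user_id].active = False

    def authorize(self, user_id, operation):
        user = self.users.get(user_id)
        if user is None or not user.active:
            return False  # unknown or suspended users get nothing (deny by default)
        return operation in PRIVILEGES[user.level]

    def active_users(self):
        """Point 2: the list to review at each routine access checkpoint."""
        return sorted(u.user_id for u in self.users.values() if u.active)


if __name__ == "__main__":
    acl = ProjectAccess()
    acl.add_user("alice", "read-only")
    acl.add_user("bob", "delete")
    acl.add_user("carol", "edit")
    acl.offboard("carol")
    for uid, op in [("alice", "view"), ("alice", "edit"), ("bob", "delete"), ("carol", "view")]:
        print(uid, op, "allowed" if acl.authorize(uid, op) else "denied")
    print("active users to review:", acl.active_users())
```

The deny-by-default ordering matters for testing: a suspended account with a high privilege level must still be refused every operation, which is the case a tester checks right after an offboarding.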

4) IP address masking: This protects a web based application serving users in one country from users in other countries from which hackers usually attack websites. It is achieved by IP masking: if someone attempts to log in to your web based application from a hacker's country, it will not open there at all.
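Points 1 and 4 both restrict logins by the network the client connects from, so one check covers them: the address must fall inside the private network (point 1) and must not fall inside a denied range (point 4). The code below is an added example, not from the post; the intranet ranges and the denied range are constructed sample values (a real deployment would fill the deny list from a geolocation database), and `login_allowed` and `run_checks` are names chosen for this example.

```python
import ipaddress

# Constructed sample ranges for this example (not from the post): the
# organisation's private network, and a deny list that a real deployment would
# populate from a geolocation database for the countries it blocks.
INTRANET_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]
DENIED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, a documentation range


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def login_allowed(client_address, intranet_only=True):
    """Decide whether a login may proceed from this client address.

    Returns (allowed, reason). The address must be the one seen on the
    connection (or supplied by a proxy you control); headers such as
    X-Forwarded-For can be set by the client and must not be trusted directly.
    """
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:
        return False, "malformed address"
    if intranet_only and not _in_any(ip, INTRANET_RANGES):
        return False, "outside private network"
    if _in_any(ip, DENIED_RANGES):
        return False, "address in denied range"
    return True, "ok"


def run_checks():
    """Test-case table a tester could extend: (address, intranet_only, expected)."""
    cases = [
        ("10.1.2.3", True, True),         # inside the intranet
        ("192.168.5.9", True, True),
        ("8.8.8.8", True, False),         # public address, intranet-only application
        ("8.8.8.8", False, True),         # public application, address not denied
        ("203.0.113.7", False, False),    # public application, denied range
        ("not-an-ip", False, False),      # malformed input is rejected, not crashed on
    ]
    return [(addr, login_allowed(addr, intranet_only)[0] == expected)
            for addr, intranet_only, expected in cases]


if __name__ == "__main__":
    for addr, passed in run_checks():
        print("%-14s %s" % (addr, "PASS" if passed else "FAIL"))
```

The test table is the useful artifact for a tester: each row states where the request comes from and what the application must do, and the malformed-address row checks that bad input is refused rather than crashing the login path.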

5) Cookies: Cookies are used to store information about users locally in the browser cache for sites that use them. The server sends these details to authenticate the user when the same browser on the same machine is used again. Because information about the user is present locally on the machine, the user profile is prone to being hacked. From a security testing point of view, it should always be made sure that user information stored in the browser is encrypted and that the server has the correct key to decrypt it. Also, the site should avoid saving passwords and other security credentials in cookies. Cookies are best used on shopping websites, where the items in a shopping cart can be stored in them. Cookies should also be programmed to expire once the information stored in them has not been used for a long time.
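Three of the cookie requirements above can be checked in code: the server must be able to tell whether a cookie it receives is unchanged, credentials must never be written into one, and a cookie must stop working after its lifetime. The example below is added here and is not code from the post. It uses an HMAC signature with a server-side key so that any edit to the cookie on the client is detected; encrypting the contents as well is a separate step not shown. The signing key, the forbidden key names and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side key for this example; a real deployment loads it from
# configuration and rotates it.
SECRET_KEY = b"example-only-cookie-signing-key"

# Point 5: credentials never go into a cookie, signed or not.
FORBIDDEN_KEYS = {"password", "security_answer", "pin"}


def cookie_payload_ok(payload):
    """True when the payload contains none of the credential fields."""
    return not (FORBIDDEN_KEYS & set(payload))


def _sign(raw):
    return hmac.new(SECRET_KEY, raw, hashlib.sha256).digest()


def issue_cookie(payload, ttl_seconds, now=None):
    """Serialise payload with an expiry and append an HMAC so client-side edits are detectable."""
    if not cookie_payload_ok(payload):
        raise ValueError("credentials must not be stored in a cookie")
    now = time.time() if now is None else now
    body = dict(payload, exp=int(now) + ttl_seconds)
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return "%s.%s" % (base64.urlsafe_b64encode(raw).decode(),
                      base64.urlsafe_b64encode(_sign(raw)).decode())


def read_cookie(cookie, now=None):
    """Return the payload if the signature is valid and it has not expired, else None."""
    now = time.time() if now is None else now
    try:
        raw_b64, sig_b64 = cookie.split(".", 1)
        raw = base64.urlsafe_b64decode(raw_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not hmac.compare_digest(sig, _sign(raw)):
        return None  # tampered or forged: checked before the body is parsed at all
    body = json.loads(raw)
    if body.get("exp", 0) < now:
        return None  # stale cookie: treated as absent
    return body


if __name__ == "__main__":
    cookie = issue_cookie({"user": "alice", "cart": ["sku-1"]}, ttl_seconds=3600)
    print("valid now:   ", read_cookie(cookie))
    print("after expiry:", read_cookie(cookie, now=time.time() + 7200))
    print("tampered:    ", read_cookie(cookie.split(".")[0] + ".AAAA"))
```

The order inside `read_cookie` is deliberate: the signature is checked before the JSON is parsed, so unsigned input never reaches the parser, and the comparison uses `hmac.compare_digest` rather than `==`.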

6) Encryption and Decryption: The system used to log in to a website should store the user id and password in the database in encrypted form, so that they are unreadable from the database. While logging in to the website, the system should be able to decrypt these details during authentication. Passwords and answers to security questions should never be visible to front end users, nor to back end users at the database level. This is the best authentication security.
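The requirement above is that neither a password nor a security answer is readable from the database, and that the login path can still verify what the user types. The added example below (not code from the post) goes one step beyond the text: it stores a salted one-way hash (PBKDF2 from the Python standard library) instead of a reversible encryption, which meets the "unreadable at database level" requirement without the server having to hold a key that could decrypt every record. Security answers are stored the same way. The iteration count, record format and function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 210_000  # PBKDF2 work factor; tune to your hardware and raise over time


def hash_password(password, salt=None):
    """Return a storable record: algorithm, iterations, salt and digest, base64 encoded."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password, stored):
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than raise on the login path
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def record_exposes_secret(stored, secret):
    """Point 6 check a tester can run over a database export: the plaintext must not appear."""
    return secret in stored


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    record = hash_password("hunter2")
    answer_record = hash_password("first pet: fluffy")
    print("stored record:", record)
    print("correct password verifies:", verify_password("hunter2", record))
    print("wrong password verifies:  ", verify_password("hunter3", record))
    print("plaintext visible in DB:  ", record_exposes_secret(record, "hunter2"))
    print("security answer verifies: ", verify_password("first pet: fluffy", answer_record))
```

Because the salt is random per record, two users with the same password get different stored values, which is one of the things `record_exposes_secret` cannot tell you but a tester should also look for in an export.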

7) Use of Loggers: Logs are server generated files that reveal the health and functioning of the web based application. Loggers have different levels such as info, debug, error, fatal, etc., and the required verbosity of the logs can be managed through these levels. The info level has the highest verbosity whereas the fatal level has the lowest. Testers should make sure that the server logs do not emit any secured information such as passwords, security answers, etc. in any form that could be used by a hacker or malicious user. Loggers should always be less verbose, usually set at error level, so that they can be used to diagnose only technical issues after the web based application goes live in production.
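The two checks in point 7 are that the production log level is error (so info and debug lines never reach the file) and that whatever is logged carries no passwords or security answers. The added example below, which is not code from the post, shows both with the Python standard `logging` module: a filter redacts credential-looking fields before the line is written, and the same sample messages are emitted at error level and at info level so the difference is visible. The redaction pattern, the logger name and the sample log messages are constructed for this example.

```python
import io
import logging
import re

# Constructed pattern for this example: field names that should never reach a
# log file, followed by = or : and a value. Extend it for your own field names.
SECRET_PATTERN = re.compile(
    r"(?i)\b(password|passwd|pwd|security_answer|secret_answer|token)\s*[=:]\s*\S+")


def redact(text):
    """Replace the value of any credential field with a fixed marker."""
    return SECRET_PATTERN.sub(lambda m: "%s=[REDACTED]" % m.group(1), text)


class RedactSecrets(logging.Filter):
    """Handler filter: render the message, then scrub it before it is written."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated above
        return True


def make_logger(level=logging.ERROR):
    """Logger writing to an in-memory stream so the output can be inspected."""
    stream = io.StringIO()
    logger = logging.getLogger("example.app")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(level)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    return logger, stream


def run_samples(level=logging.ERROR):
    """Emit constructed sample messages and return what reached the log."""
    logger, stream = make_logger(level)
    logger.info("user=%s password=%s logged in", "alice", "hunter2")
    logger.error("auth failed for user=%s password=%s", "bob", "letmein")
    logger.error("security_answer: fluffy did not match stored answer")
    return stream.getvalue()


if __name__ == "__main__":
    print("--- production setting (error level) ---")
    print(run_samples(logging.ERROR), end="")
    print("--- development setting (info level) ---")
    print(run_samples(logging.INFO), end="")
```

The filter is attached to the handler rather than the logger so it runs after the level check; at error level the info line is dropped before it is formatted, and the two error lines that do get written show `[REDACTED]` where the password and security answer were.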

8) Hackers' attacks: Hackers usually load data in high volume in batches onto a web based application in order to break the system. A web based application should be robust enough to withstand this bulk login data, and if any user id is attempted to be logged in with a wrong password more than three times, it should be blocked immediately and the user and the website's security incident team notified by email or SMS.
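The lockout rule in point 8 is small enough to write out and test: count wrong passwords per user id, block the account at the threshold, and fire a notification that the email or SMS sender can pick up. The following is an added example, not code from the post; the `LoginGuard` class, the notification callback and the simulated batch of guesses are constructed for this example, and the threshold of three failures is taken from the post.

```python
from collections import defaultdict

MAX_FAILURES = 3  # the post's threshold: block after three wrong passwords


class LoginGuard:
    """Track failed logins per user id and lock the account at the threshold."""

    def __init__(self, notify):
        self.notify = notify  # callable(user_id, message): email/SMS hook, assumed for the example
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user_id, password_ok):
        """Return 'ok', 'denied' or 'locked'. Call after the password check, not instead of it."""
        if user_id in self.locked:
            return "locked"  # even a correct password is refused until the account is unlocked
        if password_ok:
            self.failures.pop(user_id, None)  # a success resets the counter
            return "ok"
        self.failures[user_id] += 1
        if self.failures[user_id] >= MAX_FAILURES:
            self.locked.add(user_id)
            self.notify(user_id, "account locked after %d failed logins" % MAX_FAILURES)
            return "locked"
        return "denied"

    def unlock(self, user_id):
        """Called by the incident team or a verified recovery flow."""
        self.locked.discard(user_id)
        self.failures.pop(user_id, None)


def simulate_bulk_guessing(user_id="alice", guesses=("a", "b", "c", "d")):
    """Constructed scenario: a batch of wrong guesses against one account,
    followed by the real user logging in with the right password."""
    sent = []
    guard = LoginGuard(lambda uid, msg: sent.append((uid, msg)))
    outcomes = [guard.attempt(user_id, password_ok=False) for _ in guesses]
    outcomes.append(guard.attempt(user_id, password_ok=True))
    return outcomes, sent


if __name__ == "__main__":
    outcomes, sent = simulate_bulk_guessing()
    print("outcomes:     ", outcomes)
    print("notifications:", sent)
```

One thing a tester should note from the simulation: the legitimate user is also locked out once the threshold is hit, so anyone who can submit wrong passwords for a known user id can deny that user access. That is why the post pairs the block with an immediate notification, and why many deployments make the lock temporary and add per-source rate limiting for the bulk case.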

Check more details on => Security Testing approach for Web Applications


Over to you: Testing a web based application is really a challenging job, where the tester has to act like a hacker in order to break the security of the system. By doing so, the project team will be focused on building more advanced security features and hence a more robust web based application.


Happy Testing!!!

2 comments to What all points to be considered in Security Testing?

  • Ryan

    Nice website. I am a fresher in the testing field, could you please let me know where I can start and what all to focus on.

    Thanks in advance, your help will be really appreciated.


  • sashidhar

    Are there any automation tools to test this security? Which automation tool is suitable for testing website projects?
