What all points to be considered in Security Testing?

Security testing is an important part of functional testing in which testers make sure that the application is secure enough to keep hackers and other illegitimate users from gaining access to it. Below we discuss the various security testing points that need to be taken care of when testing the security of any software application.

As we know, today almost all services like registration, banking, shopping, selling, bidding, etc. are available online, and there are huge flows of sensitive data and payment details between consumers and service providers. With the advent of online purchases using credit cards, money transfers, etc., the risk of online identity theft and of hackers stealing confidential data after obtaining these details from the internet has increased. Therefore it is one of the biggest challenges to develop and test a secure web-based application in order to keep all illicit access away from users' confidential information.

Read more on => Seven attributes of Security Testing.

Security Testing Checklist

The following points should be taken care of while testing the security of any web-based application.

1) Intranet or Secured Network: Critical web-based applications which are used only by organizations or firms use a secured network or intranet. Security testing here should always make sure that the user is able to log in only when he or she is inside this private network and is unable to access the web-based application by any means when he or she is outside this secured network.

2) Routine access checkpoint: Check the active users who are accessing the system, restrict access to those who are still on the project, and immediately delete or suspend the access of any team member who is no longer with the organization.

3) Set up Privilege levels: In any web-based application, not everyone can be an admin or have full access to every application module. Security testing should make sure that, within an application, a user with a given level of privileges such as read-only, edit, delete, etc. can perform only those operations in the project application.
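The privilege check above is easiest to test exhaustively: every privilege level is tried against every operation, and any pair where the application's decision differs from the intended matrix is reported. The following is an added example written for this post, not code from the original article; the privilege matrix, the `ProjectModule` stand-in and the deliberately broken `EveryoneIsAdminModule` are all constructed assumptions.

```python
# Constructed privilege model for this added example (an assumption, not the
# post's): each level lists exactly the operations it may perform.
PRIVILEGE_LEVELS = {
    "read-only": {"view"},
    "edit": {"view", "update"},
    "delete": {"view", "update", "delete"},
    "admin": {"view", "update", "delete", "manage_users"},
}


def is_permitted(privilege, action):
    """Grant only what the matrix lists; unknown levels or actions are denied."""
    return action in PRIVILEGE_LEVELS.get(privilege, set())


class ProjectModule:
    """Stand-in for one application module. Every operation is routed through
    is_permitted, which is the behaviour the tester wants to confirm."""

    def __init__(self):
        self.records = {"r1": "draft"}

    def perform(self, privilege, action, record_id="r1"):
        if not is_permitted(privilege, action):
            raise PermissionError(f"{privilege} may not {action}")
        if action == "view":
            return self.records.get(record_id)
        if action == "update":
            self.records[record_id] = "updated"
            return self.records[record_id]
        if action == "delete":
            return self.records.pop(record_id, None)
        if action == "manage_users":
            return ["alice", "bob"]
        raise ValueError(f"unknown action {action}")


class EveryoneIsAdminModule(ProjectModule):
    """The defect the post warns about: the caller's privilege is ignored,
    so a read-only user can delete records or manage users."""

    def perform(self, privilege, action, record_id="r1"):
        return super().perform("admin", action, record_id)


def privilege_matrix_violations(module_factory, expected=PRIVILEGE_LEVELS):
    """Exercise every privilege level against every known action on a fresh module
    instance and return the (privilege, action) pairs where the module's decision
    disagrees with the expected matrix: both wrongly allowed and wrongly refused."""
    all_actions = sorted(set().union(*expected.values()))
    violations = []
    for privilege in expected:
        for action in all_actions:
            module = module_factory()   # fresh state, so a delete cannot mask a later view
            try:
                module.perform(privilege, action)
                allowed = True
            except PermissionError:
                allowed = False
            if allowed != (action in expected[privilege]):
                violations.append((privilege, action))
    return violations


if __name__ == "__main__":
    print("correct module:", privilege_matrix_violations(ProjectModule))
    print("broken module:", privilege_matrix_violations(EveryoneIsAdminModule))
```

Running the harness against the correct module reports nothing, while the broken module produces six violations, one for each operation a lower level gains that it should not have; the same loop applied to a real application's service layer gives the tester the complete list of privilege escalations rather than the handful found by clicking through the UI.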

4) IP address masking: This protects a web-based application used in one country from users in other countries where hackers usually hack websites. It is achieved by IP masking, which makes sure that if someone attempts to log in to your web-based application from a hacker's country, it will not open there at all.
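Points 1 and 4 both come down to one decision made from the client's network address: allow the login only from the private network, and refuse it outright from ranges the organization has decided to block. The following is an added example for this post, not code from the original article; the intranet and blocked ranges are constructed assumptions (TEST-NET addresses, so no real network is named), and a country-level block in practice would substitute a country-to-range database for the small `BLOCKED_RANGES` list.

```python
import ipaddress

# Constructed policy for this added example (assumptions, not from the post):
# the private ranges the application may be reached from, and ranges the
# organisation has chosen to block outright, standing in for the post's
# "hacker's country" rule. TEST-NET addresses are used so nothing real is named.
INTRANET_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]


def _in_any(address, networks):
    return any(address in net for net in networks)


def login_allowed_from(client_ip, require_intranet=True):
    """Decide whether a login attempt from client_ip may reach the login form.

    Returns (allowed, reason). The block list is checked before the intranet
    rule, and an unparseable address is refused rather than waved through, so a
    malformed forwarded-address header cannot slip past the check.
    """
    try:
        address = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False, "unparseable client address"
    if _in_any(address, BLOCKED_RANGES):
        return False, "source range is blocked"
    if require_intranet and not _in_any(address, INTRANET_RANGES):
        return False, "outside the private network"
    return True, "ok"


def run_origin_checks(cases):
    """Tester's harness: each case is (client_ip, expected_allowed); returns the
    cases whose outcome differs from expectation, with the reason given."""
    failures = []
    for client_ip, expected in cases:
        allowed, reason = login_allowed_from(client_ip)
        if allowed != expected:
            failures.append((client_ip, allowed, reason))
    return failures


# Constructed test cases: inside the intranet, on the public internet, in the
# blocked range, an IPv6 address, and garbage that must never be accepted.
ORIGIN_CASES = [
    ("10.20.30.40", True),
    ("192.168.10.7", True),
    ("8.8.8.8", False),
    ("203.0.113.5", False),
    ("2001:db8::1", False),
    ("10.0.0.1; DROP", False),
]

if __name__ == "__main__":
    print("failing cases:", run_origin_checks(ORIGIN_CASES))
```

The check is only as good as the address it is given: behind a reverse proxy the application must take the client address from the proxy's forwarded header and from nothing else, so the test plan should include attempts from outside the network that carry forged headers, and the application-level rule should be backed by a firewall or VPN so that "by any means" holds even if the web tier is misconfigured.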

5) Cookies: Cookies are used to store information about users locally in the browser cache for sites which use them. The server sends the details needed to authenticate the user when the browser on the same machine is used again. Since information about the user is present locally on the machine, the user's profile is prone to being hacked. From a security testing point of view, it should always be made sure that the user information stored in the browser is encrypted and that the server has the correct key to decrypt it. Also, the site should avoid saving passwords and other security credentials in cookies. Cookies are best used for shopping websites, where the items in the shopping cart can be stored in them. Also, cookies should be programmed so that they expire after the information stored in them has not been used for a long time.
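The cookie checks above (no credentials in cookies, cookies that expire, cookie data not exposed on the client) can be run directly against the `Set-Cookie` headers a response returns. The following is an added example for this post, not code from the original article; the 30-day lifetime limit, the list of credential-like words and the sample headers are constructed assumptions, and the Secure and HttpOnly attributes it checks are the standard browser attributes that keep a cookie off plain HTTP and away from page scripts.

```python
import re

# Assumptions for this added check (not from the post): a cookie valid longer
# than 30 days counts as "not expiring", and names or values matching these
# words are treated as credentials that should not be in a cookie at all.
LONG_LIVED_SECONDS = 30 * 24 * 3600
CREDENTIAL_PATTERN = re.compile(r"pass(word|wd)?|pwd|secret|answer|token", re.IGNORECASE)

FINDING_TEXT = {
    "no-secure": "missing Secure attribute: cookie would also be sent over plain HTTP",
    "no-httponly": "missing HttpOnly attribute: cookie readable by page scripts",
    "credential-in-cookie": "credential-like name or value stored in the cookie",
    "expiry-too-long": "Max-Age exceeds the allowed lifetime",
    "bad-max-age": "Max-Age is present but not a positive integer",
}


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return the list of finding codes for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no-secure")
    if "httponly" not in attrs:
        findings.append("no-httponly")
    if CREDENTIAL_PATTERN.search(name) or CREDENTIAL_PATTERN.search(value):
        findings.append("credential-in-cookie")
    max_age = attrs.get("max-age")
    if max_age is not None:          # absent means a session cookie, which is fine
        if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > 0:
            if int(max_age) > LONG_LIVED_SECONDS:
                findings.append("expiry-too-long")
        else:
            findings.append("bad-max-age")
    return findings


def audit_response_cookies(headers):
    """Audit every Set-Cookie header of one response; returns {cookie name: findings}."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}


# Constructed sample response headers (not captured from any real site).
SAMPLE_SET_COOKIE_HEADERS = [
    "session=3f9a1c7e; Path=/; Secure; HttpOnly; Max-Age=1800; SameSite=Strict",
    "cart=item42,item17; Path=/; Secure; Max-Age=604800",
    "remember_password=hunter2; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for cookie, codes in audit_response_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie, [FINDING_TEXT[c] for c in codes] or "ok")
```

In the constructed sample the session cookie passes, the shopping-cart cookie is flagged only for being readable by scripts (which may be acceptable for a cart and is a judgement call for the tester), and the `remember_password` cookie fails on every count: it is exactly the saved credential the post says should never be in a cookie, and it lives for a year.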

6) Encryption and Decryption: The security system for logging in to the website should store the user id and password in the database only after encryption, so that they are unreadable from the database. While logging in to the website, the system should be able to decrypt these details during authentication. Passwords and answers to security questions should never be visible to the front-end user, nor to the back-end user at the database level. This is the best authentication security.
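The property the post is after is that nobody reading the database, not even an administrator, can recover a password or a security answer. The following added example (written for this post, not taken from the original article) shows the form that gives the strongest version of that property: instead of reversible encryption, each secret is stored as a salted one-way hash using PBKDF2 from the standard library, so authentication recomputes the hash and compares it and there is no key that could decrypt the stored value. The record layout, the iteration count and the sample account are constructed assumptions.

```python
import hashlib
import hmac
import os

# Storage format for this added example (an assumption): algorithm$iterations$salt$digest.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000          # high enough to make offline guessing slow


def hash_secret(secret, salt=None, iterations=ITERATIONS):
    """One-way hash of a password or security answer with a fresh random salt,
    so two users with the same secret still get different stored values."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret, stored):
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed stored values are rejected instead of raising."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def normalize_answer(answer):
    """Security answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())


def create_account(user_id, password, security_answer):
    """The row as it would be written to the database: nothing recoverable in it."""
    return {
        "user_id": user_id,
        "password": hash_secret(password),
        "security_answer": hash_secret(normalize_answer(security_answer)),
    }


def authenticate(record, password):
    return verify_secret(password, record["password"])


def check_security_answer(record, answer):
    return verify_secret(normalize_answer(answer), record["security_answer"])


def stored_record_leaks(record, *secrets):
    """Tester's check: which of the plaintext secrets appear anywhere in the stored row?"""
    blob = "|".join(str(v) for v in record.values()).lower()
    return [s for s in secrets if s.lower() in blob]


if __name__ == "__main__":
    row = create_account("alice", "Tr0ub4dor&3", "  Fluffy  ")   # constructed sample account
    print(row)
    print("login ok:", authenticate(row, "Tr0ub4dor&3"))
    print("leaks:", stored_record_leaks(row, "Tr0ub4dor&3", "Fluffy"))
```

`stored_record_leaks` is the check a tester can run against a real database export: dump the user table and search it for the plaintext credentials of a test account; any hit means the post's requirement is not met, whichever scheme the developers believe they are using.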

7) Use of Loggers: Loggers are the server-generated files which reveal the health and functioning of the web-based application. Loggers have different levels such as info, debug, error, fatal, etc. Based on these levels, the required verbosity of the logs can be managed. The info level has the highest verbosity whereas the fatal level has the lowest verbosity. Testers should make sure that the loggers on the server are not writing any secure information like passwords, security answers, etc. in any form that can be used by a hacker or malicious user. Loggers should always be less verbose in production, usually set at the error level, so that they can be used only to diagnose technical issues after the web-based application goes live.
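Two things from the point above can be checked mechanically: scan the captured log files for credential-like key/value pairs, and confirm the production logger is set to the error level with a redaction step in front of every handler. The following is an added example for this post, not code from the original article; the list of sensitive key names, the sample log lines and the logger name are constructed assumptions.

```python
import logging
import re

# Key names this added example treats as sensitive (an assumption, not the post's list).
SENSITIVE_KEYS = r"password|passwd|pwd|security_answer|answer|token|secret"
SECRET_PATTERN = re.compile(
    r"(?P<key>" + SENSITIVE_KEYS + r")"
    r"(?P<sep>[\"']?\s*[=:]\s*[\"']?)"       # key=value, key: value, "key": "value"
    r"(?P<value>[^\s,;&\"']+)",
    re.IGNORECASE,
)


def find_secret_leaks(log_lines):
    """Tester's check over captured log lines: returns (line number, key) for
    every secret-looking key/value pair found."""
    leaks = []
    for number, line in enumerate(log_lines, start=1):
        for match in SECRET_PATTERN.finditer(line):
            leaks.append((number, match.group("key").lower()))
    return leaks


def redact(text):
    """Replace the value of every sensitive key, keeping the key so the log stays diagnosable."""
    return SECRET_PATTERN.sub(lambda m: f"{m.group('key')}{m.group('sep')}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Formats the record early and redacts it, so the secret never reaches a handler."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def configure_production_logger(name="webapp"):
    """The production setting from the post: error level only, with redaction in front."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.ERROR)
    logger.addFilter(RedactingFilter())
    return logger


def log_as_seen_by_handlers(fmt, *args, name="webapp"):
    """Build a record the way logger.error(fmt, *args) would, run the logger's
    filters and return the text a handler (and so the log file) would receive."""
    logger = configure_production_logger(name)
    record = logger.makeRecord(name, logging.ERROR, "webapp.py", 0, fmt, args, None)
    logger.filter(record)
    return record.getMessage()


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    "2024-05-01 10:00:01 INFO  login attempt user=alice password=hunter2 from=10.0.0.5",
    "2024-05-01 10:00:02 DEBUG reset flow security_answer=fluffy for user=alice",
    "2024-05-01 10:00:03 ERROR db connection timeout after 30s",
    '2024-05-01 10:00:04 INFO  session created {"user": "bob", "token": "eyJhbGciOi"}',
]

if __name__ == "__main__":
    print("leaks:", find_secret_leaks(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact(line))
    print(log_as_seen_by_handlers("failed login user=%s password=%s", "alice", "hunter2"))
```

The scanner is the tester's tool (run it over the log directory after a full regression pass that exercised login, password reset and session creation), while the filter is the developer-side fix; keeping the key name in the redacted output preserves the diagnostic value the post wants from error-level logs without keeping the secret.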

8) Hackers Attack: Hackers usually load data in high volume in batches onto a web-based application in order to break the system. The web-based application should be robust enough to withstand this bulk login data, and if any user id is used to attempt to log in more than three times with the wrong password, then it should be blocked immediately and the user and the website security incident team notified by email or SMS.
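The rule above has two parts that a login handler can enforce and a tester can verify: a per-account lock once more than three wrong passwords have been tried, with a notification, and some protection against bulk login traffic from one source. The following is an added example for this post, not code from the original article; the per-source rate limit, its window and the injected `notify` callback standing in for email/SMS are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Thresholds for this added example: the post's "more than three wrong
# passwords" rule (three are tolerated, the fourth locks), plus a per-source
# rate limit (an assumption) for the bulk-login case.
MAX_FAILED_ATTEMPTS = 3
SOURCE_WINDOW_SECONDS = 60
MAX_ATTEMPTS_PER_SOURCE = 20


class LoginGuard:
    """Wraps a password check with per-account lockout and per-source rate limiting.

    verify_password(user_id, password) -> bool is the application's own check;
    notify(user_id, source_ip) stands in for the email/SMS to the user and the
    security incident team; clock is injectable so tests need not sleep.
    """

    def __init__(self, verify_password, notify, clock=time.monotonic):
        self.verify_password = verify_password
        self.notify = notify
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked = set()
        self.source_attempts = defaultdict(deque)

    def _source_over_limit(self, source_ip):
        """Sliding-window count of attempts from one source address."""
        now = self.clock()
        attempts = self.source_attempts[source_ip]
        attempts.append(now)
        while attempts and now - attempts[0] > SOURCE_WINDOW_SECONDS:
            attempts.popleft()
        return len(attempts) > MAX_ATTEMPTS_PER_SOURCE

    def attempt(self, user_id, password, source_ip):
        """Returns one of: ok, wrong-password, locked, rate-limited."""
        if self._source_over_limit(source_ip):
            return "rate-limited"
        if user_id in self.locked:
            return "locked"          # a correct password does not unlock an account
        if self.verify_password(user_id, password):
            self.failures[user_id] = 0
            return "ok"
        self.failures[user_id] += 1
        if self.failures[user_id] > MAX_FAILED_ATTEMPTS:
            self.locked.add(user_id)
            self.notify(user_id, source_ip)
            return "locked"
        return "wrong-password"

    def unlock(self, user_id):
        """Manual reset after the incident team has reviewed the notification."""
        self.locked.discard(user_id)
        self.failures[user_id] = 0


if __name__ == "__main__":
    sent = []
    guard = LoginGuard(lambda u, p: (u, p) == ("alice", "correct"),
                       lambda u, ip: sent.append((u, ip)))   # constructed test account
    for _ in range(4):
        print(guard.attempt("alice", "wrong", "10.0.0.9"))
    print("notifications:", sent)
```

The test plan that follows from this is the one the post describes: four wrong passwords must produce a lock and exactly one notification, a correct password must not clear the lock, and a burst of attempts against many different user ids from one address must start being refused without touching those accounts' failure counters.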

Check more details on => Security Testing approach for Web Applications

Over to you: Web-based application testing is really a challenging job in which the tester has to act like a hacker in order to break the security of the system. By doing so, the project team will be more focused on building more advanced security features, and hence a more robust web-based application.


Happy Testing!!!

2 thoughts on “What all points to be considered in Security Testing?”

  1. Hi,
    Nice website. I am a fresher in the testing field, could you please let me know from where I can start and what all I should focus on.

    Thanks in advance, your help will be really appreciated.

    -Ryan
