Security Testing overview | David Tzemach
Updated: Jan 26, 2022
Security is a set of measures that protect an application against unforeseen actions that may cause it to stop functioning or be exploited. Every organization must ensure the confidentiality and integrity of its products.
What is security testing?
Security testing verifies that the system under test is free of security holes, threats, and weaknesses that could jeopardize customer data and lead to information being lost to insiders or to attackers outside the organization.
Other consequences of a security failure explain why this area of testing is not optional:
Loss of reputation that leads to a reduction in revenue.
Loss of customer trust in the product and organization.
Legal implications and fees due to lawsuits.
Time lost in recovering from a system failure.
Types of security testing
There are four types of security testing:
Risk assessment – This involves analyzing the security risks observed in the organization. As part of this process, issues are identified, prioritized, and remediated to reduce the overall risk.
Penetration testing – This simulates an attack from outside the organization. A particular system is analyzed to reveal vulnerabilities that an external attacker could exploit.
Security auditing – This is an internal inspection of the product to reveal security flaws. A security audit can be carried out by an expert who inspects specific parts of the code.
Vulnerability scanning – This is done with automated tools that evaluate the product against signatures of known vulnerabilities.
Common types of threats
Here are examples of the types of threats that security testing activities aim to uncover.
Password cracking – To access the private areas of an application, attackers can use password cracking tools or try guessing common usernames and passwords of legitimate users.
SQL injection – This is probably the most common application-layer attack. The attacker submits malicious SQL fragments through input fields so that the database executes them. With this relatively simple technique, an attacker can read and manipulate critical data in the server database.
Data manipulation – Attackers access and modify data used by a website in order to embarrass the website owners, for example by changing HTML pages to be offensive.
Denial of service (DoS) – This is an explicit attempt by an attacker to make a system, network, or service unavailable to legitimate users.
Privilege elevation – An attacker who already has an account on the system raises their privileges above the level they were granted in order to compromise the entire system.
Identity spoofing – A technique in which an attacker uses the credentials of a legitimate user to launch attacks against network hosts or to bypass access controls.
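The SQL injection entry above, illustrated with an added example that is not from the original article: a login check that builds its query by string formatting (the flaw a security test looks for) next to the same check written with bound parameters, against a constructed in-memory SQLite table. Table and user data are invented for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demonstration only. A real system would
    # store a password hash, never the plaintext password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    # Input is pasted straight into the SQL text, so a quote character in an
    # entry field changes the structure of the statement the database runs.
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders hand the values to the driver separately from the statement;
    # whatever the field contains is compared as data, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    # Runs both versions on the same input; a difference flags the injection.
    conn = make_db()
    return login_vulnerable(conn, username, password), login_parameterized(
        conn, username, password
    )
```

A test case that feeds a quote-bearing string into the password field and expects both functions to reject it is the kind of check a security test suite adds alongside the ordinary valid-login case.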