Security Testing is successful when the following attributes of an application are intact
- Authentication
- Authorization
- Availability
- Confidentiality
- Integrity
- Non-Repudiation
The goal is to make sure that the system/application does not have any loopholes or system fallbacks.
- Authentication
  - To confirm that something or someone is authentic – true to the claims.
  - The digital identity of a user is validated and verified.
  - Is this person/package/application being truthful about their identity?
- Authorization
  - To ensure that a person/program is authorized to see the contents or make changes in an application.
  - User/access rights are used.
  - Is the package/person allowed to do this operation?
- Availability
  - To ensure that an application is up and running, with its services and information available as and when needed.
  - The number of failures is reduced and backups are kept ready.
  - Will this service do me good any time of the day?
- Confidentiality
  - To make sure that the information and services are available only when requested by and for intended users.
  - Penetration testing is done and defects are fixed.
  - Is the service and information safe from unauthorized prying eyes?
- Integrity
  - To ensure that the service provides the user with correct information.
  - It is also essential to make sure that no obsolete or outdated information is presented.
  - Does the service provide only the correct information to the user?
- Non-Repudiation
  - To ensure that the message was sent and received by authentic users only.
  - The sender/receiver must not be able to deny their involvement.
  - Did the communication happen between two legitimate users?
- In general, testing must start early to minimize defects and the cost of quality.
- Security testing must start right from the Requirements Gathering phase to make sure that the quality of the end product is high.
- This is to ensure that any intentional/unintentional unforeseen action does not halt or delay the system.
- Requirements Gathering --> Security Requirements Study
- Design --> Develop Security Test Plan
- Development/Unit Testing --> White box Security Testing
- Integration Testing --> Black box Security Testing
- System Testing --> Vulnerability Scanning
- Deployment --> Penetration Testing
- Support/Maintenance --> Post-production analysis
- Vulnerability Scanning
  - Scanning a system to find vulnerable signatures and loopholes.
- Penetration Testing
  - An attack from a hacker is simulated on the system.
- Ethical Hacking
  - The system is attacked from within to expose all the security flaws in the system.
- Risk Assessment
  - Observing the security risks in the system, classifying them as high, medium and low.
- Security Scanning
  - Network/system weaknesses are studied, analyzed and fixed.
- Security Review
  - To check that security standards have been implemented appropriately through gap analysis and code/design reviews.
https://pentesterlab.com/exercises/
- Dynamic Analysis (DAST)
- Static Analysis (SAST)
- Penetration Testing
- Fuzz Testing
- Interactive Application Security Testing
- Mobile Application Security
- Software Composition Analysis
- Software Testing Optimization
- Threat Intelligence