subject: Security Testing : An Overview The term Security Testing refers to protecting data from threats and leakage while making sure that the functionality of the application stays intact. Testing software security is sometimes misunderstood: some people think it refers only to the security of displayed data, but this is not the case. In the modern world, the internet has become an integral part of our everyday activities, such as social networking, shopping, banking, etc. All of these services need security to avoid being misused. Everything that we share on the internet is secure information that is limited to a number of users who have access to it; if this fails, confidential information may be disclosed.
Security testing services are of prime importance for running a successful business, as every record of the company and its employees must be kept confidential. Most websites hold private details, such as credit card numbers, passwords, contact numbers, e-mail IDs, etc., which should not be revealed to unauthenticated users. Security testing, when properly done, goes deeper than black-box testing of the presentation layer, since testing is done with application security tools; it even goes beyond the functional testing of security applications.
The six security concepts that a security tester should always keep in mind are: authentication, authorization, availability, confidentiality, integrity, and non-repudiation.
Authentication- Authentication is the check whereby a system securely identifies its users. Authentication may provide answers to the following questions:
Is the user genuine?
Is the user exactly what he/she represents himself/herself to be?
Authorization- Authorization is the process in which the system checks the permissions granted to the user. For example, a Facebook user is allowed to see only the public details of other users. Authorizing systems provide answers to the following questions:
Is the user authorized to view resources?
Is the user authorized to modify details?
Is the user authorized to modify others' details?
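As an added example (not code from the original article), the three authorization questions above turned into runnable security test cases against a small constructed profile store; the profile records, the function names and the owner-only edit rule are assumptions made for the illustration.

```python
# Added example: a minimal profile store with an owner-only authorization
# policy, plus test cases that encode the three authorization questions.
# All records and names here are constructed for the illustration.
from dataclasses import dataclass, field


@dataclass
class Profile:
    owner: str
    public: dict = field(default_factory=dict)   # visible to everyone
    private: dict = field(default_factory=dict)  # visible to the owner only


PROFILES = {
    "alice": Profile("alice", {"name": "Alice"}, {"phone": "555-0100"}),
    "bob": Profile("bob", {"name": "Bob"}, {"phone": "555-0199"}),
}


def visible_details(requester: str, target: str) -> dict:
    """Return the fields `requester` is authorized to view on `target`."""
    profile = PROFILES[target]
    if requester == profile.owner:
        return {**profile.public, **profile.private}
    return dict(profile.public)  # other users: public details only


def update_detail(requester: str, target: str, key: str, value: str) -> bool:
    """Apply an edit only when the requester owns the profile; else refuse."""
    profile = PROFILES[target]
    if requester != profile.owner:
        return False  # authorization denied: cannot modify others' details
    profile.public[key] = value
    return True


def run_authorization_tests() -> dict:
    """Security test cases answering the three authorization questions."""
    results = {}
    # Q1: view resources -> another user sees public, never private, fields.
    seen = visible_details("bob", "alice")
    results["view_resources"] = "name" in seen and "phone" not in seen
    # Q2: modify own details -> the owner's edit is accepted.
    results["modify_own"] = update_detail("alice", "alice", "name", "Alice A.")
    # Q3: modify others' details -> refused, and the record is left intact.
    denied = not update_detail("bob", "alice", "name", "Mallory")
    intact = PROFILES["alice"].public["name"] == "Alice A."
    results["modify_others_denied"] = denied and intact
    return results
```

The negative case in Q3 is the one functional testing usually skips: a security test must confirm both that the request is refused and that the stored data did not change.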
Availability- Availability is generally proportional to reliability. The more reliable the system is, the more available it is to its users.
Confidentiality- Confidentiality is keeping private information hidden from unauthorised users; it is visible only to those who are allowed to see it.
Integrity- Integrity is the check that lets the receiver determine that the information provided by the sender is correct and has not been altered in transit.
Non-repudiation- Non-repudiation refers to the check that the data sent by the sender has reached its intended destination, and only the party it was intended for. Some hackers may steal confidential data while packets travel to a destination; therefore, to verify that the data reached the correct destination, an acknowledgement is sent by the receiver to the sender.
There is no straightforward process for maintaining security. New technologies are constantly being adopted by hackers; to stay one step ahead of them, an organization needs to maintain the six security concepts described above and follow them religiously. Given the importance of security testing and the techniques that one can leverage, security testing services offer scope for a specialized career in testing. If a tester has the interest and skill in this area, he/she should discuss this with his/her manager to explore the possibility of branching off into this area from the generic functional testing line.