Best Practices For Security Testing For Software
September 2, 2021
Test Automation
By Pratima Mishra

Security testing is a key component of software quality. A program may meet functionality and performance requirements, but that does not guarantee security. In this blog post I will present different security testing methods and provide a few tips for conducting a more secure code review. But first, let’s understand what software security is intended for and what the best practices for security testing for software are.

Table of Contents
1 - The Goal of Software Security
2 - The Impact of Inadequate Software Security
3 - How to Achieve Software Security in the Software Development Lifecycle
4 - Security Testing Approaches & Techniques
5 - Security Code Review Best Practices
6 - Conclusion

The Goal of Software Security

Software security is intended to help the CIA. No, not the CIA you’re thinking of, but rather CIA as in Confidentiality, Integrity and Availability.

According to NIST, this means:
- Confidentiality - preserving authorized restrictions on access and disclosure, including a means for protecting personal privacy and proprietary information.
- Integrity - guarding against improper information modification or destruction, which includes ensuring information nonrepudiation, accuracy, and authenticity.
- Availability - ensuring timely and reliable access to, and use of, information.

The Impact of Inadequate Software Security

Some of the consequences of a lack of security include:
- Damaging the organization’s brand name
- Loss of customer trust
- Negative impact on sales
- Expensive vulnerability remediation cost
- Production impact
- Expenditures to recover from a website crash (reinstalling services, restoring backups, etc.) and downtime
- Fees and legal repercussions

How to Achieve Software Security in the Software Development Lifecycle

A very effective way to achieve secure software is for its development life cycle processes to implement secure development, deployment, and maintenance principles and practices. In the testing process, this means making sure that systems are protected and can function as needed.

Security Testing Approaches & Techniques

Let’s look at three security testing types that cover the software development lifecycle from end to end.

1. Threat Modeling

A threat is a potential source of harm that can exploit a system vulnerability. Threat modeling is a continuous, iterative process of identifying and prioritizing these probable threats and documenting the actions that need to be taken in each case. As a result, threat modeling helps identify and investigate potential threats and vulnerabilities, which assists in finding architecture risks earlier in the development lifecycle.

Threat modeling allows the testing team to be involved in the whole application development process, so as to identify critical bugs and make better security decisions.

The Threat Modelling Process

Let’s see how the threat modelling process works:
- Planning: Defining your application, data flow and the assets involved.
- Identification: Classifying or identifying which types of threats the application is exposed to, like data manipulation or SQL injection.
- Mitigation: Identifying tools and technologies to protect the software from the risks identified above.
- Remediation: Validating the software against the tool and capturing risks. This is a continuous process to identify risk: the tool needs to be run in every iteration of a certified development build.

Some examples of threat modeling tools include:
- OWASP Threat Dragon
- Microsoft Threat Modeling Tool
- Cairis

2. Penetration Testing

A penetration test, also known as a pen test, is a simulated cyber-attack against your software system to check for exploitable vulnerabilities. Penetration testing targets the security weaknesses that enable attackers to gain access to the data. As a result, penetration testing helps in assessing the overall security posture and identifying common vulnerabilities and exposures before the attackers do.

The Pen Test Process

Let’s see how the penetration testing process works:
- Define the scope: Determining the testing methods and the level of exploitation required when trying to find vulnerabilities.
- Exploration / Access Vulnerabilities: Discover all possible vulnerabilities and intrusion points.
- Penetration testing: Test all possible exploitations in order to discover new vulnerabilities. In this stage, the web application is attacked to uncover vulnerabilities and check whether a bad actor is able to access the application and gain in-depth access.
- Risk analysis and mitigation: All the vulnerabilities found during the test should be listed and recommendations should be provided for filling security gaps. Information on which sensitive data was accessed and the duration of the attack should also be provided, so that fixes can be put in place to prevent these attacks in later phases.
- Pen test report: A detailed report of the list of issues along with severities should be shared with the team so that severity 1 issues can be prioritized and fixed.

Types of Penetration Testing:
- Network Service Tests: Evaluating the network system and the services provided for probable security issues. Issues could be on servers, routers, switches, DNS, IPs, etc.
- Web Application Tests: Testing all functionalities and interfaces with all sets of data in web applications.
- Client Side Tests: Various actions performed in client-side application programs like email clients, web browsers, etc. to exploit vulnerabilities.
- Wireless Network Tests: Exploration and identification of wireless networks, vulnerability examination, exploitation, test report, and remediation.
- Social Engineering Tests: Emphasizes people and processes and the vulnerabilities associated with them. This type of test consists of an ethical hacker directing attacks such as phishing, or impersonating a person during the course of their work.

Some examples of penetration testing tools include:
- Nmap
- Nessus
- Wireshark

3. Code Reviews

Code reviews can improve software security by removing common vulnerabilities such as memory leaks, format string exploits and buffer overflows. As a result, code reviews help developers find and fix software vulnerabilities within the development cycle itself. This makes the mitigation process less expensive than correcting code after deployment to production.

Application security code review focuses on high-risk parts of the code. Vital actions in this process include leveraging threat/vulnerability assessment to identify which parts of the code should be manually reviewed and where Static Application Security Testing (SAST) tools need to analyze source code to identify probable security flaws in the application.

Code reviews can be either automated or manual, and should address issues like security risks from open source tools, business logic and QA test layering.

Security Code Review Best Practices

- Sensitive data that is used in the codebase should always be encrypted.
- Ensure unit tests cover input data validation so that attacks like injection and cross-site scripting can be prevented.
- Ensure there are no memory flaws in the code and that safe memory practices are followed. This helps avoid SQL injection and OS command injection.
- Avoid exposing direct object references to files and guard against path traversal.
- Collaborate and share your knowledge with the team about bugs and security issues identified in earlier stages so they can be addressed and avoided.

Some examples of code review tools include:
- GitHub
- Veracode
- Review Board

Conclusion

By incorporating security testing practices into your software development lifecycle, you can help minimize the attack surface. For more information, reach out to your CISO, or your IT and security team.

Related Resources:
- 5 CI/CD Best Practices for Better Code Quality
- Load Testing Best Practices
- Security Testing With JMeter - Learn How
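To make the review items on injection, input validation and path traversal concrete, here is an added Python example; it is not code from the original post or from any of the tools it names. It places a string-spliced SQL query beside its parameterized form, adds an allow-list validator for a user name, and shows a path-confinement check that a reviewer would look for wherever a file name comes from the client. The in-memory SQLite table, the user names, the base directory /srv/app/uploads and the probe string are all constructed for the example.

```python
"""Added example: three checks a security code review looks for.

Constructed data only: an in-memory SQLite table, sample users,
a made-up upload directory and a made-up probe string.
"""
import os
import re
import sqlite3

# Constructed values used throughout the example.
BASE_DIR = "/srv/app/uploads"          # assumed upload root, does not need to exist
PROBE = "' OR '1'='1"                  # classic injection probe, used only to show the difference


def make_db() -> sqlite3.Connection:
    """Build the constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Review finding: the caller's string is spliced into the SQL text,
    so quotes in the input change the query's meaning."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: a bound parameter keeps the input out of the SQL grammar,
    so the same probe string simply matches no row."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Allow-list validation: lowercase letters, digits and underscore, 3 to 32 chars,
# starting with a letter. Anything else is rejected before it reaches a query.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(name: str) -> bool:
    """True only when the whole string matches the allow-list pattern."""
    return USERNAME_RE.fullmatch(name) is not None


def is_confined(base_dir: str, user_path: str) -> bool:
    """True when user_path, resolved under base_dir, still lies inside base_dir.
    realpath() collapses '..' and symlinks; commonpath() avoids the
    '/srv/app/uploads' vs '/srv/app/uploads-old' string-prefix mistake."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    return os.path.commonpath([base, target]) == base


def safe_join(base_dir: str, user_path: str) -> str:
    """Return the resolved path, or raise ValueError if it escapes base_dir."""
    if not is_confined(base_dir, user_path):
        raise ValueError(f"path {user_path!r} escapes {base_dir!r}")
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), user_path))


if __name__ == "__main__":
    conn = make_db()
    print("unsafe query rows:", find_user_unsafe(conn, PROBE))   # every row comes back
    print("safe query rows:  ", find_user_safe(conn, PROBE))     # no row matches
    print("probe passes validation:", validate_username(PROBE))  # False
    print("confined:", safe_join(BASE_DIR, "reports/q1.txt"))
    print("escapes: ", is_confined(BASE_DIR, "../../secrets.txt"))
```

Run it as a script to see the two query results side by side. In a review, the unsafe form is what to flag; the hardened form, the validator and `is_confined` are the shapes to ask for, and each of them is small enough to be covered by the unit tests the list above calls for.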
Pratima Mishra
Senior Software Engineer, CA Technologies

Pratima Mishra is a software test professional with 10+ years of rich and comprehensive experience in test automation with Selenium WebDriver and a BDD framework on Cucumber using Java, software testing, quality assurance and agile methodologies. Pratima is passionate about designing and implementing automation solutions for software testing and business processes.