Until a few years ago, security testing was seen as something separate from QA; something that an InfoSec team would take care of. But massive data breaches have demonstrated that security is everyone’s responsibility, from CEOs to product owners, from DBAs to developers, and yes, to software testers. Testers already verify that software is working as it should so that users will have a good user experience; it is now time for them to help verify that software is secure, so that users’ data will be protected.
The great news is that much of what you already do as a software tester helps with security testing! In this post, I will outline the ways that testers can use the skills they already have to start testing with security in mind, and I will discuss the new skills that testers can learn to help secure their applications.
Things you are probably already testing:
- Field Validation: It’s important to make sure that fields only accept the data types they are expecting, and that the number and type of characters is enforced. This helps ensure that SQL injection and cross-site scripting can’t be entered through a data field.
- Authentication: Everyone knows that it’s important to test the login page of an application. You are probably already testing to make sure that when login fails, the UI doesn’t provide any hints as to whether the username or password failed, and testing to make sure that the password isn’t saved after logout or displayed in clear text. This serves to make it more difficult for a malicious user to figure out how to log in.
- Authorization: You are already paying attention to which user roles have access to which pages. By verifying that only authorized users can view specific pages, you are helping to ensure that data does not fall into the wrong hands.
- Intercepting and Manipulating Requests: It is easy to intercept web requests with free tools that are available to everyone online. If attackers are doing this (and they are), then it is important for you to ensure that they can’t get access to information that they shouldn’t have.
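The field-validation and authentication checks above are the easiest to turn into repeatable tests. The following Python is an added example, not code from the original post: it builds a minimal, constructed allow-list validator and login handler of the kind a tester would expect the application under test to have, and the checks at the bottom are the assertions a tester would make against them (a script-tag string and an over-long value must be rejected; the failure message must be identical whether the username or the password was wrong). The field rules, the user store and the salt are all constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed allow-list rules: each field accepts only the shape it expects.
# A regex allow-list is checked before any other processing, so unexpected
# characters (angle brackets, quotes, semicolons) never reach the back end.
FIELD_RULES = {
    "username": {"pattern": r"^[A-Za-z0-9_]{3,20}$"},
    "zip_code": {"pattern": r"^\d{5}$"},
    "age": {"pattern": r"^\d{1,3}$", "max": 130},
}


def validate_field(name, value):
    """Return True only if `value` matches the allow-list for field `name`."""
    rule = FIELD_RULES[name]
    if not isinstance(value, str) or not re.fullmatch(rule["pattern"], value):
        return False
    if "max" in rule and int(value) > rule["max"]:
        return False
    return True


# Constructed user store: passwords are stored as PBKDF2 hashes, never in clear text.
_SALT = b"constructed-salt-for-demo-only"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct-horse")}

# One generic message for every failure, so the UI gives no hint about
# which of the two credentials was wrong.
GENERIC_ERROR = "Invalid username or password."


def login(username, password):
    """Return (ok, message). Both failure paths do the same work and say the same thing."""
    stored = USERS.get(username)
    candidate = _hash(password)
    # hmac.compare_digest avoids a timing difference between a near-miss and a miss
    if stored is not None and hmac.compare_digest(stored, candidate):
        return True, "Welcome"
    return False, GENERIC_ERROR


def run_tester_checks():
    """The checks a tester would make; returns a dict of check name -> passed."""
    results = {
        "script tag rejected": not validate_field("username", "<script>x</script>"),
        "quote rejected": not validate_field("username", "a' OR 'b"),
        "length enforced": not validate_field("username", "x" * 21),
        "type enforced": not validate_field("zip_code", "1234a"),
        "range enforced": not validate_field("age", "200"),
        "valid input accepted": validate_field("username", "alice_01"),
        "good login works": login("alice", "correct-horse")[0],
        "same error for unknown user and wrong password":
            login("nobody", "x")[1] == login("alice", "x")[1],
        "password not echoed in message": "x" not in login("alice", "x")[1],
    }
    return results


if __name__ == "__main__":
    for check, passed in run_tester_checks().items():
        print(("PASS " if passed else "FAIL ") + check)
```

The point of `run_tester_checks` is that each entry is a test case you could copy into your own suite against the real login page and form fields; only the two helpers it calls are stand-ins for the application.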
- Cross-site Scripting (XSS): This involves entering scripted code that will be executed when someone navigates to a page or retrieves data. Any text field on a page, even any URL, represents a potential attack point for a malicious user to insert a script.
- SQL Injection: This means exploiting potential security holes in communication with the database in order to retrieve more information than the application intended. As with cross-site scripting, any text field or URL has the potential to be used to extract data.
- Session Hijacking: It’s important to learn whether usernames, passwords, tokens, or other sensitive information are displayed in clear text or poorly encrypted. Malicious users can take this information and use it to log in as someone else.
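To see what the cross-site scripting and SQL injection items look like as concrete pass/fail checks, here is an added Python example (not code from the original post) that builds a constructed in-memory SQLite table, places a query built by string concatenation beside its parameterized form, and shows the tester's check: a probe value that matches no real name must return zero rows, and rendered user text must not contain a live script tag. The table contents, the probe strings and the `render_comment` helper are all constructed for the demo.

```python
import html
import sqlite3


def _make_db():
    """Constructed sample table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def search_vulnerable(conn, name):
    # The input is pasted into the SQL text, so quotes in it change the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, name):
    # A bound parameter is always treated as data, never as SQL.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# The well-known probe a tester types into a search field: it is not a real name,
# so a correct search must return nothing for it.
SQLI_PROBE = "' OR '1'='1"


def sqli_row_count(search):
    """Tester's check: how many rows does `search` return for the probe? Expected: 0."""
    conn = _make_db()
    return len(search(conn, SQLI_PROBE))


def render_comment(text):
    # Output encoding: every user-supplied character that has meaning in HTML is escaped.
    return "<p>" + html.escape(text, quote=True) + "</p>"


XSS_PROBE = "<script>probe</script>"


def xss_escaped(render):
    """Tester's check: the rendered page must not contain the probe as a live tag."""
    out = render(XSS_PROBE)
    return "<script" not in out and "&lt;script&gt;" in out


if __name__ == "__main__":
    print("concatenated query rows for probe:", sqli_row_count(search_vulnerable))  # 3, FAIL
    print("parameterized query rows for probe:", sqli_row_count(search_safe))       # 0, PASS
    print("comment rendering escapes script tag:", xss_escaped(render_comment))     # True, PASS
```

The concatenated query returns every row for the probe because the quote closes the string and the `OR '1'='1'` is always true; the parameterized query returns none because the whole probe is compared as a literal name. The same probe, typed into a real search field or URL parameter, gives you the same pass/fail signal from the application's response.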
Awesome read, thank you so much for writing this up. I am not involved in any security testing so far, but now I understand it is my responsibility too and I will make this part of our release testing process for our web app. Good one for anyone who wants to start with security testing. Kudos Kristin.
Thanks so much, Musaffir!
Pretty article! I found some useful information in your blog; it was awesome to read. Thanks for sharing this great content, keep sharing.
With the increased cyber attacks, companies have started focusing on performing security testing of their software application and products. Penetration testing is one of the most common and widely used techniques to identify vulnerable areas of the system.