Software Security Testing Model - ocawley/ittsqa04 GitHub Wiki

Definition of Software Security Testing

Security testing is a type of software testing carried out to check whether an application or product is secure. [1] Software security testing is used to make sure that a piece of software is protected against possible security threats and issues, so that the application or product keeps functioning properly even under malicious attack. [1]

Aims of Software Security Testing

  • Ensure that data is protected from disclosure to anyone other than the intended recipient.
  • Ensure that unauthorised access to data is not possible.
  • Ensure that information and communication services are available when expected.

The six basic security concepts that need to be covered by security testing are:

  • Confidentiality - a measure whose purpose is to protect data from being disclosed to anyone other than the intended recipient.
  • Integrity - allows the receiver to determine that the information is correct and has not been altered.
  • Authentication - verification of identity and of data.
  • Availability - ensures that information is available to authorized persons when required.
  • Authorization - ensures that the user is allowed to perform an operation or to request data.
  • Non-repudiation - provides evidence of who exactly sent a message and who received it. [2]
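As an added illustration (example code written for this page, not the wiki's own), the following Python sketch turns four of the six concepts into executable checks against a constructed in-memory service; the user names, passwords, roles and documents are all made up. Availability and non-repudiation are left out because they need a running service and signature keys respectively.

```python
import hashlib, hmac, os

SECRET = os.urandom(16)  # constructed server-side key for tagging stored records
# Credentials are kept as salted PBKDF2 hashes, never in clear text.
def pw_hash(p): return hashlib.pbkdf2_hmac("sha256", p.encode(), b"salt", 10000)
USERS = {"alice": (pw_hash("pw-a"), "admin"), "bob": (pw_hash("pw-b"), "viewer")}
DOCS = {"alice": "alice's private note", "bob": "bob's note"}

def tag(owner, text):
    # Integrity tag over owner and content; changing either invalidates it.
    return hmac.new(SECRET, f"{owner}:{text}".encode(), hashlib.sha256).digest()

RECORDS = {owner: (text, tag(owner, text)) for owner, text in DOCS.items()}

def login(user, password):
    # Authentication: a session (here just the user name) only on a valid password.
    creds = USERS.get(user)
    return user if creds and hmac.compare_digest(creds[0], pw_hash(password)) else None

def read_doc(session, owner):
    # Confidentiality: only the owner may read. Integrity: the tag must verify.
    if session != owner:
        raise PermissionError("not your document")
    text, mac = RECORDS[owner]
    if not hmac.compare_digest(mac, tag(owner, text)):
        raise ValueError("record tampered")
    return text

def delete_doc(session, owner):
    # Authorization: only the admin role may delete.
    if session is None or USERS[session][1] != "admin":
        raise PermissionError("admin only")
    RECORDS.pop(owner)

def raises(exc, fn, *args):
    # True if the call is refused with exc, i.e. the control held.
    try:
        fn(*args)
    except exc:
        return True
    return False

def security_checks():
    # One check per concept; any False value is a finding for the report.
    bob = login("bob", "pw-b")
    RECORDS["bob"] = ("bob's note, altered", RECORDS["bob"][1])  # simulate tampering
    return {"authentication": login("alice", "wrong") is None,
            "confidentiality": raises(PermissionError, read_doc, bob, "alice"),
            "authorization": raises(PermissionError, delete_doc, bob, "alice"),
            "integrity": raises(ValueError, read_doc, bob, "bob")}
```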

Security Testing Procedure (Model)

  1. Discover systems and services which may be affected by security issues
  2. Search for security vulnerabilities in the systems and services discovered in the previous step. This is usually done with automated tools, which also set the risk level automatically.
  3. Assess discovered vulnerabilities by checking logs, error messages, system responses, codes, etc.
  4. Run a penetration test, which is essentially a simulation of a malicious attack. The purpose of this test is to gain deep unauthorized access to the system by exploiting known vulnerabilities.
  5. Produce a report based on the results of the previous steps, the most important of which is the penetration test.

References

  1. http://istqbexamcertification.com/what-is-security-testing-in-software
  2. http://en.wikipedia.org/wiki/Security_testing