Software testers are sometimes unable to cope with the verification of security requirements because of their very technical nature. In this post, I will give you some guidance and orientation that you can use right away in your application security testing activities.
Step 1 – Static Application Security Tests
First of all, make sure that static application security testing or a secure code review against security standards such as the OWASP Top 10, the SANS Top 25 or PCI DSS is conducted. Bear in mind that vulnerabilities have to be eliminated at the root, which is the source code. You can do a manual code review or, even better, an automated analysis using professional or freeware tools. Also, verify the security risks of the open-source libraries your application under test depends on, since a vulnerable dependency is as exploitable as a vulnerability in your own code.
Step 2 – Dynamic Application Security Tests
Secondly, there are also security risks related to the surrounding application infrastructure. The application server, operating system, and additional runtime libraries can lead to serious hazards. Such so-called dynamic application security tests are always tool-based: they baseline your runtime environment against known security issues, such as missing patches and insecure default configurations. Typically, such application scans or penetration tests should be executed during system or user acceptance testing, when the application runs in an environment that resembles production.
Step 3 – Business Security Tests
Lastly, your testing activities should also include so-called business security tests, which focus on sensitive areas such as authentication, authorization, and session management. I also recommend paying close attention to the login procedures and permission management of the applications under test. Conduct positive and negative tests for these critical areas: a positive test confirms that a legitimate user can do what the requirement allows, a negative test confirms that an illegitimate request (wrong credentials, another user's data, an expired session) is refused.
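As an added illustration of what such positive and negative business security tests look like (this is not code from the original post), here is a Python test routine run against a constructed, hypothetical in-memory login and document-authorization module; every positive case must succeed and every negative case must be refused.

```python
import hmac
import secrets
import time

# Constructed, in-memory stand-in for the application under test (hypothetical).
# Plaintext passwords only keep the toy small; a real system stores hashes.
USERS = {"alice": "s3cret-a", "bob": "s3cret-b"}
DOCUMENTS = {"doc-1": "alice", "doc-2": "bob"}  # document id -> owner
SESSION_TTL = 600                               # seconds
SESSIONS = {}                                   # token -> (username, issued_at)

def login(username, password):
    """Return a fresh session token on success, None on any failure."""
    expected = USERS.get(username, "")
    # Constant-time compare; unknown user and wrong password fail identically.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, time.time())
    return token

def current_user(token, now=None):
    """Resolve a token to its user; unknown or expired tokens yield None."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, issued = entry
    now = time.time() if now is None else now
    if now - issued > SESSION_TTL:
        SESSIONS.pop(token)  # expired session is invalidated
        return None
    return username

def read_document(token, doc_id, now=None):
    """Authorization: only the document's owner may read it."""
    user = current_user(token, now)
    if user is None or DOCUMENTS.get(doc_id) != user:
        return None
    return "contents of " + doc_id

def run_business_security_tests():
    """Positive and negative checks for authentication, authorization, sessions."""
    r, t = {}, login("alice", "s3cret-a")
    r["auth_valid_login"] = t is not None                                  # positive
    r["auth_wrong_password"] = login("alice", "wrong") is None             # negative
    r["auth_unknown_user"] = login("mallory", "x") is None                 # negative
    r["authz_owner_reads"] = read_document(t, "doc-1") is not None         # positive
    r["authz_cross_user_denied"] = read_document(t, "doc-2") is None       # negative
    r["authz_no_session_denied"] = read_document("not-a-token", "doc-1") is None
    r["session_expiry_enforced"] = read_document(t, "doc-1", now=time.time() + SESSION_TTL + 1) is None
    return r
```

Each key of the returned dictionary names one requirement, so a failing case points directly at the control that is missing.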
All things considered, a robust security testing approach combines early secure code reviews with dynamic and business security tests. Keep up the good work, and please share your own security testing experience and strategy with me.