It is a type of software testing that checks whether the application or product is secure or not.
Or
Security testing is performed to check whether there is any information leakage.
Or
The goal of security testing is to identify the threats to the system and measure the security risk.
Or
Check for loopholes, weaknesses, and vulnerabilities in the web application.
Or
Ensure that the application is free from any loopholes or weaknesses.
Types of Security Testing
Vulnerability scanning:- This is done by automated software that scans a system for known weaknesses.
Security scanning:- Identifies network and system weaknesses and also provides solutions for reducing the risk.
Penetration Testing:- Also known as a pen test. A simulated malicious attack on the loopholes or weaknesses of the system.
Risk Assessment:- Checks whether a potential risk is high or low. Analyzes and evaluates the risk together with the particular threats.
Security Auditing:- Inspection of the code line by line. It is a manual, measurable review technique for a system or application.
Ethical hacking:- A systematic attempt to penetrate or exploit a computer system or network on behalf of its owner.
Procedure of web application security testing:-
1. Define the scope of the application
2. Check static and dynamic pages
3. Identify all the login roles of the application
4. Gather information about the application
5. Build a profile of the threats or security-related test data
6. Select security-related tools
7. Test according to the threat profile
8. Scan the application according to the threat profile
9. Report creation
10. Report submission
Approaches of web application security testing
· Passive Approach- Actions taken to monitor the security of the application
  · Understand the logic of the application
  · Information gathering
  · Understand all the login roles of the application
· Active Approach- Covers all actions designed to prevent a breach
  · Configuration Management Testing
    · Testing for file extensions that are needed and for those that should not be served
    · Test file names without script tags
    · Test that old, backup, and temporary files are not left behind
    · Testing for HTTP methods
  · Testing for the business logic of the application
  · Testing for XSS (cross-site scripting)
  · Testing for SQL injection
  · Authentication Testing
    · Credentials transported over an encrypted channel
    · Testing that repeated false login credentials lead to account lockout
    · Brute force testing
    · Testing for bypassing the authorization schema
  · Session Management Testing
    · Test all headers that mitigate XSS and CSRF
    · Testing for cookie attributes- HttpOnly, Secure, and time validity
    · Testing for CSRF (cross-site request forgery)
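The session-management checks above (cookie attributes and the headers that mitigate XSS and CSRF) can be automated against a captured HTTP response. The script below is an added example, not code from the original page; the response headers it inspects are constructed, and the list of required headers is an assumption for illustration.

```python
# Added example: review Set-Cookie attributes and anti-XSS/CSRF response headers
# from a captured HTTP response. SAMPLE_HEADERS is constructed, not from a real site.
from typing import List, Tuple

# Constructed response headers; a real check would take them from an HTTP client.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=1800"),
    ("Set-Cookie", "tracking=xyz; Path=/"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
]

# Assumed minimum set of defensive headers to look for (illustrative, not exhaustive).
REQUIRED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options", "X-Frame-Options")


def check_cookie(value: str) -> List[str]:
    """Return findings for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; key on the lower-cased name.
    attrs = {p.split("=", 1)[0].lower(): p for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (cookie readable by script, XSS exposure)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie may be sent over plain HTTP)")
    if "samesite" not in attrs:
        findings.append(f"{name}: missing SameSite (weaker CSRF protection)")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append(f"{name}: no Max-Age/Expires (validity period not bounded)")
    return findings


def check_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return all findings for a response: missing defensive headers plus cookie issues."""
    findings = []
    present = {k.lower() for k, _ in headers}
    for h in REQUIRED_HEADERS:
        if h.lower() not in present:
            findings.append(f"missing response header {h}")
    for k, v in headers:
        if k.lower() == "set-cookie":
            findings.extend(check_cookie(v))
    return findings


if __name__ == "__main__":
    for line in check_headers(SAMPLE_HEADERS):
        print(line)
```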