This is a guest posting by Michael Solomon PhD CISSP PMP CISM.
Companies large and small need comprehensive software security testing, but there is a lot of confusion about what that actually means. How do organizations go about conducting software security tests? What types of test should you run? And how do you know if you’ve done enough?
The Open Source Security Testing Methodology Manual is a great resource that explains what security testing is all about. The OSSTMM covers far more scope than just testing software, and it should be in any security tester’s library.
There are many types of security tests. Knowing when to conduct each type of security test (and when not to) can make your application more secure and reduce the resources spent to get there. In this article we’ll look at five main types of security test and recommend when to use them most effectively.
Get TestRail FREE for 30 days!
Types of Software Security Tests
Because we’re focusing on software security testing, let’s align test recommendations with the phases of the software development lifecycle (SDLC):
- Planning: The project management activities that help organize software development tasks
Requirements and analysis: The process of collecting business requirements and translating them into technical requirements
- Design and prototyping: This phase consists of defining the way technical requirements will be implemented, producing software specifications
- Coding and development: Application developers write code to implement the specifications created in the previous phase
- Testing: Once the development phase produces software that can be executed, this phase consists of running specified tests to ensure the software satisfies the specifications
- Deployment: Once software passes the testing phase, the software is placed on production platforms and made available to users
- Maintenance: This final phase includes monitoring and updating configuration settings to optimize the software’s usability and responding to any identified weaknesses in the software
Integrating security into software has to start at the very beginning of the SDLC process.
In the past, software development organizations attempted to defer security implementation until the deployment phase. The thought was that forcing security into the process too early would waste time and resources. But they were wrong. Designing security into software from the very beginning is far more efficient than trying to add it later.
Corresponding with the phases of the SDLC, here are five types of security tests every initiative should include:
- Risk assessment: A structured analysis of known vulnerabilities, risks, threats, and probabilities of threats being realized. All of the information collected allows assessors to rank threats and determine which require the most attention
- Security auditing: The process of comparing observed artifacts with policies or requirements. In the context of software development, this often includes reviewing source code for compliance with development standards
- Vulnerability scanning: A series of tests to determine if any known vulnerabilities are present in the tested environment. Many vulnerability scans are automated and can identify the presence of a wide variety of vulnerabilities in software or the environment in which software operates
- Security scanning: While this appears to be similar to vulnerability scanning, security scanning expands the scope of tests to include all aspects of a computing environment that supports application software, including network and physical computing components
- Penetration testing: Activities in which security professionals attempt to “break into” software to identify existing vulnerabilities. This type of testing is also called “ethical hacking”
Each type of security test exercises a different aspect of your software environment. These tests sometimes overlap one another, but they work well together to identify security gaps at multiple levels — none of them can provide complete protection by itself.
Choosing the Right Software Security Test
While there is no wrong time to run software security tests, you will get the best results by conducting security tests that map to your current phase in the SDLC. As many software development organizations use agile or another rapid development methodology, development phases may not be very clear.
Here is how the five types of tests outlined above map to SDLC phases:
|Software Security Test||SDLC Phase(s)||Comments|
|Risk assessment||Planning, Requirements, Design||Conduct a risk assessment as early as possible. You must have an idea of the risks you are facing in order to do a good job of producing software that is resistant to the most important risks.|
|Security auditing||Coding, Unit Testing||As you write components of an application, one of the best ways to ensure security is to adhere to secure coding standards. Code audits can help reveal gaps and violations of coding standards.|
|Vulnerability scanning||Integration Testing, System Testing||Once you have a working application, you can see how well it resists known vulnerabilities — before your users start using it.|
|Security scanning||Deployment||After deploying software, it is important to step back and assess the overall security of the entire environment.|
|Penetration testing||Maintenance||Regardless of how aggressively you pursue secure software, some vulnerabilities don’t materialize until software is in a live environment. A skilled penetration tester can often find ways to compromise software that are difficult to foresee prior to deployment.|
Knowing your environment and development methods may result in conducting tests in a different order. For example, you may need to run a vulnerability assessment initially to provide input to your risk assessment. That’s fine. Your testing regimen should fit your organization.
The point is to make your software more secure, not to just say that you ran security tests. Every test should provide results that you can use. If it doesn’t, your time would be better invested doing something else.
Plan for Security
The main takeaway is that security testing for software is far more than just checking authentication in unit testing. While testing security during unit testing is important, it is only one small part of testing security in a software development project.
Plan ahead and build security testing into every software development project early in the process. You’ll end up saving time and money, and you will produce software with fewer security vulnerabilities.
Article written by Michael Solomon PhD CISSP PMP CISM, Professor of Information Systems Security and Information Technology at University of the Cumberlands.
Test Automation – Anywhere, Anytime