Welcome to the second part in our series about non-functional testing! This series kicked off as a result of the big problems surrounding Taylor Swift’s Eras tour ticket sales. Our contention is that it’s not a simple matter of Performance & Load Testing, but also the confluence of Performance, Security, and Chaos Testing that needs to be part of your strategic test plan.
The last article covered the importance of Performance Testing to stabilize your platform and give you “maximum 9s”. This time, we’re going to talk about the next topic: Security Testing!
In 2022 there were 1,802 data compromises in total, affecting 422 million people. The biggest was Twitter, where 220 million email addresses were leaked as a result of an API vulnerability. Even one of the most popular technology companies in the industry was vulnerable to an attack that could potentially have been avoided.
But if nothing financial was stolen, is it really so bad? Despite there being no direct financial loss, the reputational damage was huge – would you want to register your personal information with a company that had just leaked all of it to the public? And would you want to keep your account with them if you were already registered? Probably not.
One of the most effective ways to ensure software security is through the implementation of security testing: the process of evaluating the security of a software system or application by identifying potential vulnerabilities. It involves a variety of techniques and tools, including penetration testing, vulnerability scanning, and code analysis.
In this article, we will explore the importance of implementing security testing, including the benefits it provides, and best practices for ensuring its effectiveness.
Application Security Testing (AST) aims to identify various security issues and flaws, such as insecure data, authentication weaknesses, and exposure of the inner workings of an application. We can use a range of tools and techniques to perform AST, such as penetration testing, dynamic and static analysis, and code inspections. The purpose of any applied strategy is to ensure the application is safe from potential threats and that sensitive data is protected.
Identifies vulnerabilities: Preemptively identify vulnerabilities and weaknesses in a system before they can be exploited by attackers. This allows organizations to take proactive steps and reduce the risk of a successful attack. This should be carried out as early as possible in the development lifecycle and be followed by security gates as you get closer to production.
Ensures compliance: Often required to ensure compliance with regulations and standards. Failure to comply with these regulations can result in fines, legal action, and damage to reputation. This is becoming more and more common, as applications and development processes must evidence adherence to quality standards and quality gates, before going to a production environment.
Protects sensitive data: Helps to protect sensitive data, such as personal information, financial records, and intellectual property. A breach of this data can result in significant damage to an organization's reputation and financial stability. Most organizations follow a zero-trust principle, in which we assume every request could be a potential breach and we always verify it.
Start with a risk assessment: Before conducting security testing, it's important to assess the risks associated with the system being tested. This will help to identify the areas of the system that require the most attention and ensure that testing efforts are focused on the most critical areas.
Use a variety of testing methods: Effective security testing should use a variety of testing methods, including automated scanning tools, manual penetration testing, and code reviews. Each method has its own strengths and weaknesses and using a variety of methods can help to identify a broader range of vulnerabilities.
Test early and often: Security testing should be conducted as early as possible in the development process and repeated throughout the stages that follow. This will help to identify vulnerabilities earlier, when they are less expensive to fix, and reduce the risk of vulnerabilities being introduced into the system later in the development process.
Incorporate security into the development process: Effective security testing is not just about testing the system after it has been developed. It should be incorporated into the development process from the beginning. This includes using secure coding practices, conducting regular code reviews, and implementing security testing as part of the continuous integration and delivery process.
Document and prioritize vulnerabilities: When vulnerabilities are identified, they should be documented and prioritized based on their severity and likelihood of exploitation. This will help to ensure that vulnerabilities are addressed in a timely and effective manner. What you don’t want is to identify a bunch of potential vulnerabilities only for them to end up at the bottom of the backlog.
Test in production-like environments: Testing should be conducted in environments that closely resemble the production environment. This will help to identify vulnerabilities that may not be detected in a test environment. It should also reduce the chance of false positives and lead to more accurate analysis.
Static Application Security Testing (SAST) is a technique that analyzes source code and identifies security vulnerabilities. It can be used early in the development process to identify potential vulnerabilities and reduce the risk of introducing vulnerabilities into the code.
The Sonar product offerings are a good example of how we can use SAST: they can run at all stages of the software development lifecycle and highlight issues in reliability, security, maintainability and test coverage.
SonarLint is an extension that can be installed in most code editors and will highlight potential issues as the code is written. SonarCloud can be used as part of your build, code review and quality gate process; it will analyze each commit and provide confidence that vulnerable code cannot make its way to production.
Dynamic Application Security Testing (DAST) is a technique that tests a running application by sending a variety of inputs and analyzing the responses. It can be used to identify vulnerabilities that may not be detectable through static analysis and to test the effectiveness of security controls.
OWASP is one of the most recognized organizations dedicated to application security, and OWASP ZAP is one of the most popular DAST tools. The top ten security risks are regularly reviewed and updated; below is the list for 2023. The scanning tools can be run in many ways – through the desktop application, the CLI executable or Docker packaged images.
Penetration testing is a manual technique that attempts to exploit vulnerabilities in a system to identify potential security weaknesses. It can provide a comprehensive assessment of the security posture of an application or network.
OWASP ZAP can also be used for penetration testing, using manual and automated exploration. It has various scan types that can find some of the basic vulnerabilities.
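As an added example (not the post's own code, nor ZAP's), here is a small quality gate that reads a ZAP JSON report, orders the findings by severity as the "document and prioritize" practice above recommends, and fails the build on anything at Medium or above unless its plugin id is on a documented risk-acceptance list. It assumes the traditional JSON layout that `zap-baseline.py -J report.json` writes; the embedded report is constructed sample data, not real scan output.

```python
import json
from collections import Counter

# Constructed sample in the shape of ZAP's traditional JSON report, as written by
# `zap-baseline.py -J report.json`; the host and findings are made up, not scan output.
SAMPLE_REPORT = json.dumps({"@version": "2.14.0", "site": [{
    "@name": "https://staging.example.test",
    "alerts": [
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
         "riskcode": "2", "confidence": "3", "cweid": "693",
         "instances": [{"uri": "https://staging.example.test/"},
                       {"uri": "https://staging.example.test/login"}]},
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
         "riskcode": "3", "confidence": "2", "cweid": "79",
         "instances": [{"uri": "https://staging.example.test/search?q=test"}]},
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
         "riskcode": "1", "confidence": "2", "cweid": "693",
         "instances": [{"uri": "https://staging.example.test/"}]},
    ]}]})

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

def load_alerts(report_text):
    """Flatten a ZAP JSON report into one record per alert, ordered by severity."""
    report = json.loads(report_text)
    alerts = []
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name"), "plugin": a["pluginid"], "name": a["alert"],
                "risk": int(a["riskcode"]),  # 0..3, see RISK_NAMES
                "confidence": int(a.get("confidence", 0)), "cwe": a.get("cweid"),
                "instances": len(a.get("instances", [])),
            })
    # Highest risk first, then most affected URLs, so the backlog is ordered by severity.
    return sorted(alerts, key=lambda x: (-x["risk"], -x["instances"]))

def quality_gate(alerts, fail_at=2, accepted=frozenset()):
    """Return (passed, failing). Fails on any alert at or above `fail_at` (default Medium)
    whose plugin id is not in `accepted`, the team's documented risk-acceptance list."""
    failing = [a for a in alerts if a["risk"] >= fail_at and a["plugin"] not in accepted]
    return (not failing, failing)

def summarize(alerts):
    """Count alerts per risk level for the build log."""
    counts = Counter(RISK_NAMES[a["risk"]] for a in alerts)
    return {name: counts.get(name, 0) for name in RISK_NAMES.values()}

if __name__ == "__main__":
    found = load_alerts(SAMPLE_REPORT)
    ok, failing = quality_gate(found, accepted={"10038"})  # CSP finding accepted for now
    print(summarize(found), "GATE PASSED" if ok else "GATE FAILED: " + str([f["name"] for f in failing]))
```

Run it as the last step of the DAST job and return a non-zero exit code when the gate fails, so the pipeline blocks promotion the same way a SonarCloud quality gate does.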
Code review involves manually analyzing code to identify potential vulnerabilities. It can be used to identify vulnerabilities that may not be detectable through automated testing and to ensure that secure coding practices are being followed.
Having discussions and reviews of code is always advised, as you may have missed something or there may be a way to make the code more efficient and secure. In addition, you can use tools like SonarCloud to automatically comment on and analyze your pull request changes.
The importance of implementing security testing for software applications cannot be overstated. With the increasing number of threats and data breaches, it has become crucial for organizations to ensure that their software applications are secure and protected against potential vulnerabilities.
Security testing helps to identify and address security risks before they can be exploited, protecting sensitive data and maintaining the integrity of the software. By incorporating security testing into the software development life cycle, organizations can ensure that their applications meet the highest standards of security and are better equipped to withstand potential attacks.
Security testing is an essential component of any comprehensive software development strategy, and should be treated with the same attention as any other testing type.
Gary Parker is currently working as a Senior QA Architect, responsible for QA architecture, tooling, frameworks, and processes, specializing in front-end web and mobile technologies. He has almost 10 years of experience in the QA industry across many different domains, products, and environments. He enjoys writing technical blogs as a way to keep up to date with the industry and ensure a deeper understanding of the topics at hand. You can also follow him on Twitter.