Quality Testing

Quality is delighting customers

I was joined recently in security testing team in my company. But i am new in this ?

Can you guys please help me....

Views: 353

Reply to This

Replies to This Discussion

Hi Ravinder!
I do not know your level of knowledge regarding security testing. This makes difficult for anyone to start with.
However it is assumed that it is advisable to start from groundlevel.

Security Testing is the process to determine that an IS (Information System) protects data and maintains functionality as intended.The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, authorisation, availability and non-repudiation.
The most basic premise behind functional testing is that it is meant to validate that the software you are testing fulfills its requirements and it functions as intended.There are usually some basic security tests included in functional testing, typically around items such as passwords and permissions, and whatever login or authentication method is in use.

The Internet has brought about many changes in the way organizations and individuals conduct business, and it would be difficult to operate effectively without the added efficiency and communications brought about by the Internet. At the same time, the Internet has brought about problems as the result of intruder attacks, both manual and automated, which can cost many organizations excessive amounts of money in damages and lost efficiency. Thus, organizations need to find methods for achieving their mission goals in using the Internet and at the same time keeping their Internet sites secure from attack.

**Make network security testing a routine and integral part of the system and network operations and administration.
**Test the most important systems first.
**Use caution when testing.
**Ensure that security policy accurately reflects the organization’s needs.
**Integrate security testing into the risk management process.
**Ensure that systems are kept up-to-date with patches.
**Look at the big picture.
**Understand the capabilities and limitations of vulnerability testing.
** Ensure that systems are kept up-to-date with patches
**Test the most important systems first
**Ensure that system and network administrators are trained and capable
**Integrate security testing into the risk management process
**Make network security testing a routine and integral part of the system and network operations
and administration
_____ JAY ________
1. Process to determine that an Information System protects data and maintains functionality as intended.
2. The security testing is performed to check whether there is any information leakage in the sense by encrypting the application or using wide range of sofware's
and hardware's and firewall etc.
It is a process used to look out whether the security features of a system are implemented as designed and also whether they are adequate for a proposed application environment. This process involves functional testing, penetration testing and verification.

With GFI's free web utility EndPointScan you can scan your network and know within minutes what devices are or have been connected to computers in your network and by whom. Once a scan is completed, GFI EndPointScan will display scan results in a graphical report. The report includes device usage, device threat level and computer risk level.

Scan your system for trojans using this free online trojan scanner. Anti trojan software will allow you to scan and stop trojans from entering your network. A trojan remover is a vital addition to your network security toolbox, allowing you to clean a trojan virus which has already been installed in your system.

Email Security Test
Are you sure your Anti Virus solution is enough? Check whether your email system is vulnerable to email viruses, worms and other threats such as emails with potentially harmful attachments with VBS and CLSID extensions, emails with malformed MIME headers, HTML mails with embedded scripts and more. Includes Outlook and ActiveX vulnerability tests.

Check for high security events happening on your machine, such as users logging on to your machine, accesses to important files on your machine, failed logon attempts, security policy changes to your machine, and more! Use EventLogScan to check that your system is truly secure!

Cross Site Scripting scan
Many businesses have fallen prey to Cross Site Scripting (XSS), as it is one of the most common yet underestimated of web attacks. Acunetix WVS Free Edition allows you to scan your website for XSS vulnerabilities, revealing all the essential information related to it, such as the vulnerability location and remediation techniques.
_______ JAY ________
Hello Members!
Following are some seurity related terms and their definitions which can be useful to security testing personnel as well as general users of computers:::::::::::::::::::
**Malware: Malware is a generic term used to describe malicious software such as viruses, Trojan horses, spyware, and malicious active content.
** Virus: A virus is a manmade program or piece of code that causes an unexpected, usually negative, event. Viruses are often disguised games or images with clever marketing titles such as "Me, nude."
** Worm: Computer Worms are viruses that reside in the active memory of a computer and duplicate themselves. They may send copies of themselves to other computers, such as through email or Internet Relay Chat (IRC).
** Trojan Horse: A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive.
**Cluster virus: Cluster viruses modify the directory table entries so the virus starts before any other program. The virus code only exists in one location, but running any program runs the virus as well. Because they modify the directory, cluster viruses may appear to infect every program on a disk. They are also called file system viruses.
**Encrypted virus: An encrypted virus's code begins with a decryption algorithm and continues with scrambled or encrypted code for the remainder of the virus. Each time it infects, it automatically encodes itself differently, so its code is never the same. Through this method, the virus tries to avoid detection by anti-virus software.
**Encryption: Encryption is the scrambling of data so that it becomes difficult to unscramble and interpret.
**Hacker: A hacker is a person who creates and modifies computer software and hardware, including computer programming, administration, and security-related items. This can be done for either negative or positive reasons. Criminal hackers create malware in order to commit crimes.
**Macro virus: A macro virus is a malicious macro. Macro viruses are written in a macro programming language and attach to a document file such as Word or Excel. When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage, and copies itself into other documents. Continual use of the program results in the spread of the virus.
**Phishing: Phishing is a form of criminal activity using social engineering techniques through email or instant messaging. Phishers attempt to fraudulently acquire other people’s personal information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication.
**Spyware: Spyware is a wide range of unwanted programs that exploit infected computers for commercial gain. They can deliver unsolicited pop-up advertisements, steal personal information (including financial information such as credit card numbers), monitor web-browsing activity for marketing purposes, or route HTTP requests to advertising sites.
_______ JAY _________
Hi jay..Can you tell me something about penetration point matrix which requres in security testing.
Very detailed information about Security Testing. Thanks Jay!
1. Test authantication and autherigation of the system
2. Security testing attempts to verify that protection mechanism built into a system will protect it from improper penetration
3. How well the system is protecting against unautherized internal and external access
Testing how well the system protects against unauthorized internal or external access, willful damage, etc; may require sophisticated testing techniques.

Dear guys,

Please clarify me?

Hello buddy,

In Agile, the entire testing team is responsible for quality whereas in traditional methods it was only testers that were accountable for software quality.

Agile team members begin imagining test cases the moment the consumer makes known the specifications. Developers code the tests before the actual coding starts and test analysts extend the testing harnesses, all before the code has been developed that implement the user story.

BigData Testing will become really BIG:

We are sitting on a critical amount of BigData today and require to have a powerful plan around BigData Testing. Testing datasets need highly analytical tools, strategies, and frameworks, and is an area that is set to grow big.

Performance Engineering is replacing Performance Testing:

Repeating a cliché – “A good user experience is the main key to a successful product”. Compatible performance across diverse platforms, OSs, and devices determines how much of a market can a product actually capture.

The requirement to give the best experience to users is making companies improve their technologies. They are now moving away from just giving Performance tests to providing Performance engineering.


Security Testing Services


Security testing is one of the types of testing in which security-related issues can be solved by testing experts and try to cover the vulnerabilities. In this complete process, software testers try to protect the data and resources from possible intruders.

 I think my latest article will help you a lot please check here: Top 10 Vulnerability Scanning Tool of 2020

Security Testing is a testing technique used by companies providing qa services all over the globe. It is used to make sure that system and applications are free from any loopholes that may cause a big loss and finding all possible loopholes and weaknesses of a system which might result into a loss of information, keeping in mind the threats and risks which can destroy the functionality and important data of the system/application.

Following are some of the widely used approaches which can be followed while performing security testing:

1. Access to Application:
Under this approach, one can login to the application with all valid and invalid user roles and should verify that he should get restricted to access it with invalid logins.

2. Data Protection:
To follow this approach, tester should make sure that data maintained in database is in encrypted form so that it gets decrypted only on providing valid auth code or password for it.

3. Brute-Force Attack:
Brute-Force Attack is something where hackers can easily access the website or servers by trying different combinations og
usernames and passwords. Testers can approach its testing by providing account suspension mechanism in which application blocks the account when continuous failure attempts are made to login the application.

4. Session Management:
Session management is also a necessary technique in security testing where session should get expire after some period of time if application remains idle.

5. Error Handling:
Error codes returned in case of any bad request or server error type issues should not contain any confidential details related to the application which can be used by any unknown sources. For example, if an application is throwing an error while login so in that case there should be no confidential details of the user or website displayed either in console or any other add- on/plugin which is being used to track that error as these can be used by any third party unknown sources.

By following the above discussed approaches, one can perform testing around the application and can also design test cases accordingly.

Types of security testing:

1. Vulnerability scanning: Under this testing, complete application looks for the loopholes and vulnerabilities in the application.
2. Penetration testing: Under penetration testing, tester needs to test the application by thinking from a Hacker's mind.
3. Ethical hacking: Under ethical hacking, system is hacked by itself to obtain loopholes in the system, the purpose of ethical hacking is to improve the security of the network or systems by fixing the loopholes found during testing.
4. Risk assessment: Risks are measured in terms of security and then those risks are divided on the basis of High, Medium and Low
5. Security scanning: Security testing is performed basically to identify the network loopholes and then analyzed those network weaknesses and resolve them
6. Security review: Security review include whether all the security standards are implemented accurately and consistent throughout the application which covers all the security gaps of the application.

There are many tools available in the market for Security testing but Zed Attack Proxy(ZAP) is one of the best and easy to use tool for security testing for finding loopholes and vulnerabilities in web applications which is compatible with Windows, Linux and Mac OS.



TTWT Magazine





© 2020   Created by Quality Testing.   Powered by

Badges  |  Report an Issue  |  Terms of Service