Quality is delighting customers
Thanks for sharing your thoughts, and yeah, I have an article on "Best Approach For Security Testing Of Web Applications"; here is the link: https://medium.com/@alishahndrsn/best-approach-for-security-testing...
As per the practices of quality assurance services, the following are some of the widely used approaches that can be followed while performing security testing:
1. Access to Application:
Under this approach, one logs in to the application with all valid and invalid user roles and verifies that access is restricted for invalid logins.
2. Data Protection:
To follow this approach, the tester should make sure that the data maintained in the database is in encrypted form, so that it is decrypted only on providing a valid auth code or password for it.
3. Brute-Force Attack:
A brute-force attack is one where hackers can easily gain access to the website or servers by trying different combinations of usernames and passwords. Testers can approach its testing by checking for an account suspension mechanism, in which the application blocks the account when continuous failed attempts are made to log in to the application.
4. Session Management:
Session management is also a necessary technique in security testing, where the session should expire after some period of time if the application remains idle.
5. Error Handling:
Error codes returned in case of a bad request or a server-error type issue should not contain any confidential details related to the application that could be used by unknown sources. For example, if an application throws an error during login, no confidential details of the user or the website should be displayed, either in the console or in any add-on/plugin used to track that error, as these can be used by unknown third-party sources.
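The five checks in the list above can be exercised against a concrete login service. What follows is an added example, not code from the original post or from any product it mentions: a minimal in-memory authentication service that implements role-restricted access, salted password hashing at rest, account lockout against brute force, a sliding idle-session timeout and sanitised error responses, followed by the security test cases a tester would run against it. The thresholds (five failures, 15-minute lockout, 10-minute idle limit), the account names and the sample error message are assumptions made up for this example.

```python
"""Added example (not from the original post): a tiny login service with the
controls listed above, plus the security test cases that verify each of them.
All thresholds, account names and passwords below are assumptions for the demo."""
import hashlib, hmac, os, secrets, time

LOCKOUT_THRESHOLD = 5           # assumption: consecutive failures before lockout
LOCKOUT_SECONDS = 15 * 60       # assumption: how long the account stays blocked
IDLE_TIMEOUT_SECONDS = 10 * 60  # assumption: idle time before a session dies
_DUMMY_SALT = b"\x00" * 16      # used so unknown users cost the same as known ones


def _hash_password(password, salt):
    """Salted, slow hash: the database never holds the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so tests can fast-forward time
        self.users = {}      # username -> {"salt", "hash", "role"}
        self.failures = {}   # username -> (consecutive failures, last failure time)
        self.sessions = {}   # token -> {"user", "role", "last_seen"}

    def add_user(self, username, password, role):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}

    def login(self, username, password):
        now = self.clock()
        count, last = self.failures.get(username, (0, 0.0))
        if count >= LOCKOUT_THRESHOLD:
            if now - last < LOCKOUT_SECONDS:
                return {"ok": False, "error": "account temporarily locked"}
            count = 0  # lockout window has elapsed; start counting afresh
        user = self.users.get(username)
        if user is None:
            _hash_password(password, _DUMMY_SALT)  # same work for unknown users: no timing oracle
            valid = False
        else:
            valid = hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])
        if not valid:
            self.failures[username] = (count + 1, now)
            # One generic message for bad user and bad password: no username enumeration
            return {"ok": False, "error": "invalid username or password"}
        self.failures.pop(username, None)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "role": user["role"], "last_seen": now}
        return {"ok": True, "token": token}

    def access(self, token, resource, allowed_roles):
        now = self.clock()
        session = self.sessions.get(token)
        if session is None:
            return {"ok": False, "error": "not authenticated"}
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]  # idle too long: the session is gone for good
            return {"ok": False, "error": "session expired"}
        session["last_seen"] = now    # sliding window: activity keeps the session alive
        if session["role"] not in allowed_roles:
            return {"ok": False, "error": "forbidden"}
        return {"ok": True, "resource": resource}


def safe_error_response(exc, server_log):
    """Error handling: exception detail goes to the server log under a reference id;
    the client only ever sees a generic message plus that id."""
    ref = secrets.token_hex(8)
    server_log.append(f"ref={ref} {type(exc).__name__}: {exc}")
    return {"ok": False, "error": "internal error", "ref": ref}


class FakeClock:
    def __init__(self, start=1_700_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def run_security_tests():
    """The five checks from the list above; each entry is True when the control holds."""
    clock, results = FakeClock(), {}
    svc = AuthService(clock)
    svc.add_user("alice", "correct horse battery staple", "user")
    svc.add_user("root", "an-admin-passphrase", "admin")
    # 1. Access: invalid logins are rejected and the wrong role cannot reach admin pages
    bad_user, bad_pass = svc.login("nobody", "x"), svc.login("alice", "wrong")
    results["invalid_login_rejected"] = not bad_user["ok"] and not bad_pass["ok"]
    results["no_username_enumeration"] = bad_user["error"] == bad_pass["error"]
    tok = svc.login("alice", "correct horse battery staple")["token"]
    results["user_blocked_from_admin"] = svc.access(tok, "/admin", {"admin"})["error"] == "forbidden"
    results["user_allowed_own_area"] = svc.access(tok, "/profile", {"user", "admin"})["ok"]
    # 2. Data protection: the stored record does not contain the plaintext password
    results["password_not_plaintext"] = "correct horse" not in repr(svc.users["alice"])
    # 4. Session management: activity keeps it alive, idleness past the limit ends it
    clock.advance(IDLE_TIMEOUT_SECONDS - 1)
    results["active_session_survives"] = svc.access(tok, "/profile", {"user"})["ok"]
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    results["idle_session_expired"] = svc.access(tok, "/profile", {"user"})["error"] == "session expired"
    # 3. Brute force: after the threshold even the right password is refused until the window passes
    for _ in range(LOCKOUT_THRESHOLD):
        svc.login("root", "guess")
    results["lockout_after_failures"] = svc.login("root", "an-admin-passphrase")["error"] == "account temporarily locked"
    clock.advance(LOCKOUT_SECONDS + 1)
    results["lockout_lifts_after_window"] = svc.login("root", "an-admin-passphrase")["ok"]
    # 5. Error handling: a constructed DB failure message must not leak into the client response
    log = []
    resp = safe_error_response(RuntimeError("password authentication failed for user 'app'"), log)
    results["error_body_no_details"] = "authentication failed" not in resp["error"] and "app" not in resp["error"]
    results["error_logged_with_ref"] = any(resp["ref"] in line for line in log)
    return results


if __name__ == "__main__":
    print(run_security_tests())
```

Each result key maps to one of the numbered approaches; a real test suite would drive the same checks through the application's HTTP layer rather than calling the service directly, but the pass/fail conditions (generic login errors, lockout that also refuses the correct password, a session that dies after the idle limit, error bodies carrying only a reference id) are the ones to assert.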
SECURITY TESTING APPROACH:
We can take the following approach while preparing and planning for security testing:
Security Architecture Study: The first step is to understand the business requirements, security goals and objectives in terms of the security compliance of the organization. The test planning should consider all security factors; for example, the organization might be planning to achieve PCI compliance.
Security Architecture Analysis: Understand and analyze the requirements of the application under test.
Classify Security Testing: Collect all system setup information used in the development of the software and networks, such as operating systems, technology and hardware. Make a list of vulnerabilities and security risks.
Threat Modelling: Based on the above step, prepare a threat profile.
Test Planning: Based on the identified threats, vulnerabilities and security risks, prepare a test plan to address these issues.
Traceability Matrix Preparation: Prepare a traceability matrix covering each identified threat, vulnerability and security risk.
Security Testing Tool Identification: Not all security testing can be executed manually, so identify the tools to execute the security test cases faster and more reliably.
Test Case Preparation: Prepare the security test case document.
Test Case Execution: Execute the security test cases and retest the defect fixes. Execute the regression test cases.
Reports: Prepare a detailed report of the security testing, containing the vulnerabilities and threats covered, the risks in detail, the issues still open, etc.