As the use of web and mobile applications grows, vulnerabilities increase as well. Valuable client information and consumer trust can be lost in the blink of an eye if proper precautions aren’t taken. Good security starts with mitigating risk at the early stages of development and goes on with a continuous process throughout the life of the application. Periodic assessments must be done and security training never ends.
The methodologies involved in software security are extensive and complex, and they require specific expertise. Developers tend to neglect security because of its complexity, so it is important that specialists are either contracted or made part of the team before, during, and after application development. Prior to development, security specialists review and adapt the security requirements and architecture. During development, security tests are executed and reviewed until the security is assessed to be sufficient. Once the application is in production, security service and response processes are put into place along with a continuous security review at appropriate intervals.
QA Mentor uses one of three different security testing methodologies depending on the application, development status, and development methodology.
Agile Security Testing
This method of testing is driven by iterations in which security requirements are translated into automated security test cases. By promoting test driven development in this way, security tests are created before the system even exists.
Step 1: Initial Scoping
At this time we also develop the metrics criteria to be used for the duration of the project.
- Number of Policy Violations
- Percentage of weak passwords
- Number of Susceptible Interfaces
- Number of Defects and their Severity
- Cost per Defect
- Number of Security Layers
- Percentage of System Formally Assessed
Step 2: Design Review
This phase starts with a review of the security requirements. We make sure the following sections are complete, unambiguous, and lacking any gaps in the requirement definitions.
- User Management
- Data confidentiality
- Session management
- Tiered systems segregation
Step 3: Development Walkthroughs and Reviews
During development, the security team will systematically perform code walkthroughs with the developers and architects in order to gain a high level of understanding of the code. Next, security and development teams perform code reviews together to look for security defects.
Step 4: Deployment
Once the code has been deployed, we begin configuration management testing and penetration testing – if applicable.
Step 5: Maintenance
Just because the application is in production doesn’t mean the security testing is done. Operational reviews are scheduled for periodic checks on security risks and application health.
Open Web Application Security Project (OWASP) Methodology
OWASP is a non-profit project that enables organizations to develop and maintain secure web applications. Its security testing framework is based on a generic development model, which makes it easy for organizations to pick and choose what will work in their SDLC. QA Mentor uses the OWASP security testing framework as the foundation for one of its security testing methodologies.
Step 1: Obtain Security Requirements
Security requirements are identified by creating Abuser Stories and Misuse Case models – a take on the Use Case and User Stories. By creating these models, testers can pull security requirements from the scenarios and create appropriate reference points for requirement tests. These scenarios are developed by determining how a malicious user might misuse or abuse the system. Doing this step as a team, which is common in Agile methodology, makes it easier for the whole team to relate to security issues and determine the best way to handle them.
Step 2: Employ Testable Architecture
Most web applications have three or more architectural layers. Creating a testable architecture involves adding a test layer on top of each of the application layers. This makes it possible to employ various security testing techniques throughout the development lifecycle: testing can be carried out on each layer and on combinations of layers. Since many developers and architects don't often consider security, creating test layers that interact with and directly test the application layers brings developers and architects into the security testing. This increases their security knowledge and gives them insight into how to develop secure systems as well as how to remedy security issues.
Step 3: Automate Security Tests
To fully benefit from Agile, automation must be employed as much as possible. There are many security tools available to make security test automation easier. Automating the security tests not only speeds up testing but also increases confidence in the system. Depending on the application and architecture, QA Mentor utilizes tools such as HP Fortify Software Security Center, HP WebInspect, IBM Rational AppScan, and Beyond Security.
Penetration Testing Methodology
QA Mentor employs a structured and ongoing penetration testing methodology that uses the same tools and methods a malicious user would.
Step 1: Build Threat Model
Similar to the misuse cases and abuser stories, the threat model is a detailed description of the risks and threats associated with the application. The model gives an overview of the vulnerabilities that must be present for a threat to be realized, and building it requires thinking like an attacker. This level of detail helps security testers break each threat down into smaller parts.
Step 2: Create Test Plan
The security test plan is a road map for the security testing effort. A high level overview of the test cases, the plan also outlines any exploratory testing that will be performed, test design, and execution plans. Our test plans include deliverables and descriptions, a timetable of activities, and logistics such as the necessary people and resources.
Step 3: Execute Test Cases
This step is largely self-explanatory. Security test execution is generally divided into four main groups: Dependency, which covers vulnerabilities in the file system, registry, or libraries; User Interface, which covers attacks such as SQL injection and XSS; Design, which looks for things like unsecured ports and default accounts; and Implementation, which looks for incorrect or missing input validation.
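The abuser stories from the OWASP requirements step and the User Interface and Implementation groups of test execution above meet in the automated test suite: each story becomes a check that the corresponding mitigation holds. The following is an added example, not QA Mentor's code or any of the named tools. The small application under test (render_profile_name, search_products, password_meets_policy), the three abuser stories, and the sampled passwords are all constructed for the example; the weak-password metric follows the scoping metric listed earlier on this page.

```python
"""Misuse cases turned into automated security tests (constructed example).

The application under test is hypothetical and stands in for the real system;
the payload strings are fixed test inputs, not a live target.
"""
import html
import sqlite3


# ---- Toy application under test (hypothetical) -------------------------------

def render_profile_name(name: str) -> str:
    """Render a user-supplied display name into HTML.

    Escaping every untrusted value at output time is the XSS mitigation that
    the User Interface group of tests verifies.
    """
    return f'<span class="name">{html.escape(name, quote=True)}</span>'


def setup_catalog() -> sqlite3.Connection:
    """Create an in-memory catalog with one row that must never be shown publicly."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, internal) VALUES (?, ?)",
        [("widget", 0), ("gadget", 0), ("unreleased-gizmo", 1)],  # constructed rows
    )
    return conn


def search_products(conn: sqlite3.Connection, term: str) -> list:
    """Public product search; the bound parameter is the SQL injection mitigation."""
    rows = conn.execute(
        "SELECT name FROM products WHERE internal = 0 AND name LIKE ?",
        (f"%{term}%",),
    ).fetchall()
    return [row[0] for row in rows]


def password_meets_policy(password: str) -> bool:
    """Input validation behind the 'weak passwords' metric: 12+ chars, 3 of 4 classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= 12 and sum(classes) >= 3


# ---- Abuser stories expressed as automated checks ---------------------------

def xss_in_display_name() -> bool:
    """Abuser story: a user stores a script tag as their name to run it in other browsers."""
    payload = "<script>alert(1)</script>"          # constructed test input
    rendered = render_profile_name(payload)
    return "<script" not in rendered and "&lt;script&gt;" in rendered


def sqli_in_search() -> bool:
    """Abuser story: a visitor tries to widen the search query to reach internal rows."""
    conn = setup_catalog()
    results = search_products(conn, "' OR 1=1 --")  # constructed test input
    honest = search_products(conn, "gadget")        # the feature must still work
    return "unreleased-gizmo" not in results and honest == ["gadget"]


def weak_password_rejected() -> bool:
    """Abuser story: an attacker guesses an account whose password is a dictionary word."""
    return (not password_meets_policy("password")
            and password_meets_policy("Correct-Horse-Battery"))


MISUSE_CASES = {
    "UI / XSS: script tag in display name is neutralised": xss_in_display_name,
    "UI / SQLi: injected search term cannot reach internal rows": sqli_in_search,
    "Implementation: dictionary-word password is rejected by policy": weak_password_rejected,
}


def run_misuse_cases() -> dict:
    """Execute every abuser story and report pass/fail per derived requirement."""
    return {story: check() for story, check in MISUSE_CASES.items()}


def weak_password_percentage(passwords: list) -> float:
    """Scoping metric: share of sampled passwords that fail the policy, in percent."""
    if not passwords:
        return 0.0
    weak = sum(1 for p in passwords if not password_meets_policy(p))
    return round(100.0 * weak / len(passwords), 1)


if __name__ == "__main__":
    for story, passed in run_misuse_cases().items():
        print(f"{'PASS' if passed else 'FAIL'}  {story}")
    sample = ["password", "hunter2", "Tr0ub4dor&3xyz"]  # constructed sample
    print("weak passwords:", weak_password_percentage(sample), "%")
```

Each check names the requirement it protects, so a failing story in CI points straight at the missing mitigation rather than at a generic scanner finding; the same dictionary can be extended with one entry per new abuser story as the threat model grows.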
Step 4: Create Problem Report
The problem report is a crucial element as it provides proof of the presence of vulnerabilities. It covers the steps to reproduce, the severity of the vulnerability, and the exploit scenarios.
Step 5: Perform Postmortem
A very important part of security testing, the postmortem meeting involves the entire security team. Members analyze the bugs found and work to determine why the vulnerabilities were missed in development. By identifying how the security holes were missed, the process can be improved for future projects.