stephen
Joined: 31 Aug 2007 Posts: 13
Posted: Thu Sep 06, 2007 12:46 pm Post subject: Identifying the scope of security testing...
The main objectives of security testing are:
Verify and validate that applications meet the security requirements
Identify security vulnerabilities of applications in the given environment
Performing a thorough security assessment of a Web application is a complex task, which should be approached like any other software analysis task with a methodology, testing procedures, a set of helpful tools, skills, and knowledge. Manual penetration testing as well as automated tools can be used to uncover critical security vulnerabilities in Web applications. The technology used for development and the vulnerability of the applications determine the correct ratio of automated scanning to manual penetration testing for providing the best possible Web application security coverage.
Security testing starts with vulnerability assessment. Vulnerability scanning scans a network for security holes in the network segments for IP-enabled devices and enumerates systems, operating systems, and applications. Apart from identifying the operating system version, IP protocols, and TCP/UDP ports that are listening, vulnerability scanning also identifies the common security threats, such as weak passwords, files with liberal permissions, security configuration problems and so on.
The security testing strategy for an application or product should be developed for each phase, such as development, implementation, deployment, and operation and maintenance. Security testing should preferably be performed by an independent testing team. The test target should be identified using a threat model, and all interfaces like the User Interface (UI), sockets, file input, APIs, mail configuration, and devices should be included in the scope. Performance bottlenecks such as network bandwidth, memory, disk space, files, and sockets should also be subject to security testing.
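The vulnerability-scanning checks the post describes (listening TCP ports, weak passwords, files with liberal permissions), as an added example in Python that is not part of the original post or of any scanner product: the sample directory, the account records, the salted-SHA-256 hashing scheme and the wordlist are all constructed here for illustration and are assumptions, not a real credential store format.

```python
import hashlib
import os
import socket
import stat
import tempfile

# Constructed sample wordlist; a real assessment would use a far larger one.
WEAK_PASSWORDS = ["password", "123456", "admin", "letmein", "welcome"]


def find_liberal_permissions(root):
    """Walk `root` and return files and directories that are world-writable.

    Symlinks are skipped (their own mode bits are meaningless), so a link
    pointing outside `root` cannot produce a misleading finding.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # entry vanished between listing and stat
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                findings.append(path)
    return sorted(findings)


def find_weak_passwords(accounts, wordlist=WEAK_PASSWORDS):
    """accounts maps user -> (salt, sha256 hex digest of salt + password).

    Returns [(user, guessed_password)] for each account whose stored hash
    matches a wordlist entry: an offline dictionary check (assumed format).
    """
    weak = []
    for user, (salt, digest) in accounts.items():
        for candidate in wordlist:
            if hashlib.sha256((salt + candidate).encode()).hexdigest() == digest:
                weak.append((user, candidate))
                break
    return weak


def scan_ports(host, ports, timeout=0.2):
    """Return the subset of `ports` that complete a TCP connect on `host`."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def make_account(salt, password):
    """Build one constructed credential record in the assumed salted-SHA-256 format."""
    return (salt, hashlib.sha256((salt + password).encode()).hexdigest())


# Constructed sample data: two of the three accounts use dictionary words.
SAMPLE_ACCOUNTS = {
    "alice": make_account("n1", "correct horse battery staple"),
    "bob": make_account("n2", "password"),
    "svc_backup": make_account("n3", "admin"),
}


def build_sample_tree():
    """Create a temp directory holding one 0666 file and one 0644 file (constructed)."""
    root = tempfile.mkdtemp(prefix="vulnscan_")
    modes = {"world_writable.conf": 0o666, "private.conf": 0o644}
    for name, mode in modes.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


def run_assessment(root, accounts, host="127.0.0.1", ports=()):
    """Combine the three checks into one report keyed by finding type."""
    return {
        "liberal_permissions": find_liberal_permissions(root),
        "weak_passwords": find_weak_passwords(accounts),
        "open_ports": scan_ports(host, ports),
    }


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = run_assessment(sample_root, SAMPLE_ACCOUNTS, ports=(22, 80, 443))
    for category, items in report.items():
        print(category, items)
```

The port check only touches loopback here; pointing it at other hosts is network scanning and needs the same authorisation as the rest of an assessment. Each check returns a list rather than printing, so the findings can be fed into a report or compared between test phases.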