What are the different types of software testing?

With a wide array of security testing solutions available, let's examine how the different types of software testing help organizations meet their security goals.

When do I need security testing?

Software security testing aims to reveal flaws and weaknesses in the security mechanisms of applications and systems. When such weaknesses are exploited, the consequences can include:

  • Information loss
  • Monetary loss
  • Damage to reputation
  • Customer dissatisfaction
  • Life risk

Conducting a security assessment is a must if an organization wants to gain and retain its customers' trust. The prime objective of security testing is to determine whether an application's data and resources are protected from intruders and whether the application is vulnerable to common and sophisticated attacks.

What does security testing consist of?

Security testing does not refer only to testing the end product for security issues. It also ensures that proactive assurance techniques are built in from the beginning of software development. A good security testing practice treats assurance activities such as penetration testing, code review, and architecture analysis as integral elements of the development effort.

A security assessment normally starts by verifying that the application provides the following properties:

  • Authentication
  • Authorization
  • Confidentiality
  • Availability
  • Integrity
  • Non-repudiation
  • Resilience

While security verification (i.e., testing) is an identified phase within the software development life cycle (SDLC), security should be practiced throughout the development process. Here's how to include security throughout development and implement the critical properties above.

What types of software testing can help my firm meet security goals?

Architecture risk assessment

Any piece of software begins with its architecture, so a security risk assessment of the architecture ensures that security is included from the very beginning. Here are three types of analysis that enforce early security involvement:

Threat modeling identifies a system’s major software components, threats, security controls, assets, and trust boundaries. Together these describe the attack surface. Analysts identify where:

  • Design violates security design patterns
  • System omits security controls
  • Security controls suffer from misconfiguration, weakness, or misuse

Architecture risk analysis (ARA) conducts a thorough review of the software design using the following types of analysis:

  • Attack resistance analysis
  • Underlying framework analysis
  • Ambiguity analysis

Architecture risk analysis also often includes verification of architecture flaws through source code analysis or penetration testing.

A security architecture survey (SAS) evaluates an application’s design and deployment to determine whether it conforms to industry best practices. The results of a SAS are often used for compliance purposes or to drive additional security activities. The goal of the survey is to identify common architecture and design flaws.

Once the architecture is laid out, developers and engineers benefit from a developer-friendly static analysis tool that integrates easily into the SDLC and lets developers deliver better software, faster. This is also referred to as static application security testing (SAST); it provides remediation advice early in the life cycle, helping resolve vulnerabilities before they become costly, time-consuming mistakes.

Written code can also be scanned with static analysis tools to add depth to the secure code review process, finding and eliminating common and critical software security vulnerabilities within source code. Static tools report only what they can infer from the code itself, so their findings still need triage by someone who understands the application's context.
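
To make the static-analysis idea concrete, here is a small SAST-style checker written for this article (it is not code from the original post or from any product it mentions). It parses a Python module into a syntax tree and flags a few well-known dangerous calls; the rule table and the sample module are constructed for illustration, and a real tool adds hundreds of rules plus data-flow tracking on top of the same basic walk.

```python
"""SAST-style check: walk a Python module's syntax tree and flag risky calls.

Added example, not code from the original post or any product it mentions.
The rule table and the sample module are constructed for illustration; a
real tool ships hundreds of rules plus data-flow tracking.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


# Assumed rule table for this example: callee name -> why it is risky.
DANGEROUS_CALLS = {
    "eval": "executes a string as code",
    "exec": "executes a string as code",
    "pickle.loads": "deserializes untrusted bytes into arbitrary objects",
    "yaml.load": "unsafe YAML loader (use yaml.safe_load)",
}


def _callee_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'pickle.loads', 'subprocess.run', 'eval'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _kwarg_is_true(node: ast.Call, name: str) -> bool:
    """True when the call passes name=True as a literal keyword argument."""
    return any(
        kw.arg == name and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def scan_source(source: str) -> list:
    """Parse the source once, visit every call, and return findings sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name in DANGEROUS_CALLS:
            findings.append(Finding(name, node.lineno, DANGEROUS_CALLS[name]))
        # shell=True hands the command line to /bin/sh, so any attacker-controlled
        # fragment becomes shell syntax; the list form without shell=True is safe.
        if name.startswith("subprocess.") and _kwarg_is_true(node, "shell"):
            findings.append(Finding("subprocess-shell", node.lineno,
                                    "shell=True enables command injection"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module under test (not real project code).
SAMPLE = '''
import subprocess, pickle

def handler(user_input, blob):
    result = eval(user_input)
    subprocess.run("ls " + user_input, shell=True)
    obj = pickle.loads(blob)
    listing = subprocess.run(["ls", user_input])   # list form: not flagged
    return result, obj, listing
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

Run against the constructed sample, the checker reports the `eval`, the `shell=True` subprocess call and the `pickle.loads`, and stays silent on the list-form `subprocess.run`, which is exactly the distinction a developer wants surfaced before the code leaves their editor.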

Application security testing

When an application is ready for quality assurance testing, it is also ready for security testing. Dynamic application security testing (DAST) is a type of software testing that uses automated tools to identify common vulnerabilities in running web applications or web services, without the need for source code. This solution is ideal for internally facing, low-risk applications that need to comply with regulatory security assessments. It can also be used for externally facing applications; however, DAST alone is not sufficient there, because automated scanners do not find the business-logic and authorization flaws that require a human tester.
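
The following example, added here and not taken from the original post or any product it mentions, shows what a DAST probe actually does: it sends requests and inspects responses, with no knowledge of the target's source. The target is a constructed WSGI application driven in-process so the example runs offline; the scanner functions would work unchanged against a real HTTP endpoint if `http_get` were swapped for a network client.

```python
"""DAST-style probe for reflected input, driven in-process against a tiny WSGI app.

Added example, not code from the original post or any product it mentions.
The target application below is constructed to stand in for a running server;
the scanner functions treat it as a black box and only inspect HTTP responses.
"""
import html
import io
import secrets
from urllib.parse import parse_qs, urlencode


# --- Constructed target: deliberately weak on one parameter, safe on the other.
def target_app(environ, start_response):
    params = parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("name", [""])[0]
    q = params.get("q", [""])[0]
    body = ("<h1>Hello " + name + "</h1>"                # reflected raw: XSS sink
            "<p>Results for " + html.escape(q) + "</p>")  # escaped: safe
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode()]


# --- Scanner side: nothing below depends on the target's source.
def http_get(app, path, query):
    """Issue a GET to a WSGI app the way a client would, without opening a socket."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": urlencode(query),
        "SERVER_NAME": "localhost", "SERVER_PORT": "80", "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.url_scheme": "http", "wsgi.input": io.BytesIO(b""),
    }
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], dict(captured["headers"]), body


def probe_reflected_xss(app, path, param_names):
    """Inject a unique canary wrapped in angle brackets into one parameter at a time.
    If the brackets survive into an HTML response, the parameter is reflected
    without encoding. A canary that comes back as &lt;...&gt; is not a finding."""
    findings = []
    for name in param_names:
        payload = "<dast" + secrets.token_hex(4) + ">"
        query = {p: "x" for p in param_names}
        query[name] = payload
        _, headers, body = http_get(app, path, query)
        if payload in body and "text/html" in headers.get("Content-Type", ""):
            findings.append({"param": name, "evidence": payload})
    return findings


def missing_security_headers(headers):
    """Passive check: response headers a scanner expects on any HTML page."""
    expected = ("Content-Security-Policy", "X-Content-Type-Options",
                "Strict-Transport-Security")
    present = {k.lower() for k in headers}
    return [h for h in expected if h.lower() not in present]


if __name__ == "__main__":
    print(probe_reflected_xss(target_app, "/greet", ["name", "q"]))
    _, hdrs, _ = http_get(target_app, "/greet", {"name": "a"})
    print("missing headers:", missing_security_headers(hdrs))
```

The canary is random per request so a hit cannot be confused with cached or pre-existing page content, and the scanner only reports a reflection when the response is actually HTML, which is the usual source of false positives in naive probes. Notice what the probe cannot tell you: whether the `name` parameter should have been accepted from this user at all. That authorization question is why DAST on an external application is paired with manual testing.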

Based on the type of application, organizations can also choose from the following manual penetration testing options. Each includes client-side and server-side testing. These assessments can be white box (with source code), black box (without access to source code), or gray box (with some information, such as configuration files, but without complete access to source code). The duration and depth of analysis can be coordinated case by case.

  • Web application penetration test. The application and the frameworks it is built on are tested for injection points and other common vulnerabilities. (While the OWASP Top 10 has many merits, a better practice is to also test against the vulnerability classes most common in your own firm's code.)
  • Mobile application penetration test. Testing of applications written for the most popular mobile operating systems, such as iOS, Android, Windows, and BlackBerry.
  • Thick client (desktop) application penetration test. Testing of applications written for desktop use.

Infrastructure security testing

Infrastructure is often considered one of the most important aspects of maintaining software security: an unpatched piece of software risks exploitation, and a leak of sensitive information can cause great monetary loss to a firm. Infrastructure testing ensures that the network is equipped to withstand such issues through the following approaches:

  • Network security penetration testing employs automated scanning plus a manual testing checklist that includes test cases for encrypted transport protocols, SSL/TLS certificate scoping issues, exposure of administrative services, etc. Manual checks also cover what automated testing does not normally find: for example, vulnerabilities related to complex routing paths, access control configurations, business logic, and any functionality available through the exposed network services.
  • Wireless penetration testing is carried out from the client side, with the assessor having access to the wireless network, and covers configuration, wireless encryption standards, authentication, etc.
  • Secure build and configuration review ensures that hosts have been properly hardened and patched. Permission policies, password policies, and security settings are also tested. This can be included as part of a network or wireless security test.
  • Red teaming combines network, physical, and social engineering techniques to assess an organization's security without the client's staff being made aware of it. It also lets an organization analyze its employees' security awareness and its own readiness against a real-world breach attempt.
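
One of the "certificate scoping" test cases from the network checklist above, worked through as an added example (not code from the original post or any product it mentions): given the DNS names a scanner extracts from a leaf certificate, decide whether the certificate really covers the host under test and whether its wildcard is reasonable. The name material is passed in as plain strings constructed for the example rather than parsed from real certificates, so the matching rules themselves are the whole point.

```python
"""Certificate scoping check: does the presented certificate cover the host under test,
and is its wildcard scope reasonable?

Added example, not code from the original post or any product it mentions. The
name material is passed in as plain strings (constructed here) rather than parsed
out of real certificates, so the matching rules are the whole point.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """DNS names a scanner would extract from a leaf certificate."""
    san_dns: List[str] = field(default_factory=list)
    common_name: Optional[str] = None  # consulted only when no SAN extension exists


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    Rules (the ones browsers enforce and scanners test for):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard may appear only as the entire leftmost label ('*.', never 'f*o.');
    - a wildcard matches exactly one label: '*.example.com' does not cover
      'a.b.example.com' and does not cover the bare 'example.com';
    - a wildcard on a name with fewer than three labels ('*.com') is rejected outright.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if any("*" in label for label in p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False
    if p[0] == "*" and len(p) < 3:
        return False
    if len(p) != len(h):
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def check_scope(cert: CertIdentity, hostname: str) -> dict:
    """Verdict plus the reasons a tester would write into the report."""
    issues = []
    if cert.san_dns:
        names = cert.san_dns
    else:
        names = [cert.common_name] if cert.common_name else []
        issues.append("no subjectAltName extension; CN-only certificates are "
                      "rejected by modern clients")
    for n in names:
        if n.startswith("*.") and n.count(".") < 2:
            issues.append(f"overly broad wildcard {n!r}")
    covered = any(name_matches(n, hostname) for n in names)
    if not covered:
        issues.append(f"hostname {hostname!r} is not covered by {names}")
    return {"hostname": hostname, "covered": covered, "issues": issues}


if __name__ == "__main__":
    # Constructed identities, not real certificates.
    cert = CertIdentity(san_dns=["*.example.com", "example.com"])
    for host in ("api.example.com", "a.b.example.com", "example.com", "example.org"):
        print(check_scope(cert, host))
    print(check_scope(CertIdentity(san_dns=["*.com"]), "foo.com"))
```

The interesting cases are the ones a quick eyeball check gets wrong: `*.example.com` does not cover `a.b.example.com` or `example.com` itself, a CN-only certificate is a finding even when the CN matches, and a public-suffix wildcard is reported as a scoping problem regardless of whether it would have matched.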

Cloud security review

Cloud security reviews are becoming an essential type of software testing as more companies deploy their infrastructure on cloud services such as AWS, Azure, and Google Cloud. A cloud security assessment starts with an understanding of the application's business and technical context, gained through document review and interviews with key stakeholders. Next, the application's configuration is reviewed for security gaps, focusing on the in-scope services and regions.
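
As an added example of what "reviewing the configuration for security gaps" looks like in practice (this is illustrative code written for this article, not from the original post or any product it mentions), the block below runs the first checks a reviewer applies to AWS-style policy documents: anonymous principals with no narrowing condition, admin-equivalent wildcard grants, `iam:PassRole` on every resource, and public-access-block settings left disabled. The policy documents and the endpoint ID inside them are constructed; a real review pulls them through the provider's API for every in-scope account, service and region.

```python
"""Cloud configuration review: the policy gaps a reviewer checks first.

Added example, not code from the original post or any product it mentions. The
policy documents and the bucket setting are constructed inline; a real review
pulls them from the provider's API for every in-scope account, service and region.
"""


def _as_list(value):
    """AWS policy fields may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """'*' or {'AWS': '*'} means any caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def review_policy(policy: dict, label: str) -> list:
    """Return (location, problem) pairs for each risky Allow statement."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        where = f"{label} statement {i}"
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        # Public access: anyone may call, and no Condition narrows who or from where.
        if _principal_is_anyone(st.get("Principal")) and "Condition" not in st:
            findings.append((where, "anonymous principal with no Condition: resource is public"))
        # Admin-equivalent grants: wildcard service actions on every resource.
        if any(a in ("*", "s3:*", "iam:*", "ec2:*") for a in actions) and "*" in resources:
            findings.append((where, "wildcard action on wildcard resource: admin-equivalent grant"))
        # iam:PassRole on '*' lets the caller attach any role to a service it controls.
        if "iam:passrole" in actions and "*" in resources:
            findings.append((where, "iam:PassRole on '*' enables privilege escalation"))
    return findings


def review_public_access_block(cfg: dict) -> list:
    """Names of the S3 public-access-block settings left disabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in required if not cfg.get(k, False)]


# Constructed sample documents (not from any real account; the VPC endpoint ID is made up).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-assets/*"},                 # public read
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},  # scoped
    ],
}
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
}
PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True}

if __name__ == "__main__":
    for where, problem in review_policy(BUCKET_POLICY, "bucket") + review_policy(ROLE_POLICY, "role"):
        print(f"{where}: {problem}")
    print("public access block not set:", review_public_access_block(PUBLIC_ACCESS_BLOCK))
```

The second bucket statement is deliberately left alone: a wildcard principal with a `Condition` restricting the source VPC endpoint is a common and legitimate pattern, and a reviewer who flags it anyway trains the team to ignore the report. The role policy, by contrast, yields two findings from one statement, which is typical of how over-broad grants compound.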

Embedded security

Embedded security testing differs from other types of software testing because it is typically specialized for the particular hardware the software runs on. Testing of embedded systems includes firmware analysis and hardware security testing. The medical device, automotive, and avionics industries commonly rely on embedded devices.

Types of software testing summary

Building reliable software is the stated goal of most software companies, and reliability includes protecting the data the application handles. There are quite a few types of software testing to choose from. Organizations should strive to understand which kinds of security testing they can benefit from, and prioritize their efforts to achieve at least the level of security their industry requires.

Posted by

Arvinder Saini

Arvinder Saini is a senior security consultant at Synopsys. He has 4+ years of experience performing architecture security reviews and penetration testing thick client, web, and mobile applications. He also delivers threat modeling training to Synopsys clients. Arvinder holds a Master's in Information Security from Georgia Institute of Technology.
