Software testers are sometimes unable to cope with the verification of security requirements because of their very technical nature. In this post, I will give you some guidance and orientation which you can use right away for your application security testing activities.
Step 1 – Static Application Security Tests
First of all, make sure that static application security testing or secure code review according to security standards such as OWASP top 10, SANS top 25 or PCI will be conducted. Bear in mind that vulnerabilities have to be eliminated from the root, which is the source code. You can do a manual code review, or even better, an automatic analysis using professional or freeware tools. Also, please verify the security risks related to open source libraries used by your application under test.
Step 2 – Dynamic Application Security Tests
Lastly, your testing activities should also include so-called business security tests, which focus on sensitive areas such as authentication, authorization, and session management. Also, I recommend paying attention to login procedures and permission management of applications under test. Conduct positive and negative tests for those critical areas mentioned above. Cation scans or penetration tests should be executed during system or user acceptance testing.
Step 3 – Business Security Tests
Lastly, your testing activities should also include so-called business security tests, which focus on sensitive areas such as authentication, authorization, and session management. Also, I recommend paying attention to login procedures and permission management of applications under test. Conduct positive and negative tests for those critical areas mentioned above.
Lastly, your testing activities should also include so-called business security tests, which focus on sensitive areas such as authentication, authorization, and session management. Also, I recommend paying attention to login procedures and permission management of applications under test. Conduct positive and negative tests for those critical areas mentioned above. Cation scans or penetration tests should be executed during system or user acceptance testing.