Any piece of software's development begins with its architecture, so a risk assessment should take place on the architecture to make sure security is included from the very beginning. Here are three types of assessment that enforce early security involvement:
- Threat modeling identifies a system’s major software components, threats, security controls, assets, and trust boundaries. Together these describe the attack surface. Analysts identify where:
- Design violates security design patterns
- System omits security controls
- Security controls suffer from misconfiguration, weakness, or misuse
- Architecture risk analysis (ARA) conducts a thorough review of the software design using the following types of analysis:
- Attack resistance analysis
- Underlying framework analysis
- Ambiguity analysis
Architecture risk analysis also often includes verification of architecture flaws through source code analysis or penetration testing.
- A security architecture survey (SAS) evaluates an application’s design and deployment to determine whether it conforms to industry best practices. The results of a SAS are often used for compliance purposes or to drive additional security activities. The goal of the survey is to identify common architecture and design flaws.
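An added example, not code from the original article: a small script that applies the threat-modeling checks listed above to a constructed model of components, trust zones, data flows and controls. The zone ordering, the required controls per boundary crossing and the TLS versions treated as weak are assumptions for the illustration.

```python
from dataclasses import dataclass

# Assumed trust zones, least to most trusted; a flow should not skip a zone.
ZONE_RANK = {"internet": 0, "dmz": 1, "internal": 2}
REQUIRED_ON_BOUNDARY = ("tls", "authn")  # assumed minimum controls per crossing
WEAK_TLS = {"1.0", "1.1"}                # assumed obsolete protocol versions

@dataclass(frozen=True)
class Component:
    name: str
    zone: str

@dataclass
class Flow:
    src: Component
    dst: Component
    asset: str
    controls: dict  # control name -> setting, e.g. {"tls": "1.2", "authn": "oidc"}

def analyze(flows):
    """Return one finding string per issue, in flow order."""
    findings = []
    for f in flows:
        if f.src.zone == f.dst.zone:
            continue  # same trust zone: not part of the attack surface
        where = f"{f.src.name}->{f.dst.name} ({f.asset})"
        # Design-pattern violation: traffic that jumps over an intermediate zone.
        if abs(ZONE_RANK[f.dst.zone] - ZONE_RANK[f.src.zone]) > 1:
            findings.append(f"{where}: skips a trust zone")
        # Omitted controls on a boundary crossing.
        for ctrl in REQUIRED_ON_BOUNDARY:
            if ctrl not in f.controls:
                findings.append(f"{where}: missing {ctrl}")
        # Misconfigured control: TLS is present but an obsolete version.
        if f.controls.get("tls") in WEAK_TLS:
            findings.append(f"{where}: weak TLS {f.controls['tls']}")
    return findings

def sample_model():
    """Constructed model: a web tier in the DMZ fronting an internal database."""
    browser = Component("browser", "internet")
    partner = Component("partner", "internet")
    web = Component("web", "dmz")
    db = Component("db", "internal")
    return [
        Flow(browser, web, "session", {"tls": "1.2", "authn": "oidc"}),  # clean
        Flow(web, db, "pii", {"authn": "password"}),                     # missing tls
        Flow(partner, db, "pii", {"tls": "1.0", "authn": "apikey"}),     # skips dmz, weak tls
    ]
```

Running `analyze(sample_model())` yields three findings, one per omitted, misconfigured or pattern-violating crossing, which is the list an analyst would take into the architecture risk analysis.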
Once the architecture is laid out, developers and engineers can benefit from a developer-friendly static analysis tool that integrates easily into the SDLC and lets developers deliver better software, faster. This is also referred to as static application security testing (SAST); it provides remediation advice earlier in the life cycle, helping resolve vulnerabilities before they become costly, time-consuming mistakes.
Written code can also be scanned with static analysis tools to add depth to the secure code review process, finding and eliminating common and critical software security vulnerabilities within the source code.
Application security testing
When an application is ready for quality assurance testing, it's also ready for security testing. Dynamic application security testing (DAST) is a type of software testing that uses automated tools to identify common vulnerabilities within running web applications or web services, without the need for source code. This solution is ideal for internally-facing, low-risk applications that need to comply with regulatory security assessments. It can also be used for externally-facing applications; however, DAST alone will not be sufficient there.
Based on the type of application, organizations can also choose from the following manual penetration testing options. Each includes client-side and server-side testing capabilities. These assessments can be white box (accompanied by source code), black box (testing without access to source code), or gray box (with some information, such as configuration files, but without complete access to source code). Additionally, the duration and depth of analysis can be coordinated on a case-by-case basis.
- Web application security penetration test. Applications written in any of the popular languages and frameworks are tested for possible injection points and common vulnerabilities.
- While the OWASP Top 10 has many merits, a better practice is to test against the most common vulnerabilities within your own firm.
- Mobile application penetration test. This includes the testing of applications written for the most popular mobile operating systems such as iOS, Android, Windows, and BlackBerry.
- Thick-client (desktop) application penetration test. Testing of applications written for desktop use.
Infrastructure security testing
The infrastructure is often considered one of the most important aspects of maintaining software security. An unpatched piece of software risks exploitation, and leaking sensitive information can, as you probably well know, cause great monetary loss to a firm. Infrastructure testing assists the organization in ensuring that the network is equipped to withstand such issues, through the following approaches:
- Network security penetration testing employs automated scanning and a manual testing checklist including test cases for encrypted transport protocols, SSL certificate scoping issues, use of administrative services, etc. Additionally, manual checks are conducted for issues that automated testing does not normally find, for example vulnerabilities related to complex routing paths, access control configurations, business logic, and any functionality that is available through the exposed network services.
- Wireless penetration testing. This engagement is carried out on the client side, with the assessor having access to the wireless network, and covers configurations, wireless encryption standards, authentication, etc.
- Secure build and configuration review. This review ensures that the hosts have been properly hardened and patched. Permissions policies, password policies, and security settings are also tested. This can be included as part of a network or wireless security test.
- Red teaming. A combination of network, physical and social engineering techniques. It is used to assess an organization's security without the client's staff being made aware of it. It also allows an organization to analyze its employees' security awareness and its own readiness against a real-world breach attempt.
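An added example of the secure build and configuration review described above, not code from the original article: it parses a constructed sshd_config and reports every deviation from a small hardening baseline. The baseline values are assumptions chosen for the illustration; the one real detail the parser relies on is that sshd uses the first occurrence of a keyword and ignores later duplicates.

```python
import re

# Assumed hardening baseline for this illustration (not the article's):
# keyword -> (check on the configured value, human-readable expectation).
BASELINE = {
    "permitrootlogin": (lambda v: v.lower() == "no", "no"),
    "passwordauthentication": (lambda v: v.lower() == "no", "no"),
    "x11forwarding": (lambda v: v.lower() == "no", "no"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4, "4 or fewer"),
    "loglevel": (lambda v: v.upper() == "VERBOSE", "VERBOSE"),
}

def parse_sshd_config(text):
    """Map lower-cased keywords to values. sshd honours the first occurrence
    of a keyword, so a later duplicate must not overwrite the first one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # 'Key value' or 'Key=value'
        settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings

def review(text):
    """Return one finding per baseline deviation; an empty list means compliant."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (ok, expected) in BASELINE.items():
        if key not in settings:
            findings.append(f"{key}: not set, daemon default applies; expected {expected}")
        elif not ok(settings[key]):
            findings.append(f"{key}: set to '{settings[key]}', expected {expected}")
    return findings

# Constructed sample sshd_config for the review.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
# the next line is ignored by sshd because the first occurrence wins
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 10
"""
```

`review(SAMPLE_CONFIG)` returns four findings (root login, password authentication, MaxAuthTries and the unset LogLevel); the duplicate PermitRootLogin line does not mask the weak first value.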