When it comes to security testing, I have seen many testers attempt to perform security tests like SQL Injection, Cross-Site Scripting, File Upload Vulnerabilities, or other advanced security tests. The reality is that most software testers do not have the experience or skills to perform these types of security testing. This includes me.
Testers can enter some simple SQL into a text field, like “1=1” or “drop table” (plus a few other characters, but WordPress won’t let me save this post if I add the valid SQL injection string here, so you will need to do your own research), but the reality is that these are the most basic form of SQL injection. No business application would be implemented using SQL queries in the backend where these types of injection would cause issues. Correct application design and adherence to industry standards should take care of this anyway.
There are some skilled people out there who can test security, but most testers cannot. However, there are some types of tests that can be performed by testers that assist with securing an application. Let’s look at some of these.
Input Validation Testing
Testers can perform input validation tests to ensure that the application properly handles various types of input. This includes entering special characters used in SQL into text fields to see whether the application processes these inputs correctly. Testers should ensure that input fields cannot accept more characters than can be saved into the corresponding database column, and that disallowed characters are rejected, both on the client side (if applicable) and on the server side. These types of tests should be done whether or not a tester is testing security.
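As an added example (not code from the original post), here is what the server side of such a check can look like in Python: each field is validated against an assumed column length and, for the username, an allow-list of characters, and the insert uses a parameterised query so that SQL characters typed into a field are stored as plain text rather than executed. The column limits and the `users` table are constructed for the example.

```python
import re
import sqlite3

# Constructed schema: the maximum length of each database column (assumed values).
COLUMN_LIMITS = {"username": 32, "city": 64}
# Allow-list for usernames: letters, digits, underscore, dot and hyphen only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate_field(name, value):
    """Server-side validation. Returns None when the value is acceptable,
    otherwise a short error string describing which rule was violated."""
    if not isinstance(value, str):
        return f"{name}: must be text"
    limit = COLUMN_LIMITS[name]
    if len(value) > limit:
        return f"{name}: exceeds the {limit}-character column limit"
    if name == "username" and not USERNAME_RE.match(value):
        return f"{name}: contains characters outside the allow-list"
    return None


def setup_db():
    """In-memory SQLite table standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, city TEXT)")
    return conn


def save_user(conn, username, city):
    """Validate both fields, then insert with a parameterised query.
    Returns None on success or the first validation error."""
    for name, value in (("username", username), ("city", city)):
        err = validate_field(name, value)
        if err:
            return err
    # The driver passes the values as data, so characters such as quotes,
    # "1=1" or "drop table" in `city` are stored literally, never executed.
    conn.execute("INSERT INTO users (username, city) VALUES (?, ?)", (username, city))
    conn.commit()
    return None


def stored_cities(conn):
    """Return the city values actually saved, in insertion order."""
    return [row[0] for row in conn.execute("SELECT city FROM users ORDER BY rowid")]
```

A tester's probes map directly onto these functions: an over-long value or a disallowed character is rejected before any query runs, while a free-text field containing SQL characters is saved exactly as typed.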
Error Handling Testing
Testers should ensure that the application does not disclose sensitive information in error messages. They should look for generic error messages that don’t reveal system information or provide hints to potential attackers. It is fine (even beneficial) for stack traces to be displayed in the Dev and Test environments, but it’s a security issue if stack traces are displayed in error messages in a Prod environment. I am guessing there are some exceptions to this, but for the most part, no stack traces in production or in any outside-facing environment (UAT, Prod).
A configuration management (CM) person or group, or the development team, should be able to use configuration files to turn global error handling on or off based on the deployed environment.
Authentication and Authorization Testing
Verify that the authentication process is robust. Testers can check for weak passwords or try basic brute-force techniques. They can test if the application locks out accounts after a certain number of failed attempts. Some of these tests are based on specific requirements of the application.
Additionally, testers can verify that users are only able to access functionalities for which they have permission. Again, this should all be considered standard testing to verify the application is working as it should.
URL Manipulation Testing
By manipulating URL query parameters, testers can check whether the application exposes sensitive information or allows unauthorized access to different parts of the application. If query parameters are used, the tester needs to verify that a user can only access information they have permission for. These are basic tests to ensure requirements are being met and the application is working as it should.
Security Testing
Most testers are not security testers. A few testers might have the skills to perform session management testing, file upload vulnerability testing, SSL/TLS checks, OWASP Top Ten testing, or configuration testing for things like unnecessary services running on a server, open ports, and other misconfigurations that could lead to security vulnerabilities. I have seen management have testers attempt some of these tests just to check a box. It’s not valid security testing unless the testers have the skills to perform the testing.
Conclusion
Have your testers test the application’s functionality and test input validation, error handling, authentication, URL manipulation, and the like. These are tests any tester on the team should be doing already. Most organizations need to bring in an outside consultant to perform the other security tests. Industry-standard design and code implementation should take care of most security flaws.