This is an important phase in secure software development. The goal of the testing stage is to make sure that the system is really as secure as required.
The system can be secured by its architecture, and of course we follow secure coding practices, but we still have to verify that what we ended up with is really secure.
There are two types of security-related testing that must be performed to ensure the system is secure.
- Penetration Testing
- Load Testing
Penetration testing is a special type of testing that simulates an attack on the system. Its purpose is to find weaknesses in the system that allow attackers to gain unauthorized access to it.
With this unauthorized access, the attacker can do whatever he wants, including reading data and damaging it.
Penetration testing protects against:
- Data Leak
- Data Loss
- Data Inconsistency
- Disruption of Service
There are two types of Penetration Testing.
- Black Box
- White Box
Black Box Testing
In this case the attacker (tester) has no prior knowledge of the system. He is handed only the URL of the system or an endpoint, and then needs to find out how he can crack (or hack) into it. Naturally, the first thing he needs to do is gather as much information as possible about the system using sniffing tools, search engines, social media or anything else that might provide important intel about the system.
One of the main drawbacks of this approach is that the attacker or tester might miss some important vulnerabilities, as he does not have all the information about the system.
This approach can also take longer, as the attacker needs to gather information first, then learn about the system, and then try again and again until he or she succeeds.
However, it simulates real-world attacks.
White Box Testing
This is quite the opposite of black box testing. In this case the attacker is given full details and access, such as the source code, network, database etc.
The expectation is that the attacker will scan all of the system's resources in search of vulnerabilities. He will not just hack the system, but actively look into the code, the DB, the authorization system etc.
As you can see, this is much more comprehensive than black box testing and takes less time. However, it does not simulate real-world attacks.
Grey Box Testing?
In this case the attacker or tester has some knowledge of the system, such as the network and credentials, but no direct access to the database etc.
This kind of testing is used to simulate an attack where the hacker has already penetrated the network perimeter and now tries to hack into the system itself.
This focus saves time and brings us more relevant results. Grey box testing is especially useful if we do not yet know the final network structure or the final hosting platform of our system.
What approach should we use?
What is the best time to conduct these tests?
The best time to conduct penetration testing is towards the end of the testing phase, although this depends on the project, its life cycle and the model we follow. At that stage most of the functionality testing is done and we have a mostly working system.
Another milestone at which penetration testing might be a good idea is when we roll out a major change.
Who should conduct them?
White Hat Hackers - These are ethical hackers, that is, hackers who are paid to hack the system. They are a special type of tester with unique cyber expertise.
It's a good idea to hand this over to an outside contractor. The company's employees have prior knowledge of the system, so they cannot really be unbiased about the tests.
How to conduct penetration testing?
There are basically 4 steps.
- Information Gathering - The attacker tries to learn as much as possible about the system and its implementation.
- Vulnerability Assessment - With all the information gathered, the attacker assesses the system and tries to locate potential vulnerabilities.
- Penetration Testing - In this stage the attacker actually tests the system using the information gathered and the vulnerabilities assessed.
- Report Results - The attacker summarizes the findings in a well-structured report with recommendations for fixing the vulnerabilities.
Most penetration testing is done manually, but there are tools we can use to conduct it. Tool-based testing is much faster than a manual pen test; however, the tools are less flexible and less comprehensive.
Load testing is a test that simulates heavy load on the system and makes sure it still functions properly. This might sound like it is outside the context of security, and yes, it is. However, it is one of the most effective ways of ensuring the system is protected against disruption. A load test can be quite close to a DDoS attack.
How do we conduct a load testing?
We can prepare a few computers to bombard the system with requests. We might also want to simulate load from around the world, especially if the system will be used by users around the world.
We can continuously monitor the system and its resource usage (CPU, disk I/O, network activity etc.) during the load test.
As with penetration testing, we can conduct the load test during the last phase of the testing stage. We can also run it when there is a major change or upgrade.
Who can conduct load testing?
Regular QA testers are usually not good at this. It requires special skills and knowledge to configure the testing environment and its tools.
In addition, developers must be involved in load testing, as they need to monitor server resources and perhaps restart the system in case it crashes.
The developers can then find out the reasons for the crash and further optimize the implementation.
What are the steps?
First we need to prepare the scenarios. The tester works with developers and users to find out what the typical use cases are, as the test needs to simulate real-world use.
Then the testers need to build the identified scenarios in the load test tools. After that they need to configure the machines to run the scenarios that were built (e.g. scripts, commands etc.).
Lastly, we trigger the test itself using the configured machines and tools. Then we need to prepare a comprehensive report using the statistics from the tools and the server-side resource utilization metrics.
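The three steps above in one script, as an added example that is not from the original article: a weighted scenario mix, concurrent workers that run it, and a report of per-scenario latency, errors, throughput and CPU time. The scenario names, paths and weights are constructed, and the system under test is a stub HTTP server started on the loopback interface so the script runs offline.

```python
import http.server, random, statistics, threading, time, urllib.request
from concurrent.futures import ThreadPoolExecutor

# Constructed scenario mix (name, path, weight) standing in for the typical use cases.
SCENARIOS = [("browse", "/catalog", 6), ("search", "/search?q=shoes", 3), ("checkout", "/checkout", 1)]
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

class StubApp(http.server.BaseHTTPRequestHandler):  # stand-in for the system under test
    def do_GET(self):
        time.sleep(0.02 if self.path.startswith("/checkout") else 0.002)  # checkout is slower
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, *args): pass  # keep the run quiet

class Server(http.server.ThreadingHTTPServer):
    request_queue_size = 64  # accept backlog large enough for the worker burst

def one_request(base, name, path):
    start = time.perf_counter()
    try:
        with OPENER.open(base + path, timeout=5) as resp:
            ok = resp.status == 200
    except Exception:  # refused, reset, timeout, HTTP error: all count as failures
        ok = False
    return name, ok, time.perf_counter() - start

def run_load_test(total=200, workers=20, seed=1):
    server = Server(("127.0.0.1", 0), StubApp)  # loopback only, ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    picks = random.Random(seed).choices(SCENARIOS, weights=[s[2] for s in SCENARIOS], k=total)
    cpu0, wall0 = time.process_time(), time.perf_counter()
    with ThreadPoolExecutor(workers) as pool:
        results = list(pool.map(lambda s: one_request(base, s[0], s[1]), picks))
    wall, cpu = time.perf_counter() - wall0, time.process_time() - cpu0
    server.shutdown()
    server.server_close()
    report = {"requests": total, "errors": sum(not ok for _, ok, _ in results),
              "throughput_rps": round(total / wall, 1), "cpu_seconds": round(cpu, 3), "scenarios": {}}
    for name, _, _ in SCENARIOS:
        lat = sorted(t for n, ok, t in results if n == name and ok)
        if lat:
            report["scenarios"][name] = {"count": len(lat), "median_ms": round(statistics.median(lat) * 1000, 1),
                                         "p95_ms": round(lat[min(len(lat) - 1, int(0.95 * len(lat)))] * 1000, 1)}
    return report

if __name__ == "__main__":
    print(run_load_test())
```

Here `cpu_seconds` covers the whole process (load generator and stub together); against a real deployment, the CPU, disk I/O and network figures in the report would come from monitoring on the servers themselves.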