Quality Assurance and Project Management

Feb 28 2016   10:31AM GMT

Application Security – Three Levels of Security Testing

Jaideep Khanduja

Application security
Security testing

Application security is a major concern, and a weakness in it invites a whole series of risks across multiple channels.

Application security is a major concern that needs to be addressed in a systematic and disciplined manner. There has to be a defined process for it; it can never be done on an ad-hoc basis. With the growing trend towards enterprise mobility and web-based solutions, application security has become a critical matter for product, quality and operations teams alike. A single security weakness can open multiple doors for a chain of further risks, which is why the issue deserves focused attention. The process and procedure may be broadly the same for web and mobile applications, but at the micro level each category needs a number of its own specific checks.


Photo credit: mikecogh via VisualHunt / CC BY-SA

When a leak is found in any application, the first place to question is not production or development but testing. It is the prime responsibility of the quality and testing department to ensure there are no leaks, and if a leak is security-related it can have severe consequences. These days the quality department needs security experts who build specific test cases, test beds, testing environments and use cases so that the testing mechanism is foolproof. There is always a need for this. A popular saying in this regard is that the more postmortems you have to conduct, the weaker your quality shield is. A hole in the bucket found at a later stage multiplies your losses: the later it is identified, the higher the loss.

You must follow these three levels of security testing for apps (white box testing is split into a static and a dynamic part):

  • Pure black box: Here you test the outward, visible behaviour of the app, without knowledge of its internals. You need to test, for instance, each user type: end users, administrators, super users and so on.
  • Grey box: You test inside the app, but not at the code level. You need to test the logic, the logical flow, the business cases and so on.
  • Static white box: Scan the source code, without executing it, to ensure there are no security lapses or weaknesses.
  • Dynamic white box: Exercise the running code by traversing its execution paths. You need to check for I/O errors, memory-related errors, data handling errors, storage-related errors and so on.

It is critical to discover application risks during the incubation and development period. Depending on whether it is a web or a mobile app, you may have to work out the right combination or proportion of the above testing levels to match your requirements.
