Security Testing Practices

What is Security Testing?

Security testing is a type of software testing used to identify threats, risks and vulnerabilities in a software application or IT environment. Its purpose is to reduce uncertainty about whether an organisation can detect, prevent or mitigate malicious cyber-attacks, attacks which may otherwise result in the loss of data, reputation and revenue.

Manual Testing vs Automated Checking

The biggest difference between manual and automated approaches is who executes the testing. Manual testing is done by a human tester; with automated checking, a tool runs the checks unsupervised. Both have their strengths and weaknesses. Manual testing is labour-intensive and can be inconsistent, but it handles complex, context-dependent scenarios better; automated checking requires coding and ongoing test maintenance, but it is much faster and more repeatable. All forms of testing and checking still need a human to analyse the results and to make recommendations for remediation, but automated checking provides rapid feedback and covers basic, predictable and highly repetitive tasks far more effectively than a person can.

Types of Security Testing

There are multiple types of software security testing:

  • Vulnerability Scanning – An automated scan to identify known/published security flaws and vulnerabilities in software and deployed environments.
  • Static Analysis – Assessment of source code, without executing it, for common vulnerabilities and coding errors that may introduce attack vectors once the code is compiled and deployed.
  • Security Scanning – Testing the effect of malicious or malformed inputs on a running system to provide evidence that it behaves safely and reliably.
  • Penetration Testing (Pen-testing) – A simulated real-world cyber-attack against software, carried out manually by a trusted, certified security expert, to measure how well its security holds up against attack.
  • Security Audit/Review – A structured process to review or audit a system against defined standards.
  • Ethical Hacking – Broader than pen-testing; applies a wide range of hacking methodologies to the software and its environment.
  • Risk Assessment – Identifying, analysing and classifying (critical, high, medium, low) the security risks of software.
  • Posture Assessment – Assessing the overall security posture of the organisation, using a combination of security scanning, ethical hacking and risk assessment.
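As an added illustration of the static analysis and automated checking items above (this is example code written for this page, not a tool from Nine23, Fortinet or the NCSC), the script below walks the abstract syntax tree of a Python module and flags two well-known risky patterns: calls to eval()/exec(), and subprocess calls made with shell=True. The rule set, the Finding type and the sample module are assumptions chosen for the illustration. Note what the tool does and does not do: it reports a rule name and a line number, and a human still has to decide whether each finding is reachable from untrusted input.

```python
"""Minimal AST-based static analysis check (illustrative example, not a production scanner)."""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str     # hypothetical rule identifier
    line: int     # line in the scanned source
    detail: str   # short human-readable note for triage


# Hypothetical rule set for the illustration: calls that execute arbitrary code.
DANGEROUS_CALLS = {"eval", "exec"}


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the called function, e.g. 'subprocess.run' or 'eval'."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _has_shell_true(node: ast.Call) -> bool:
    """True when the call passes the literal keyword argument shell=True."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def scan_source(source: str) -> list[Finding]:
    """Parse the module and return findings sorted by line number.

    Static analysis never runs the code, so it cannot tell whether the flagged
    argument is actually attacker-controlled; that judgement is left to the reviewer.
    """
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            findings.append(Finding("dangerous-call", node.lineno, f"{name}() executes its argument as code"))
        if name.startswith("subprocess.") and _has_shell_true(node):
            findings.append(Finding("shell-true", node.lineno, f"{name}(shell=True) invokes a shell on the command string"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module for the demonstration (not real project code).
SAMPLE = '''
import subprocess

def run(cmd):
    return subprocess.run(cmd, shell=True)      # flagged: shell-true (line 5)

def calc(expr):
    return eval(expr)                            # flagged: dangerous-call (line 8)

def safe(args):
    return subprocess.run(["ls", *args])         # not flagged: no shell involved
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Running the block prints the two findings on lines 5 and 8 and stays silent on line 11. Extending the rule set is cheap; deciding whether a finding matters is not, which is why the page stresses that automated checking speeds up the repetitive work but does not remove the need for human analysis.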

The most common security testing method is penetration testing (pen testing). It is a core tool for analysing the security of IT systems, but it’s not a magic bullet.

The pros and cons of penetration testing

Nine23 partner Fortinet shares the following pros and cons of penetration testing:

Pros

  • Finds Holes in Upstream Security Assurance Practices
  • Locates Both Known and Unknown Software Flaws
  • Can Attack Any System

Cons

  • Labour-intensive and Costly
  • Produces a list of Bugs and Flaws that must subsequently be fixed and re-tested

The current guidance – NCSC

According to the NCSC, testing during software development is well recognised as good practice. “It helps you gain confidence that the code you are developing is functioning as intended.” Finding and correcting issues early in the lifecycle of a service is far more cost-effective, and produces a more secure result, than attempting to address them later. This is one of the key components of a “shift left” approach to security.

The NCSC recommends that HMG organisations use testers and companies which are part of the CHECK scheme. Non-governmental organisations should use teams qualified under one of these certification schemes: CREST, the Tiger Scheme or the Cyber Scheme.

Read the 11 Actions listed by the NCSC for useful advice around security testing.
