Arunkumar Khannur's Software Testing Knowledge Center
  The Challenges of Security Testing
  • Most vulnerabilities are high-priority: A security tester has to deal with an exponentially larger test space than a functional tester. While doing functional testing it is possible to make trade-offs in resources and coverage. As part of the planning phase, the test analyst can narrow the scope of testing by focusing on those parts of the application that are most critical from a business point of view, plus those that are most frequently used. While testing all parts of the application would be ideal, budgetary constraints force trade-offs: the product is released with certain non-critical bugs identified, but not fixed. In security testing, however, testers do not enjoy this luxury. Any trapdoor, however obscure, has the potential for compromising the application. A vulnerability that is present in a rarely used part of the application is just as likely to cause damage as one on the application’s log-in page.
  • Need to test hidden parts of the application: A functional tester is primarily concerned with testing what is exposed by an application’s interface. Additionally, he may have to test the application’s backend interfaces. A performance tester may need to make sure that the system’s backend can stand up to the load levels it is likely to be subjected to in deployment. In all these cases, the test target is defined by the application itself. That is not the case in security testing. The security tester must defend against a variety of unspecified attacks, for example:
    • An SQL injection attack through UI controls (e.g. textboxes, radio-buttons, drop-downs, etc.)
    • A hidden POST parameter
    • A GET parameter
    • A cookie value
  • Need to protect the application from willful damage: In the functional testing phase, testers must consider whether the application under test will continue to function as expected if the user were to perform normal or, at worst, random actions; they are not expected to validate or verify the application’s behavior after a user modifies the value of a cookie. A security tester, on the other hand, must consider all the ways that a user might willfully damage the application under test. Naturally, this results in a manifold increase in the number of areas that need to be considered during security testing.
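The two points above share one underlying idea: a GET parameter, a hidden POST field and a cookie are all just strings that reach the same backend code, so the security test target is every input channel, not only the visible UI. The script below is an added example (not code from the knowledge center) that makes that concrete. It uses an in-memory SQLite table, a constructed stand-in `Request` object holding the three channels, and two lookups: a concatenated query that a functional test would never notice is wrong, and its parameterised replacement. The `audit` function runs every input through both lookups and reports how many rows each returned, so a tester can see that the concatenated query misbehaves identically whether the value arrived via the form, the URL or a cookie.

```python
import sqlite3
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (hypothetical, not a real framework type).
    Every field is under the client's control, including 'hidden' form inputs and cookies."""
    query: dict = field(default_factory=dict)    # GET parameters from the URL
    form: dict = field(default_factory=dict)     # POST body, including hidden inputs
    cookies: dict = field(default_factory=dict)  # Cookie header values


def make_db():
    """Build a small in-memory users table with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    """Parameterised query: the input is bound as data and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def untrusted_inputs(req):
    """Enumerate every channel a value can arrive through. This is the test surface a
    security tester must cover; a functional tester usually sees only the UI controls."""
    for channel, bag in (("GET", req.query), ("POST", req.form), ("COOKIE", req.cookies)):
        for name, value in bag.items():
            yield channel, name, value


def audit(conn, req):
    """Return {channel:name -> (rows from concatenated query, rows from parameterised query)}.
    A mismatch between the two counts means the input changed the meaning of the query."""
    results = {}
    for channel, name, value in untrusted_inputs(req):
        vulnerable = lookup_vulnerable(conn, value)
        hardened = lookup_hardened(conn, value)
        results[f"{channel}:{name}"] = (len(vulnerable), len(hardened))
    return results


if __name__ == "__main__":
    db = make_db()
    # Constructed request: the same tautology string arrives through a hidden POST
    # field and through a cookie, while the visible GET parameter is benign.
    request = Request(
        query={"user": "alice"},
        form={"hidden_ref": "x' OR 'a'='a"},
        cookies={"session_user": "x' OR 'a'='a"},
    )
    for key, (vuln_rows, safe_rows) in audit(db, request).items():
        flag = "MISMATCH" if vuln_rows != safe_rows else "ok"
        print(f"{key:22} concatenated={vuln_rows} parameterised={safe_rows} {flag}")
```

Running it shows the benign GET value returning one row from both lookups, while the hidden POST field and the cookie return every row from the concatenated query and none from the parameterised one. The useful habit for a security test plan is the `untrusted_inputs` enumeration: whatever the application's interface advertises, the checklist of inputs to exercise is the full set of channels the backend actually reads.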
Khannur's Book
Arunkumar Khannur, Software Testing - Techniques and Applications, Published by Pearson Publications, 2011 (ISBN:978-81-317-5836-6; Pages:341 + xxii)