Tuesday 27 May 2014

Security Testing

Security testing covers the security of the application's data and of its functionality. You should be aware of the following concepts while performing security testing:


1. Confidentiality - The application should only provide data to the party entitled to see it.

     For Example : one customer's transaction data should not be visible to another customer, personal
details of a customer that the administrator does not need for their job should not be visible to the
administrator, and so on.

2. Integrity - The data stored and displayed by the application should be correct, and should change only
as the result of a legitimate operation.

    For Example :
After a withdrawal, the customer's account should be debited by exactly the amount withdrawn, no more and no less.

3. Authentication - It should be possible to attribute every request and every piece of data transmitted in
the application to a verified party, either the application (the bank) or the customer. In other words, the
application should establish who it is dealing with before accepting data, so that no one other than the
customer or the bank is able to create or modify any data.

        For Example : A request to change a customer's registered address should only be accepted from a
customer who has logged in with valid credentials, not from anyone who merely knows the account number.

4. Authorization - The application or a user should only be able to perform the tasks which they are
respectively authorized to perform.

        For Example : A customer should not be able to withdraw more than the balance in their account
without having an overdraft facility, and the application should not be able to levy charges on a customer's
account without prior customer approval.

5. Availability - The data and functionality should be available to the users throughout the stated working
period.

        For Example :
If the bank's operating times are from 8 a.m. to 8 p.m. on all working days, it
should be possible for a customer to access their account and make the necessary transactions at any
time within those hours.

6. Non-repudiation - At a later date, it should not be possible for a party to deny that a particular
transaction or data change took place.

For Example : If a customer withdraws an amount from their account, this should trigger the relevant
actions (posting to their transaction records, debiting their account, sending them a notification etc.),
and those records should be retained as evidence that the withdrawal took place, so that neither the
customer nor the bank can later deny it.
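To make these properties testable rather than abstract, here is an added example (not code from the original post): a hypothetical in-memory bank service in Python with security tests that exercise five of them. BankService, its method names, the customers alice and bob, the account ACC-1 and the balances are all constructed for this illustration. Availability is left out because it is an operational property that a unit test cannot establish. The audit trail is hash-chained so that a record cannot be altered later without detection, which is what makes the non-repudiation check more than a log lookup; that design is an assumption of this example, not something the post specifies.

```python
import hashlib
import hmac
import json
import secrets

class AccessDenied(Exception): "Not authenticated, or not authorised for this account."
class InsufficientFunds(Exception): "Withdrawal would exceed balance plus overdraft facility."

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def _digest(entry):  # hash of an audit entry, excluding its own "hash" field
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class BankService:  # hypothetical service, constructed for this example
    def __init__(self):
        self._users = {}     # customer -> (salt, password hash)
        self._sessions = {}  # session token -> customer
        self._accounts = {}  # account id -> {"owner", "balance", "overdraft"}
        self._audit = []     # hash-chained, append-only record of every change

    # Authentication: every request must carry a token issued at login.
    def register(self, customer, password):
        salt = secrets.token_bytes(16)
        self._users[customer] = (salt, _hash(password, salt))

    def login(self, customer, password):
        salt, expected = self._users.get(customer, (b"-" * 16, b""))
        if not hmac.compare_digest(expected, _hash(password, salt)):
            raise AccessDenied("bad credentials")  # same message for an unknown customer
        token = secrets.token_hex(16)
        self._sessions[token] = customer
        return token

    def open_account(self, owner, account_id, balance=0, overdraft=0):
        self._accounts[account_id] = {"owner": owner, "balance": balance, "overdraft": overdraft}
        self._record("bank", "open", account_id, balance)

    # Confidentiality and authorisation: an account is only ever returned to its
    # owner, and a missing account gives the same error as someone else's.
    def _own_account(self, token, account_id):
        customer = self._sessions.get(token)
        acct = self._accounts.get(account_id)
        if customer is None or acct is None or acct["owner"] != customer:
            raise AccessDenied("not authenticated, or no such account for this customer")
        return customer, acct

    def statement(self, token, account_id):
        return self._own_account(token, account_id)[1]["balance"]

    def withdraw(self, token, account_id, amount):
        customer, acct = self._own_account(token, account_id)
        if not isinstance(amount, int) or amount <= 0:
            raise ValueError("amount must be a positive integer in minor units")
        if acct["balance"] - amount < -acct["overdraft"]:
            raise InsufficientFunds("exceeds balance plus overdraft facility")
        acct["balance"] -= amount                                # integrity: exact debit
        self._record(customer, "withdraw", account_id, amount)  # non-repudiation
        return acct["balance"]

    # Non-repudiation: each entry commits to the previous one, so a record cannot
    # be altered or dropped afterwards without breaking the chain.
    def _record(self, actor, op, account_id, amount):
        prev = self._audit[-1]["hash"] if self._audit else "0" * 64
        entry = {"actor": actor, "op": op, "account": account_id, "amount": amount, "prev": prev}
        entry["hash"] = _digest(entry)
        self._audit.append(entry)

    def audit_ok(self):
        prev = "0" * 64
        for entry in self._audit:
            if entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def raises(exc, fn, *args):  # True if fn(*args) raises exc; a missing control returns normally
    try:
        fn(*args)
        return False
    except exc:
        return True

def run_security_tests():
    # Availability is an operational property and is not covered by these checks.
    svc = BankService()
    svc.register("alice", "correct horse")
    svc.register("bob", "battery staple")
    alice, bob = svc.login("alice", "correct horse"), svc.login("bob", "battery staple")
    svc.open_account("alice", "ACC-1", balance=10_000)
    results = {
        "authentication": raises(AccessDenied, svc.statement, "forged-token", "ACC-1"),
        "confidentiality": raises(AccessDenied, svc.statement, bob, "ACC-1"),
        "integrity": svc.withdraw(alice, "ACC-1", 2_500) == 7_500,
        "authorization": raises(InsufficientFunds, svc.withdraw, alice, "ACC-1", 7_501),
    }
    results["non_repudiation"] = svc.audit_ok() and svc._audit[-1]["amount"] == 2_500
    svc._audit[-1]["amount"] = 1  # someone edits the record after the fact
    results["tamper_detected"] = not svc.audit_ok()
    return results
```

Each entry of the returned dictionary is True only when the corresponding control held; a test that returns False points at the property whose control is missing or broken. Note that `_own_account` deliberately reports a missing account and another customer's account with the same error, so that a tester (or an attacker) cannot enumerate valid account ids from the error text.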

Hackers are the obvious threat, but you should understand that they are not the only people from
whom the application functionality and data need to be protected. There are other people that you need
to consider as well:


1. Disgruntled customers
2. Unhappy or malicious employees of the bank
3. Unprofessional service providers, e.g. an unprofessional hosting company that may have access to the
     application and the data
4. Unprofessional auditors


Further, since financial data is so important, banking applications in certain countries have to be
compliant with the relevant financial standards. Research the relevant standards that your application
needs to follow.

Creating a secure application involves a lot of work in designing a secure application and designing a
secure data store. Even after deployment, the application should be closely monitored to ensure that the
data is being accessed only by authorized people. If any security breach is reported, it should be analyzed
carefully and the loopholes plugged.

Now, let us discuss the actual security testing. You should design security tests based on at least the
following:

1. Stated security requirements
2. Security-related standards that the application should follow
3. Common vulnerabilities found in web applications (assuming that it is a web application)
4. Different browser versions on different operating systems (here you should note that implementing
security only on the client-side does not suffice: a crafted request can bypass anything the browser
enforces, so every check must also be enforced on the server)
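As an added example (not code from the original post) of a test for one of the common web vulnerabilities in point 3, and of why the client-side-only controls mentioned in point 4 are not enough: a browser form may only let the user pick an account number from a list, but a crafted request can send any string. The SQLite schema, the sample rows, the two handler functions and the injection payload below are constructed for this illustration; the test checks whether a crafted account value makes the lookup return rows belonging to another customer.

```python
import sqlite3

# What a crafted request can carry even when the form only accepts digits (constructed payload).
INJECTION_PAYLOAD = "' OR '1'='1"

def make_db():
    """Constructed sample data: two customers, two accounts, three transactions."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE txns (customer TEXT, account TEXT, amount INTEGER)")
    con.executemany("INSERT INTO txns VALUES (?, ?, ?)", [
        ("alice", "ACC-1", 10_000),
        ("alice", "ACC-1", -2_500),
        ("bob", "ACC-2", 500),
    ])
    return con

def transactions_vulnerable(con, customer, account):
    # String formatting: the account value becomes part of the SQL text, so the
    # payload turns the WHERE clause into "... AND account = '' OR '1'='1'".
    sql = (f"SELECT customer, account, amount FROM txns "
           f"WHERE customer = '{customer}' AND account = '{account}'")
    return con.execute(sql).fetchall()

def transactions_fixed(con, customer, account):
    # Parameterised query: the value is bound as data and cannot change the query structure.
    sql = "SELECT customer, account, amount FROM txns WHERE customer = ? AND account = ?"
    return con.execute(sql, (customer, account)).fetchall()

def leaks_other_customers(handler, customer):
    """Security test: does a crafted account value return rows owned by someone else?"""
    rows = handler(make_db(), customer, INJECTION_PAYLOAD)
    return any(row[0] != customer for row in rows)

def normal_lookup_agrees():
    """Both handlers behave identically on well-formed input, which is why a
    purely functional test would never notice the difference."""
    con = make_db()
    return (sorted(transactions_vulnerable(con, "alice", "ACC-1"))
            == sorted(transactions_fixed(con, "alice", "ACC-1")))
```

`leaks_other_customers(transactions_vulnerable, "alice")` returns True, since the injected clause makes the query match every row including bob's, while the same call against `transactions_fixed` returns False. `normal_lookup_agrees()` returns True, which is the point: the vulnerable handler passes every functional test, and only a test built around a known attack pattern, or a scanner that sends such payloads, exposes it.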

In your initial tests, you may want to use automated testing tools, e.g. web vulnerability scanners,
password crackers, web proxy tools etc. Based on what you learn from them, you may want to execute the
more complex security tests by hand. Keep yourself updated about the latest attacks and test them on
your application before every release.
