
Defining a Security Test Strategy


Software Security Engineering Blog 4

Written by Maheshwar Kanitkar and Hemant Belorkar


Factors that define a security test strategy:

  • Scope of security testing.
  • Identification of risks.
  • Prioritization of risks.
  • Regulatory compliance.
  • The threat model to be used (it can be based on an operating-system-specific security threat model, OSSTMM).
  • Training requirements.
  • Testing during sustenance (the maintenance phase).
  • Available tools, solutions, cost and time.

Security Testing Strategy Guidelines


The wide spectrum of applications, each following broad functional patterns, poses many challenges for functional security testing. Largely because of a lack of time, inadequate reporting and/or coordination deficiencies, testers find it difficult to complete their tasks. Integrating functional security testing into the testing phase of the SDLC is an important part of the solution. Additionally, focusing on the following can ease the process for testers:

  • Functional pattern identification: Sometimes tedious, pattern identification is a one-time process of establishing how the application behaves for a given input in each functional area. These patterns may be consistent across the functional areas of the application, but testers should not proceed on that assumption.
  • Test case definition: The role matrix, the data flows and the technologies used in each functional area help define the test cases. A good approach is to prioritize the test cases by impact, running them past the functional analysts and architects. Mapping the impact analysis onto the prioritization of security facets helps greatly.
  • Parameter definition: Various toolkits are available that point out the parameters and their variations for each test case. Testing and analysing the output behaviour leads to additional test cases and to cross-functional test cases.
  • Reporting results: Simplified testing, automation where possible in reproducing the security flaws, and impact-analysis reporting empower management to review and prioritize remediation strategies.

Application security has been an uphill battle at many organizations, but this year's report on internal threats is a wake-up call that cannot be ignored. With a considerable number of internal threats originating from applications, functional security testing is one of the most reliable ways to identify internal security vulnerabilities. Vulnerability assessments (VA) and penetration testing (PT) should be performed to determine the risk and attest to the strength of the software after it has been deployed. Although the terms vulnerability assessment and penetration testing are used synonymously by many, they are not the same. A vulnerability assessment is a process of identifying known weaknesses in software. Penetration testing, on the other hand, tests the security of the software by simulating a malicious attacker. Penetration testing can form part of a vulnerability assessment.


Identification & Prioritization of Risks

  • Assign severity levels for Availability, Integrity and Confidentiality to the information assets managed by the applications.
  • Account for all the data, technologies (including any third-party toolkits/APIs) and user types defined in the application.
  • Define a role matrix for data access if one has not already been developed.
  • Identify the right information and technology owners.
  • Provide a comfortable platform on which the information owners can qualitatively or quantitatively define and assign priorities to the identified information and technologies.
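The following is an added, runnable sketch (not code from the original post or from NTT DATA) of how the risk-identification steps above and the role-matrix-driven test case definition from the guidelines section fit together. The assets, owners, CIA severity ratings and role matrix are constructed sample data; the scoring rule (sum of the three severity levels) and the assumption that any action not explicitly granted in the role matrix must be denied are choices made for this example, not something the post prescribes.

```python
"""Prioritize information assets by CIA severity, flag gaps in ownership and
role-matrix coverage, and derive prioritized access-control test cases.
Added example; all data below is constructed for illustration."""

from dataclasses import dataclass
from itertools import product

# Qualitative severity levels mapped to numbers so owners' ratings can be
# combined quantitatively (assumed scale: 1 = low, 3 = high).
SEVERITY = {"low": 1, "medium": 2, "high": 3}
ACTIONS = ("read", "write", "delete")


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                 # information owner accountable for the asset
    confidentiality: str
    integrity: str
    availability: str
    technologies: tuple = ()   # includes third-party toolkits/APIs in use

    def score(self) -> int:
        """Priority score: sum of the C, I and A severities (range 3..9)."""
        return sum(SEVERITY[x] for x in
                   (self.confidentiality, self.integrity, self.availability))


# Constructed role matrix: role -> asset -> permitted actions.
ROLE_MATRIX = {
    "customer": {"customer_pii": {"read"}, "orders": {"read", "write"}},
    "support":  {"customer_pii": {"read"}, "orders": {"read", "write"}},
    "admin":    {"customer_pii": {"read", "write", "delete"},
                 "orders": {"read", "write", "delete"},
                 "audit_log": {"read"}},
}

# Constructed asset inventory; two deliberate gaps are included.
ASSETS = [
    Asset("customer_pii", "privacy_officer", "high", "high", "medium",
          ("postgres", "vendor-kyc-api")),
    Asset("orders", "head_of_sales", "medium", "high", "medium", ("postgres",)),
    Asset("audit_log", "", "low", "high", "medium", ("s3",)),           # no owner
    Asset("marketing_copy", "marketing_lead", "low", "low", "low", ("cms",)),  # not in matrix
]


def prioritize(assets):
    """Highest CIA score first; ties broken by name for a stable order."""
    return sorted(assets, key=lambda a: (-a.score(), a.name))


def coverage_gaps(assets, role_matrix):
    """Assets with no information owner, or that no role in the matrix covers."""
    covered = {name for perms in role_matrix.values() for name in perms}
    gaps = []
    for a in assets:
        if not a.owner:
            gaps.append((a.name, "no information owner assigned"))
        if a.name not in covered:
            gaps.append((a.name, "not present in role matrix"))
    return gaps


def access_test_cases(assets, role_matrix):
    """One test case per role x asset x action. Expected outcome comes from
    the role matrix; anything not explicitly granted is expected to be denied
    (assumed default-deny). Ordered by asset severity, deny cases first."""
    by_name = {a.name: a for a in assets}
    cases = []
    for role, asset_name, action in product(role_matrix, by_name, ACTIONS):
        granted = role_matrix[role].get(asset_name, set())
        cases.append({
            "role": role, "asset": asset_name, "action": action,
            "expected": "allow" if action in granted else "deny",
            "priority": by_name[asset_name].score(),
        })
    cases.sort(key=lambda c: (-c["priority"], c["asset"],
                              c["expected"] != "deny", c["role"], c["action"]))
    return cases


if __name__ == "__main__":
    for a in prioritize(ASSETS):
        print(f"{a.score()}  {a.name:15} owner={a.owner or '<none>'}  tech={a.technologies}")
    for name, problem in coverage_gaps(ASSETS, ROLE_MATRIX):
        print(f"GAP: {name}: {problem}")
    for c in access_test_cases(ASSETS, ROLE_MATRIX)[:6]:
        print(f"[p{c['priority']}] {c['role']:8} {c['action']:6} {c['asset']:14} -> {c['expected']}")
```

The gap report is the part worth running before any test case is written: an asset with no owner has nobody to rate its severity, and an asset missing from the role matrix has no expected outcome to test against, so both block the prioritization step rather than just lowering a score.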


Regulatory compliance

With growing regulatory pressure and very high penalties for non-compliance, enterprises find it difficult to adopt the latest technologies, which can pose a challenge for enterprise security and compliance. Most enterprises do not fully understand all the regulations, and worse is their perception that all the required controls are already in place. Ensuring compliance within an enterprise requires experienced professionals who thoroughly understand the regulations and the risks involved. Quality assurance and testing from independent testing vendors help organizations address general as well as vertical-specific regulatory requirements. Apart from specialized testing services, compliance testing by independent testing specialists verifies whether a system meets the applicable regulatory requirements and ensures that all applications built around compliance do what they are supposed to do. On the whole, specialized testing experts with thorough industry knowledge can help enterprises address both country-specific and country-neutral compliance and regulatory requirements.


The opinions expressed on this discussion room are writer's and don't necessarily represent NTT DATA Canada's positions, strategies or opinions.
