Matthias Zax, Agile engineering coach, organizer of the RBI Test Automation CoP, conference speaker, and author for IT magazines, spoke about the relevance of his chosen topic, security testing, and the 10 steps to implementing it successfully.
Why Security Testing Is Worth Your Attention?
For many testers, and for Matthias Zax in particular, security testing has always been something intangible, although its importance is undeniable. In addition, this type of testing is costly (an external pen test, for example), and it significantly slows down the software release cycle. All these problems required some kind of solution; after all, waiting weeks for software to be ready for deployment is unacceptable.
The topic's relevance in numbers
- 90% of hackers use known software bugs. One reason this is possible is that companies use outdated software libraries, e.g., an old Java library. This can be avoided by turning to security testing.
- From 2020 to 2021, the number of hacker attacks increased by 40%, and this year the figure is still rising. The reason is that computing power keeps getting more capable and cheaper.
- The damage caused by malware is estimated at $20 billion.
What Is Continuous Security Testing?
During security testing, vulnerabilities are discovered, and attempts are made to exploit them. It comes in three types: Vulnerability Assessment, Penetration Testing, and Compliance Testing. There are also two groups of security tests:
- Functional security tests (login, logout, password policy, credentials management).
- Non-functional security tests (OWASP, usage of components with known vulnerabilities, compliance checks).
Static Application Security Testing
- Whitebox testing.
- Find vulnerabilities early in SDLC.
- Can’t discover runtime and environmental issues.
- Tools: SonarQube, Teamscale, OWASP Dependency-Check.
Dynamic Application Security Testing
- Blackbox testing.
- Find vulnerabilities late in SDLC.
- Fault injection techniques.
- Tools: OWASP ZAP, Burp Suite, Gauntlt.
Interactive Application Security Testing
- Combination of SAST and DAST – IAST eliminates the disadvantages of the two previous approaches (such as false positives) and combines their advantages.
- Agent must be installed; it does not come with the tool.
- Applies its analysis to the entire app.
- Learning tool – during dynamic scanning, the tool learns from its interaction with test cases and uses this knowledge to create additional ones.
- Tools: Contrast Community Edition etc.
Runtime Application Security Protection
For the most part, RASP is not a testing approach at all but a monitoring approach. Still, it is essential to know what is happening in your app and to recognize a potential attack. So, RASP:
- Works inside the app and is plugged into it – the tool connects to the app and controls all its flows, as well as requests from different IP addresses.
- Performs continuous security checks on itself.
- Tools: OWASP AppSensor, Contrast Community Edition, etc.
10 Steps to Successful Security Testing
- Join forces with the security department.
- Upskill in security, e.g., get a security coach onto your team.
- Train the team in threat modeling.
- Introduce misuse cases (Evil Stories).
- Set up SAST, incl. IDE plugins.
- Set up DAST and add it to your pipeline.
- Define metrics and positive trends.
- Set up an IAST agent in your testing environments.
- Automate the low-hanging fruit of functional and non-functional security.
- Set up RASP in your production environment.
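Steps 5 and 6 wired into a CI pipeline, as an added example that is not from the talk: a SAST-side job runs OWASP Dependency-Check and fails the build on components with known vulnerabilities (the outdated-library problem noted above), and a DAST job then runs an OWASP ZAP baseline scan against the deployed test instance. The project name, the `docker compose` start-up and the `localhost:8080` target are assumptions about the app under test.

```yaml
# Added example (GitHub Actions syntax); not the speaker's own pipeline.
name: continuous-security-testing
on: [push, pull_request]

jobs:
  sast-dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Step 5 (SAST side): scan declared dependencies against known CVEs.
      # --failOnCVSS 7 turns any High/Critical finding into a failed build,
      # so a vulnerable library cannot reach the DAST stage unnoticed.
      - name: OWASP Dependency-Check
        run: |
          mkdir -p reports
          docker run --rm -v "$PWD":/src owasp/dependency-check:latest \
            --project example-app \
            --scan /src \
            --format HTML --out /src/reports \
            --failOnCVSS 7
      - uses: actions/upload-artifact@v4
        if: always()          # keep the report even when the gate fails
        with:
          name: dependency-check-report
          path: reports

  dast-zap-baseline:
    needs: sast-dependency-check   # only scan builds that passed SAST
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumption: the app under test starts via docker compose on port 8080.
      - name: Start app under test
        run: docker compose up -d && sleep 20
      # Step 6 (DAST): passive baseline scan of the running app. -I makes
      # WARN-level findings informational so only FAIL-level rules break the
      # build; tighten this once the team's metrics (step 7) trend positive.
      - name: OWASP ZAP baseline scan
        run: |
          docker run --rm --network host -v "$PWD":/zap/wrk:rw \
            ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t http://localhost:8080 -r zap-report.html -I
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: zap-baseline-report
          path: zap-report.html
```

Both reports are uploaded as artifacts on every run, which gives the team the raw numbers for the metrics and trend tracking called for in step 7.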