Standardized Security Testing | QA Perspectives
Security Testing Best Practices and Solutions
Let's talk about security.
Copyrighted design and UI, high quality content, intuitive user experience and all that matters. But it does no good if your confidential data was stolen or leaked somehow which threatens your customers' safety.
Common cases include website traffic being hacked, where clicks are redirected to malware or external websites and worst case customer's sensitive data is stolen.
In the age of data, protecting data is top priority for any businesses offering digital products.
So, in order to verify that a software is capable of protecting data, maintaining the necessary data and identifying threats to the system, companies are required conduct security assessment from time to time.
However, what we found through talking to our clients is that, those security reports are often partial and don't meet industry standards. Another frustration is, at the end of each quarter, most security assessment vendors are fully booked and can't perform last minute requests for product update for example.
That is when SHIFT group started offering security testing as part of one-stop quality assurance solution that meets MASVS, CIS benchmark and more.
6 Principles of Security Testing
The six principles of security testing at SHIFT ASIA include
1) Confidentiality, 2) Integrity, 3) Authentication, 4) Authorization, 5) Availability, 6) Non-repudiation
Examples of what we test:
• Network Security
• System Software Security
• Client-side Application Security
• Server-side Application Security
Security Testing Types
- Vulnerability Scanning
Vulnerability scanning is performed with the help of automated software to scan a system to detect the known vulnerability patterns.
- Security Scanning
Security scan is to identify network and system weaknesses. Then provide solutions to reduce these deficiencies or risks. They can be performed both manually and automatically.
- Penetration Testing
Penetration test is an attack simulation from a malicious hacker. It involves analyzing a specific system to check for potential vulnerabilities from a malicious hacker attempting to hack the system.
- Risk Assessment
In the risk assessment check security risks observed in the organization being analyzed. Risks are classified into three categories: low, medium and high. This test validates control and measures to minimize risk.
- Security Auditing
Security auditing is an internal inspection of applications and operating systems for security defects. An audit can also be carried out via line by line checking of code.
- Ethical Hacking
Ethical hacking is different from malicious hacking. The purpose of ethical hacking is to expose security flaws in the organization system.
- Posture Assessment:
It combines security scanning, ethical hacking and risk assessments to provide an overall security posture of an organization.
When checking system's vulnerability, we by default test using below perspectives
• Authentication function operates according to specifications
• The transmitted data is encrypted according to specifications
• Stored data is encrypted according to specifications
• The log output content is correct
• The log retention period is correct
• Unauthorized monitoring target (device, network, surveillance camera, etc.) is correct
• Correct verification of digital signature
With our standardized process and easy-to-understand reports, clients in financial services and various clients of different verticals take advantage of us.
For any inquiries, please submit your message through contact form.