You Need Stage-Wise Security Testing For Reduced Product Vulnerabilities
“A few lines of code can wreak more havoc than a bomb”
– Tom Ridge (Former Secretary, Department of Homeland Security, U.S.)
In today’s digital age, an increasing amount of vital data is stored in applications, and as the number of transactions on the web grows, proper testing of security features becomes critically important. Technology is evolving at a very fast pace, and the number of possible security vulnerabilities is rising with it. Some research suggests that 75% of all cyber-attacks occur at the web application level and that almost 70% of websites are at risk of immediate attack. In the last couple of years we have witnessed many attacks in the form of URL manipulation, SQL injection, spoofing, cross-site scripting (XSS), brute force attacks and so on. According to a report by Symantec, in 2015 alone there were more than “430 million new unique pieces of malware”, up 36% year on year. Clearly, the success of any application in today’s world depends on how secure it is. Why would anyone use an application for personal or business use if they knew it was vulnerable? It’s really as simple as that!
Security testing is one of the most important areas of testing: it reveals the flaws in an application’s data protection mechanisms. Fixing these flaws ensures that confidential data is not exposed to individuals or entities for whom it is not meant, that only authorized users can perform authorized tasks on the application, and that no user can change application functionality in an unintended manner.
Today, testing is a core part of the development process owing to the rise of development methodologies such as Agile, Test Driven Development, Behavior Driven Development, DevOps and so on. Security testing too, like other testing areas, should ideally begin at the first phase of product development to ensure a high-quality end product. Let’s look at the stages of product development where security testing should be included.
- Information Gathering:
Security testing should start from the requirement gathering phase itself, in order to understand the security architecture the application will demand. Understanding the business requirements, objectives and security goals helps testers factor in the controls needed to meet compliance requirements such as PCI DSS where payment card data is handled. The testing team must conduct a security architecture analysis and understand the security demands of the application under test. Once this is done, the testing team should create an elaborate security test plan and test suites. The plan should identify the tool set to be used, which tests will be manual and which automated, and outline the classes of vulnerability that need to be covered.
- Unit Testing:
Security testing at the unit testing phase should be conducted to discover vulnerabilities while the code is still being written. Using static analysis tools, vulnerabilities can be identified by matching the source against a set of known insecure patterns (for example, SQL built by string concatenation or formatting). By starting security testing in the unit testing phase, testers can dramatically reduce the number of bugs that make their way into the black box testing phase. Having the source code available also means each finding can be traced directly to the lines that cause it.
- Integration Testing:
Black box security testing can be introduced in the integration testing phase to identify security vulnerabilities before the application is deployed. It uncovers implementation errors and bugs affecting application security that may have gone unnoticed in the unit testing or white box testing phase. Security testing conducted during integration testing also uncovers concerns that only appear when the application interacts with its underlying environment, with third-party components and with the system as a whole.
- Application Deployment:
In the application deployment phase, testing teams can conduct penetration testing to discover threats that still exist in the system and assess whether any open doors leave the application vulnerable to malicious attacks. Along with uncovering these vulnerabilities, security testing conducted in this phase also supports regulatory compliance and avoids costlier fixes after release.
- Post Production:
Security tests are generally done in the pre-production phase, but running some security tests in production makes an application even more secure. This is the time to confirm that the application still performs well and that the scanners used during security testing have not affected it in a negative manner. It is also a good time to assess the effectiveness of the Software Security Assurance (SSA) program in use.
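To make the Unit Testing and Integration Testing stages above concrete, here is an added example (not code from the original article): a pattern-based static check of the kind a unit-phase scanner runs, and a black-box injection test of the kind run at integration time. The two `find_user_*` functions and the in-memory `users` table are constructed for this example and stand in for real application code; the static check only follows direct local assignments and is far shallower than a real analyzer.

```python
"""Added example: one security check for each of two stages.

Unit-test stage: a pattern-based static check that flags SQL built from a
dynamic string and handed to a DB-API cursor.
Integration stage: a black-box injection test that runs payloads through a
lookup function and judges only the observable result.
"""
import ast
import inspect
import sqlite3


# --- Hypothetical application code under test (constructed for this example) --
def find_user_vulnerable(conn, username):
    # Deliberately vulnerable: user input is spliced into the SQL text.
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, username):
    # Hardened form: the value travels as a bound parameter, never as SQL.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# --- Stage 1: static pattern check, run in the unit-test phase ----------------
def _is_dynamic(expr):
    """True if the AST node builds a string at run time (%, +, f-string, .format)."""
    if isinstance(expr, (ast.BinOp, ast.JoinedStr)):
        return True
    return (isinstance(expr, ast.Call)
            and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format")


def find_dynamic_sql(source):
    """Return line numbers (relative to `source`) of execute()/executemany()
    calls whose SQL argument is dynamic, directly or via a local variable."""
    tree = ast.parse(source)
    dynamic_names = set()
    for node in ast.walk(tree):                       # pass 1: tainted locals
        if isinstance(node, ast.Assign) and _is_dynamic(node.value):
            dynamic_names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):                       # pass 2: sinks
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            arg = node.args[0]
            if _is_dynamic(arg) or (isinstance(arg, ast.Name) and arg.id in dynamic_names):
                findings.append(node.lineno)
    return sorted(findings)


def scan_function(func):
    """Scan one function's own source text; line 1 is its `def` line."""
    return find_dynamic_sql(inspect.getsource(func))


# --- Stage 2: black-box injection test, run in the integration phase ----------
PAYLOADS = ("x' OR '1'='1", "' OR 1=1 --")      # classic tautology payloads


def make_db():
    """Constructed fixture: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def leaking_payloads(lookup):
    """Return the payloads for which a single-user lookup returned more than
    one row. The test knows nothing about how `lookup` builds its query."""
    leaked = []
    for payload in PAYLOADS:
        if len(lookup(make_db(), payload)) > 1:
            leaked.append(payload)
    return leaked


if __name__ == "__main__":
    for fn in (find_user_vulnerable, find_user_fixed):
        print(fn.__name__, "static:", scan_function(fn), "dynamic:", leaking_payloads(fn))
```

The static check reports line 4 of `find_user_vulnerable` (the `execute(sql)` call fed by a `%`-formatted string) and nothing for the fixed version; the black-box test, which never looks at the source, finds that both payloads make the vulnerable lookup return every user while the parameterized version returns none. Running both kinds of check is the point of the stage-wise approach: the static pass catches the pattern before code is merged, and the dynamic pass confirms the behaviour once everything is wired together.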
For security testing, the testing team needs to focus on identifying the areas where a product is most vulnerable and address those comprehensively. By starting security testing early in development, testers understand the application better and can find the chinks in even the most complex application designs. Thoroughly tested code makes for a robust and more secure end product, and isn’t that what we all want?