Security testing is the most important type of testing for finding vulnerabilities in a web site. Nowadays online transactions take place on almost every web site, so security testing is a major activity that needs to be performed in the testing phase of the software testing life cycle. Confirming that a web site is secure helps gain the trust of its customers. A detailed description of the security attributes is given below.
There are seven attributes of security testing:
1. Authentication: Authentication is the process of identifying a user and establishing whether they are allowed to access files or data on the server; it answers the question of who is able to access the data. For example, a person needs to prove their identity to enter an office. This process is mandatory for most applications; only desktop applications used by a single person tend to skip it. Authentication is needed whenever more than one person will have access to the system. Third-party web APIs, networking systems and servers all use authentication.
2. Authorization: Authorization is the process of determining who has permission to go where. After the user has supplied a valid id and password, or an authentication key, authorization decides which data of the web site they can access. It grants access to particular parts of the system according to roles and permissions. Take the example of an admin role and a customer role in a system: as per the defined roles they have different permissions, the admin having all rights to control the system while the customer has the right to view items and order them. The customer should not be able to change the price of an item, because that permission is not given to the customer role by the admin. Thus authorization is a part of every application or system.
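Role-based authorization as described above, as an added example (not code from the original post): the admin role can change a price, the customer role cannot, an unknown role is denied everything, and `authorization_matrix` exercises every role/action pair the way an authorization test would. All names and the `PERMISSIONS` table are assumptions.

```python
# Role-based authorization for the admin/customer example above. This is a
# constructed example, not code from the original post. Deny by default:
# an unknown role, or an action not granted to a role, is refused.
from dataclasses import dataclass, field

PERMISSIONS = {
    "admin": {"view_items", "order_items", "change_price"},
    "customer": {"view_items", "order_items"},
}

@dataclass
class Item:
    name: str
    price: float

@dataclass
class Shop:
    items: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (role, action, decision)

    def authorize(self, role: str, action: str) -> bool:
        """Allow only if the role explicitly grants the action; log every decision."""
        allowed = action in PERMISSIONS.get(role, set())
        self.audit.append((role, action, "allow" if allowed else "deny"))
        return allowed

    def change_price(self, role: str, name: str, new_price: float) -> float:
        # Check before touching state, so a denied call leaves the price as it was.
        if not self.authorize(role, "change_price"):
            raise PermissionError(f"{role!r} may not change prices")
        self.items[name].price = new_price
        return new_price

def authorization_matrix(shop: Shop) -> dict:
    """Exercise every (role, action) pair, as an authorization test would,
    and return {(role, action): allowed} to compare with the expected matrix."""
    roles = list(PERMISSIONS) + ["guest"]  # 'guest' is deliberately unknown
    actions = ["view_items", "order_items", "change_price"]
    return {(r, a): shop.authorize(r, a) for r in roles for a in actions}

def demo() -> Shop:
    shop = Shop(items={"pen": Item("pen", 1.50)})
    shop.change_price("admin", "pen", 2.00)  # admin: allowed
    try:
        shop.change_price("customer", "pen", 0.01)  # customer: refused
    except PermissionError:
        pass
    return shop
```

The audit list records every allow/deny decision, which is what a tester compares against the expected role matrix.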
3. Encryption: Encryption is the process of transforming data so that it can pass through a channel while the decryption key is known to no one but the intended recipient. Some passwords, for instance, are stored as code words so that an unauthorized person will not recognize them. Another example is army projects, where information is transferred in encrypted form and can be understood by the army officers only.
4. Confidentiality: We can connect confidentiality with privacy. It is designed to keep sensitive data away from unauthorized persons and to make sure that only the right, authorized people can access the data. Confidentiality can be enforced with different methods. For example, when you create an account with some sites they ask you security questions, and when you need to change the password for that account you have to answer them correctly; then and only then are you able to access your personal account.
5. Integrity: Integrity maintains the consistency, accuracy and trustworthiness of data over the whole life cycle of the application. It ensures that data is not changed or altered by an unauthorized person. For example, confidential data should not be modified by the wrong people. Integrity takes care of file permissions and user access control. Version control of an application can also be maintained with integrity. Cryptography is the main tool for integrity. An unauthorized person will not be able to change or replace data; thus integrity protects the data.
6. Availability: Availability is mainly concerned with keeping hardware available. Repairing hardware immediately, in terms of the operating system, is a big challenge which availability addresses. It is important to keep all necessary systems upgraded. Availability is defined as ensuring that information is accessible when it is required. Providing communication bandwidth and preventing security incidents are also part of maintaining a system. One more advantage of availability is that when a server crash or electrical problem removes all the data of the application, backups or redundancy are available to restore the data.
7. Non-Repudiation: This is the process which assures that a party cannot deny something in the data. Repudiation is mainly an issue in electronic communication, where a person could otherwise deny being the recipient of a message or the signer of a document. Non-repudiation usually applies in the case of a formal contract, a communication channel or a transfer of data. Its main aim is that parties who communicate or transfer a document cannot deny the authenticity of their signature on the contract; thus the parties are confirmed as the originators of a particular message.
These are the main and basic attributes that should be taken care of while creating any web or mobile application.
Source link http://feedproxy.google.com/~r/SoftwareTestingTutorialsAndAutomation/~3/p5QXkhfPDIY/security-testing-approach-with.html