Security Testing: The Process to determine that an IS (Information System) protects data and maintains functionality as intended.
The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, authorization, availability and non-repudiation.
Drawing the distinction between Smoke Testing and Sanity Testing
Some testing communities often equate sanity testing and smoke testing. The table below draws the difference between the two:
Website Security - Smoke Test Plan
Security checklist for websites
No matter whether you host your website yourself (on your own server) or on a paid hosting server, you need to make sure it is hacker-safe and does not compromise on security threats.
* Perform Data validation on the server-side:
Many Web forms include some JavaScript data validation. If that validation is meant to provide any security, it means almost nothing: an attacker can craft a request of their own that is sent directly to the resource named in the Web page's form action, bypassing the page's validation entirely. Worse yet, many cases of JavaScript form validation can be circumvented simply by deactivating JavaScript in the browser or by using a Web browser that does not support JavaScript at all. Every check that matters must therefore be repeated on the server, where the client cannot skip it.
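As an added example (not code from the original article), here is a server-side validator for a hypothetical signup form. It works on the raw form body exactly as the client sent it, so a crafted request that skipped the page's JavaScript, added a field the form never defined, or repeated a field is rejected just the same. The field names, limits and the constructed request bodies are assumptions.

```python
"""Server-side validation of a signup form, independent of any client-side JavaScript.
Hypothetical form with the fields username, email and age (constructed example)."""
import re
from urllib.parse import parse_qs

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ALLOWED_FIELDS = {"username", "email", "age"}
MAX_BODY_BYTES = 4096  # assumed limit; reject oversized submissions before parsing


def validate_signup(body: bytes) -> dict:
    """Return a dict of field -> error message; an empty dict means the submission is acceptable.

    `body` is the raw application/x-www-form-urlencoded request body as received from the
    client, so nothing here depends on the browser having run the page's JavaScript."""
    errors = {}
    if len(body) > MAX_BODY_BYTES:
        return {"_body": "request body too large"}
    try:
        fields = parse_qs(body.decode("utf-8"), keep_blank_values=True, strict_parsing=True)
    except ValueError:  # UnicodeDecodeError is a ValueError too
        return {"_body": "malformed form encoding"}
    # Reject any field the form never defined (e.g. a crafted extra 'role=admin').
    for name in fields:
        if name not in ALLOWED_FIELDS:
            errors[name] = "unexpected field"
    # Every expected field must be present exactly once; a repeated key (parameter
    # pollution) must not be silently collapsed to whichever value the app picks.
    for name in ALLOWED_FIELDS:
        if len(fields.get(name, [])) != 1:
            errors[name] = "missing or repeated field"
    if errors:
        return errors
    username, email, age = fields["username"][0], fields["email"][0], fields["age"][0]
    if not USERNAME_RE.fullmatch(username):
        errors["username"] = "3-32 letters, digits or underscores"
    if not EMAIL_RE.fullmatch(email):
        errors["email"] = "not a valid e-mail address"
    # Require plain ASCII digits so that '-5', '3.5' and non-ASCII digits are all refused.
    if not (age.isascii() and age.isdigit()) or not 13 <= int(age) <= 120:
        errors["age"] = "must be a whole number between 13 and 120"
    return errors


if __name__ == "__main__":
    # Constructed bodies: one a browser would send after passing the JS checks,
    # the other crafted to skip them entirely.
    print(validate_signup(b"username=alice&email=alice%40example.com&age=30"))
    print(validate_signup(b"username=a&email=not-an-email&age=-5&role=admin"))
```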
* Manage your Web site via encrypted connections:
Using unencrypted connections (or even connections using only weak encryption), such as unencrypted FTP or HTTP for Web site or Web server management, opens you up to man-in-the-middle attacks and login/password sniffing. Always use encrypted protocols such as SSH to access secure resources, using verifiably secure tools such as OpenSSH. For this and many other useful tips, check out StopBadware.org’s Tips for Cleaning and Securing Your Website.
* Use strong, cross-platform compatible encryption:
Believe it or not, Secure Sockets Layer (SSL) is no longer the top-of-the-line technology for Web site encryption. Look into TLS (Transport Layer Security), the successor to SSL.
* Use Backup & redundancy to protect the Web site:
Backups and server failover can help maintain maximum uptime. While failover systems can reduce outages due to server crashes and server shutdowns, that is not the only value of redundancy. The duplicate servers used in failover plans also maintain an up-to-date copy of the server configuration, so you do not have to rebuild your server from scratch in case of disaster. Backups ensure that client data is not lost. Of course, failover and backup solutions must be secured as well, and they should be tested regularly to ensure that if and when they are needed, they will not let you down.
* Check your server configuration.
Apache has some security configuration tips on their site and Microsoft has some tech center resources for IIS on theirs. Some of these tips include information on directory permissions, server side includes, authentication and encryption.
* Stay up-to-date with the latest software updates and patches.
A common pitfall for many webmasters is to install a forum, plugin, widget or blog on their website and then forget about it. It is important to make sure you have all the latest updates for every software program you have installed.
* Regularly keep an eye on your log files.
Making this a habit has many great benefits, one of which is added security. You might be surprised with what you find.
* Check your site for common vulnerabilities.
Avoid having directories with open permissions. This is almost like leaving the front door of your home wide open, with a door mat that reads “Come on in and help yourself!” Also check for any XSS (cross-site scripting) and SQL injection vulnerabilities. Finally, choose good passwords. The Gmail support center has some good guidelines to follow, which are helpful for choosing passwords in general.