In the software industry, most clients have one main requirement:
“We want the system to be secure.”
Security is a non-functional property of a system; the main goal of securing a system is to make it dependable, so that we can rely on it to perform its expected functions as required and specified.
Therefore, it is mandatory to run security testing procedures to ensure that we can depend on the system, but we also need to consider some functional requirements when writing the requirements specification document that help to achieve this goal.
Definition of Security testing
“Security testing is a process to determine that an information system protects data and maintains functionality as intended” (Wikipedia)
We can summarize why we need security testing as follows:
- Information and access security. Security tests help to find out loopholes that can cause loss of important information or allow the intruder into the systems.
- System stability and availability. Security testing helps to improve the system so that it keeps working for longer (or at least works without trouble for the estimated lifetime).
- System integrity. If involved in the early stages of the development lifecycle, security testing allows possible flaws in system design and implementation to be eliminated. We need to consider security aspects from the architecture phase onward.
- Economic efficiency. It is much cheaper to prevent a possible problem than to struggle with resolving it and its consequences later.
The main objective of software security analysis and testing is the verification that the software exhibits the following properties and behaviors:
- Its behavior is predictable and secure.
- It exposes no vulnerabilities or weaknesses (ideally it contains no vulnerabilities or weaknesses, exposed or not).
- Its error and exception handling routines enable it to maintain a secure state when confronted by attack patterns or intentional faults.
- It satisfies all of its specified and implicit nonfunctional security requirements.
- It does not violate any specified security constraints.
- As much of its runtime-interpretable source code and bytecode as possible has been obscured or obfuscated to deter reverse engineering.
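To make the third property in the list concrete (error handling that keeps the system in a secure state under malformed or tampered input), here is an added example; it is not code from the original article. It contrasts a fail-closed authorization check with a fail-open one and runs the kind of negative test cases a security test suite would contain. The token format (a JSON document with "user" and "roles" fields), the action-to-role table and all the sample tokens are constructed for this example.

```python
"""Added example (not from the original article): an authorization routine
that fails closed, a fail-open counterpart, and the negative security tests
that tell them apart.

Assumptions (constructed for this example): a permission token is a JSON
document with fields "user" and "roles"; an action is allowed only when the
token parses cleanly and carries the role required for that action.
"""
import json

# Constructed mapping of actions to the role they require.
REQUIRED_ROLE = {"read_report": "analyst", "delete_report": "admin"}


def authorize(token: str, action: str) -> bool:
    """Return True only when the token explicitly grants `action`.

    Every failure (malformed JSON, wrong types, unknown action, missing
    field) results in denial: no exception escapes and nothing defaults
    to allow, so the routine stays in a secure state under bad input."""
    try:
        doc = json.loads(token)
        if not isinstance(doc, dict):
            return False
        roles = doc.get("roles")
        if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
            return False
        needed = REQUIRED_ROLE[action]  # KeyError for an unknown action -> deny
        return needed in roles
    except (ValueError, KeyError, TypeError):
        return False


def authorize_fail_open(token: str, action: str) -> bool:
    """Insecure counterpart: assumes well-formed input and, on any error,
    "keeps the application working" by allowing the request. This is the
    pattern security testing is meant to catch."""
    try:
        return REQUIRED_ROLE[action] in json.loads(token)["roles"]
    except Exception:
        return True


def security_test_cases():
    """Constructed test cases: (token, action, expected outcome).

    The expected outcome for every malformed or tampered token is denial."""
    return [
        ('{"user":"bob","roles":["analyst"]}', "read_report", True),
        ('{"user":"bob","roles":["analyst"]}', "delete_report", False),
        ('{"user":"bob","roles":["admin"]}', "delete_report", True),
        ('{"user":"bob","roles":"admin"}', "delete_report", False),   # wrong type
        ('not json at all', "read_report", False),                     # malformed
        ('[]', "read_report", False),                                  # wrong shape
        ('{"user":"bob","roles":["admin"]}', "format_disk", False),    # unknown action
        ('{"user":"bob"}', "read_report", False),                      # missing field
    ]


def run_suite(check):
    """Run every case against `check`; return the (token, action) pairs
    where the observed decision differs from the secure expectation."""
    failures = []
    for token, action, expected in security_test_cases():
        if check(token, action) != expected:
            failures.append((token, action))
    return failures


if __name__ == "__main__":
    print("fail-closed failures:", run_suite(authorize))
    print("fail-open failures:  ", run_suite(authorize_fail_open))
```

Run as a script, the fail-closed routine passes every case, while the fail-open routine is caught by five of the eight: the string-typed role (a substring match), the non-JSON token, the wrong-shaped document, the unknown action and the missing field all end up allowed. The point for a test plan is that the interesting cases are the ones that exercise the error paths, not the happy path.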