Modern applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every layer of the application stack, and of the web application stack in particular, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. Security testing is therefore a very important part of testing applications. Application security testing should address all the measures that need to be implemented throughout the entire software development life cycle, so that vulnerabilities can be addressed in a timely and thorough manner.
SHIELDCAST, the quarterly security newsletter from QASource, delivers the best practices, latest updates, tips and the knowledge required for security testing of applications, be they Web, Mobile or Desktop.
Latest Virus/Malware News
- Asacub Android Trojan: From Information Stealing to Financial Fraud
- The Volume of New Mobile Malware Tripled in 2015
Evaluation - Tools & Technologies
Secure Pro is a paid API security testing tool provided by SmartBear. This tool has the following features:
- Pre-built Security Scans for SOAP & REST
- Custom Security Scan editor & Security Test Generator
- Scan for Sensitive File Exposure on your API servers
- Check for Weak Authentication
- Security Scan Wizard
Best Practices for Mobile Application Penetration Testing
Preparing the Security Plan
To test the application, it is recommended to build a security test plan. The OWASP Security Cheat Sheet provides an overview that security test engineers can use and incorporate into the plan.
Building the Attack Arsenal
Tools that can be used for attacking are:
- Cydia for hacking an application
- Appcrack and DumpDecrypted for Android apps
- Android Proxy, ZAP, Tcpdump for network analysis
Preparing Test Cases
Test cases should be prepared; a few major areas to cover are as follows:
- Authentication, Authorization and Access Control
- Malicious Input, Fuzzing
- Auditing and Logging
- Exception Handling and Error Handling
- Buffer Overflow
- SQL Injection
- User and Session Management
What Should Testing Report Contain?
Security Threat Details
Information on security threats that can potentially exploit the application.
What is the root cause of the security issue? Here we define the security flaw that has been identified.
Testing Technique Used
Which testing technique helped in finding the issue: a penetration test, a security test or source code analysis?
Remediation of Vulnerability
What could be the fix? Do we need any requirement change, code change or any configuration change?
Risk Rating of Vulnerability
What risk it poses to the application: Critical, High, Medium or Low.
We would love to hear your feedback, questions, comments and suggestions. This will help us become better and more useful next time.
Share your thoughts and ideas at firstname.lastname@example.org
The logos used in this post are owned by the individual companies of each logo or trademark. The logo is not authorized by, sponsored by, or associated with the trademark owner, but QASource is using the logos only for reviewing purposes. The endorsement of the used logos by QASource is neither intended nor implied.