Security implemented in business operational processes exists, in general, to protect important data and information. Security testing must be done to confirm that this protection actually holds.
Developing a website or application is the right decision for organizations/companies that want to support the business operational processes they run. Every website or application an organization/company builds must take the security of that system into account from the start; otherwise the system will bring losses to the company/organization, its customers, and other parties.
Security applied in business operational processes in general is meant to protect the important data and information in a system so that it is not accessed by unauthorized parties (parties who do not have authority). If a system that is supposed to be secure is successfully penetrated by parties without authority, the victims are the organization/company's reputation and its customers' confidence in it.
To overcome security problems with data and information, security testing is needed in every application, website, and system that will be developed by the company/organization.
Definition of Security Testing
Security Testing is a type of test that aims to identify the security vulnerabilities of the system being developed. Beyond that, security testing also confirms that the data, information, and resources in the system are well protected against intruders. By finding the security gaps in the system being implemented/developed, the company/organization can prevent the loss of important data and information as well as other losses, such as damage to the company/organization's reputation.
Security testing of business operational systems must be done every time the developed system changes. In addition, companies/organizations must test regularly, because information security attacks continue to increase rapidly every year. By conducting security testing regularly, companies/organizations can confirm that the systems used and implemented in their business operational processes have a good level of security.
There are 4 main areas in which security tests are carried out on websites/applications:
- Network Security. Tests carried out with the aim of finding gaps and vulnerabilities in the implemented network infrastructure.
- System Software Security. Tests conducted to measure the level of weakness on the security side of various software implemented in the company/organization such as operating systems, databases, and others.
- Client-side Application Security. Tests conducted to detect vulnerabilities and measure the level of security on client/user computer systems.
- Server-side Application Security. Tests carried out with the aim of ensuring that the server side has a good and strong level of security and is able to block and handle various security intrusions or threats.
Types of Security Testing
Vulnerability Scanning
Vulnerability scanning, commonly referred to as a vuln scan, is a security test carried out with automated software to find security vulnerabilities in the system. These vulnerabilities include SQL Injection, Cross-Site Scripting, and server misconfigurations that can threaten security.
Vuln scans are often run across the entire company/organization network. It is important to know that vuln scans are governed by the industry standards and government regulations that apply to improving the security posture of the systems implemented in a company/organization.
Vulnerability Scanning has several types of scans, which are as follows.
- External Vulnerability Scans are vulnerability assessments targeting parts of the IT ecosystem that are not restricted to internal use. The focus areas of this scan include applications, ports, websites, services, networks, and systems that users or customers can reach from outside.
- Internal Vulnerability Scans are scans whose main target is the internal network of the company/organization. This scan is carried out to detect vulnerabilities in the network and to avoid damage to the network infrastructure. It allows companies/organizations to protect and strengthen their application security systems from within.
Security Scanning
Security Scanning is a scan performed to find vulnerabilities and identify unwanted file modifications in web-based applications, websites, networks, and file systems. The scan provides deep insight into the problems found together with recommended fixes for them.
Security Scanning can be done with a one-time check. However, software development companies prefer security scanning on a regular and ongoing basis to ensure that the system developed actually has a good level of security.
Penetration Testing
Penetration testing is testing done by simulating a cyber attack on the system under test. This test is conducted by a professional pentester who holds a penetration testing certification and uses a variety of pentest tools and techniques. Penetration Testing must be carried out regularly to prevent the security system from being breached through security gaps or vulnerabilities in the system.
This testing process is comparable to a company/organization hiring someone to try to get past the security controls applied to its application or website. If that person manages to get in and pass through the existing security controls, then there is a security gap or vulnerability in the system. With this information, companies/organizations can keep improving the quality of the security of the software, websites, and other applications they are developing.
Risk Assessment
Risk assessment is done by classifying or categorizing the risks that will be faced by applications, software, and networks. Through risk analysis and identification, the company/organization will know which risks can threaten system security. These security risks will be classified into several groups according to the level of threat that needs to be prioritized such as high, medium, and low priority groups. This assessment can help companies/organizations in assessing the level of suitability of the security controls implemented with the security risks that have been previously determined.
Risk Assessment is generally carried out by the company/organization's internal IT Audit team. The team must really understand digital infrastructure and networks so that identification and analysis of security risks can be done optimally.
Security Auditing
Security Auditing is a structured method used to assess and evaluate the security measures that have been implemented in a company/organization. By conducting regular audits, companies/organizations can find out where the weak points and vulnerabilities are in the IT infrastructure, verify the level of conformity of security controls with applicable standards and regulations, ensure compliance with established security regulations and requirements, and much more.
Although at first glance it looks the same as risk assessment, the two types of security testing are still different. An audit is a more formalized testing process than a risk assessment. It must also be conducted by an independent third party who is certified in a particular field of auditing (in this case information security).
Ethical Hacking
Although this testing is very close to penetration testing, ethical hacking has a broader scope.
Ethical hacking is security testing done using all available hacking techniques and methods, as well as other computer attack techniques. This testing process is carried out by an ethical hacker who has permission to explore the company/organization's entire IT environment. The testing aims to measure how well, and how resiliently, the applied security level withstands disruption attempts carried out with various vectors, types, and attack techniques.
Ethical Hacker testing supports companies/organizations in identifying vulnerabilities and security weaknesses in IT Infrastructure at large.
Posture Assessment
Posture assessment is carried out to improve risk management capabilities in companies/organizations. This assessment is a very important step in understanding the security condition of the company/organization, and it enables the company/organization to identify security threats that may occur.
Security Testing Attributes
In order for information security to be applied thoroughly, the company/organization must cover the following security testing attributes, which are explained below.
Authentication
In this attribute, the user's digital identity is checked. The system grants access only to the right person or people, that is, those who can prove their identity, for example with the correct password or the answer to a secret question.
Security testing needs to be done if the company/organization wants to stay protected from all security threats and attacks. Identifying security vulnerabilities should be done early rather than when the system is already damaged or hacked by irresponsible parties.
Security testing also helps companies/organizations save costs due to the repair process, fines, and repairing the company's reputation at great expense due to the impact of security attacks on the system used.
Authorization
This attribute comes into play only after the Authentication attribute has been passed. Authorization and Authentication differ only slightly: Authentication grants access to the right user, while Authorization grants specific rights/powers to that user. Every user can be authenticated, but not every authenticated user is granted an authorization.
Authorization acts as a user access control that permits or restricts the user's privileges. These privileges are determined by predefined user roles.
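The two steps described above (identity check first, then role-based privileges) as an added example that is not part of the original article; the user names, passwords, roles and permission names are constructed sample data:

```python
import hashlib
import hmac
import os

# Constructed role table: privileges are attached to predefined roles, not to users.
ROLE_PERMISSIONS = {
    "admin": {"read_report", "delete_report", "manage_users"},
    "analyst": {"read_report"},
    "guest": set(),  # can be authenticated, but is granted no privileges
}

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 so the store never holds plaintext passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_user(username: str, password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"name": username, "salt": salt, "hash": hash_password(password, salt), "role": role}

# Constructed user store (hypothetical sample accounts)
USERS = {u["name"]: u for u in (
    make_user("alice", "correct horse battery staple", "admin"),
    make_user("bob", "hunter2", "analyst"),
    make_user("eve", "letmein", "guest"),
)}

def authenticate(username: str, password: str):
    """Step 1: verify the digital identity. Returns the user record or None."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = hash_password(password, user["salt"])
    # compare_digest keeps the comparison time independent of where the hashes differ
    if not hmac.compare_digest(candidate, user["hash"]):
        return None
    return user

def authorize(user: dict, action: str) -> bool:
    """Step 2: only reached after authentication; privileges come from the role."""
    return action in ROLE_PERMISSIONS.get(user["role"], set())

def access(username: str, password: str, action: str) -> str:
    user = authenticate(username, password)
    if user is None:
        return "denied: authentication failed"
    if not authorize(user, action):
        return f"denied: {username} is authenticated but not authorized for {action}"
    return f"allowed: {username} may {action}"
```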
Confidentiality
This attribute is responsible for ensuring that users without access/authorization cannot reach systems and resources that only privileged users may access. It checks that information is protected at every stage of processing, storage, and display, so that users without access receive only encrypted information.
Availability
This attribute ensures that the system is always up when users want to access information, anywhere and anytime. Not only information but also resources and services must be available whenever users need them.
With this attribute, companies/organizations will always be aware of hardware failures that can affect security and can always improve the availability of systems implemented in their business processes.
Integrity
In this attribute, users are checked/verified according to their user groups, privileges, and restrictions so that the integrity of their information can be checked. If the system finds that information was altered in transit, whether accidentally or intentionally, the departments responsible for information security take immediate action.
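One way a system can detect information altered in transit, as an added example that is not part of the original article: the sender attaches an HMAC-SHA256 tag to each record and the receiver recomputes it, so any change to the body is rejected. The shared key and the record contents are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed shared key; in a real deployment it is provisioned out of band, never sent with the data
SHARED_KEY = b"example-shared-key-do-not-reuse"

def tag(body: bytes, key: bytes = SHARED_KEY) -> str:
    """Compute an HMAC-SHA256 tag over the exact bytes that travel across the network."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def send(record: dict) -> bytes:
    """Sender side: serialize deterministically, then append the tag as an envelope."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    envelope = {"body": body, "tag": tag(body.encode())}
    return json.dumps(envelope).encode()

def receive(wire: bytes):
    """Receiver side: recompute the tag; return (ok, record) and drop anything that differs."""
    envelope = json.loads(wire)
    body = envelope["body"].encode()
    # constant-time comparison so timing does not reveal how many tag bytes matched
    if not hmac.compare_digest(tag(body), envelope["tag"]):
        return False, None
    return True, json.loads(body)

def modified_in_transit(wire: bytes, field: str, new_value) -> bytes:
    """Constructed test fixture: rewrite one field of the body without knowing the key."""
    envelope = json.loads(wire)
    body = json.loads(envelope["body"])
    body[field] = new_value
    envelope["body"] = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return json.dumps(envelope).encode()
```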
Non-repudiation
This attribute is responsible for tracking the party whose access was denied. The purpose of the tracking is to establish that the denied request does not threaten the information security of the company/organization.
Resistance
Beyond the attributes described above, the system must also be checked for its level of resistance to internal and external attacks.
This attribute is addressed by applying One Time Passwords (OTP), RSA encryption key tokens, two-layer authentication, or two-layer encryption to the system.