By E.G. Nadhan
Application testing begins with the verification and validation of functional and non-functional requirements, including application performance. Over the years, there has been significant focus on functional quality and application performance testing, but testing for application security has traditionally been an afterthought. Just so we’re on the same page, here are my definitions of these 3 forms of testing:
- Functional Testing ensures that the application works when users use the application for its intended purpose.
- Performance Testing ensures that the application continues to work when many users use it.
- Security Testing ensures that the application continues to be available and functional even if it is subject to attempts to compromise its security.
The world has changed from multiple perspectives. It behooves us to consider Security Testing as important as Functional Testing and Performance Testing. Here are 5 reasons why:
1. Human Nature. The basic tenets of human behavior have not changed. The intent to derive pleasure by causing harm to fellow humans continues to rear its ugly head occasionally in several forms: 1) obtaining a competitor's intellectual property; 2) obtaining access to personal information about an acquaintance; or 3) disgruntled employees subjecting employers to negative publicity. Such behavior by itself is not new. However, the technologies that support the successful, flawless execution of such intent have evolved and can now be engineered to facilitate such actions. Therefore, applications must be tested today against several what-if scenarios to ensure corrective measures are in place if and when such actions occur.
2. Compliance. There are compliance laws that require applications to be secure, and businesses are liable for significant damages in some cases. The time and effort spent ensuring that the application complies with the applicable regulations is minimal compared to the potential financial loss from a security compromise that could have been avoided.
3. Silent Killer. Some of these mechanisms subtly infiltrate the application environment. There is no visible change in application functionality, but the damage can slowly and steadily grow and spread across the application and/or data domains in context. It is akin to a silent killer that slowly builds up and results in a fatal disruption of service. Therefore, it is important that the application be tested for vulnerable areas that could foster this behavior.
4. Information access. With social networking, the world has opened up, and we share more information about ourselves via the public Internet than we ever did before. A lot more information is accessible, which makes it even easier to engineer intrusions and misuse the available information for personal gain.
5. Technological advances. Emerging technologies continue to improve our overall user experience. But they are also key enablers for the community of hackers, who apply them innovatively to institute new and improved mechanisms for infiltration. Security Testing needs to keep pace with the times. A Security Test Plan written one year ago for the same application may be rendered obsolete by the advent of new technologies that introduce patterns of security violations not seen before.
Do you currently perform all three forms of testing: functional, performance and security? Which one do you think is most important and why?