    September 8, 2021

    Security Testing in an Agile Development World

    Security testing is a key component of software quality. A program may meet functionality and performance requirements, but that does not guarantee security. In this blog post I will present different security testing methods and provide a few tips for conducting a more secure code review. But first, let’s understand what software security is intended for.

    The Goal of Software Security

    Software security is intended to help the CIA. No, not the CIA you’re thinking of, but rather, CIA as in “confidentiality, integrity, and availability.” Here’s how NIST defines these terms:

    • Confidentiality. The process of preserving authorized restrictions on access and disclosure, including a means for protecting personal privacy and proprietary information.
    • Integrity. The act of guarding against improper information modification or destruction, which includes ensuring information nonrepudiation, accuracy, and authenticity.
    • Availability. The ability to ensure timely and reliable access to, and use of, information.

    The Impact of Inadequate Software Security

    Some of the consequences of a lack of security include:

    • Damage to the organization’s brand name
    • Loss of customer trust
    • Negative impact on sales
    • Expensive vulnerability remediation cost
    • Production impact
    • The cost of downtime and expenditures required to recover from a website crash, such as reinstating services, restoring backups, and so on
    • Fines, fees, and legal repercussions

    How to Achieve Software Security in the Software Development Lifecycle

    A very effective way to achieve secure software is to build secure development, deployment, and maintenance principles and practices into the development lifecycle. In the testing process, this means verifying that the system enforces its security requirements and still functions as intended.

    Security Testing Approaches and Techniques

    Let’s look at three security testing types that cover the software development lifecycle from end to end.

    1. Threat Modeling

    A threat is a potential event or actor that can exploit a vulnerability in the system. Threat modeling is an iterative process of identifying and prioritizing these probable threats and documenting the action to be taken for each one. It helps teams find architectural risks early in the development lifecycle, before code is written, when they are cheapest to fix. Because the model is revisited as the design changes, it also keeps the testing team involved throughout development, so they can focus on the critical risks and make better-informed security decisions.

    The Threat Modeling Process

    Let’s see how the threat modeling process works:

    • Planning. Defining the application, its data flows, the trust boundaries those flows cross, and the assets involved.
    • Identification. Determining which types of threats each element is exposed to, such as data manipulation or SQL injection, and ranking them by likelihood and impact.
    • Mitigation. Choosing the controls (design changes, libraries, configuration, and supporting tools) that reduce each identified risk to an acceptable level.
    • Remediation and validation. Implementing the chosen controls, verifying that they work, and tracking any residual risk. Risk identification must be continuous: revisit the model whenever the design changes, and rerun the supporting tools on every iteration of the build.
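    The four steps above can be captured as a small "threat model as code" so that the model is re-evaluated on every build. The following Python script is an added illustrative example, not code from the original post or from any of the tools named on this page; the element kinds, the identification rules, the severity numbers, and the sample browser / web app / database system are all assumptions made for the example. It models the data flows defined in the planning step, identifies threats by applying rules to each flow (a cleartext hop across a trust boundary, unvalidated external input, a non-parameterized query into a data store), and prioritizes them by severity.

```python
"""Threat model as code: a small data-flow model with rule-based threat
identification and prioritization. Added illustrative example, not from the
original post or any named tool; element kinds, rules, severities and the
sample system are assumptions."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # "external" (user or third party), "process", or "store"
    trust_zone: str  # e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    encrypted: bool = False       # is the transport protected (TLS)?
    authenticated: bool = False   # does dst verify who src is?
    validated: bool = False       # does dst validate the payload?
    parameterized: bool = True    # for flows into a store: prepared statements?


@dataclass(frozen=True)
class Threat:
    flow: str
    category: str
    description: str
    mitigation: str
    severity: int   # 1 (low) .. 10 (critical); assumed ranking for this example


# Assumed severities used to prioritize; a real model would score per asset.
SEVERITY = {"injection": 9, "spoofing": 8, "information disclosure": 7, "tampering": 6}


def crosses_boundary(flow: Flow) -> bool:
    """A flow between different trust zones crosses a trust boundary."""
    return flow.src.trust_zone != flow.dst.trust_zone


def identify_threats(flows: list[Flow]) -> list[Threat]:
    """Apply simple, explainable rules to every flow in the model."""
    found: list[Threat] = []

    def add(flow: Flow, category: str, description: str, mitigation: str) -> None:
        label = f"{flow.src.name} -> {flow.dst.name} ({flow.data})"
        found.append(Threat(label, category, description, mitigation, SEVERITY[category]))

    for f in flows:
        if crosses_boundary(f) and not f.encrypted:
            add(f, "information disclosure",
                "data crosses a trust boundary in cleartext", "use TLS on this hop")
        if crosses_boundary(f) and not f.authenticated:
            add(f, "spoofing",
                "caller identity is not verified across a trust boundary",
                "authenticate the caller (mTLS or a signed token)")
        if f.src.kind == "external" and not f.validated:
            add(f, "tampering",
                "externally supplied data is used without validation",
                "validate type, length and format at the boundary")
        if f.dst.kind == "store" and not f.parameterized:
            add(f, "injection",
                "query is built from caller-controlled data",
                "use parameterized queries / prepared statements")
    return found


def prioritize(threats: list[Threat]) -> list[Threat]:
    """Highest severity first, so the team fixes the worst risk in this iteration."""
    return sorted(threats, key=lambda t: (-t.severity, t.flow))


# Constructed sample system: browser -> web app -> database, plus a payment API call.
BROWSER = Element("Browser", "external", "internet")
WEB_APP = Element("Web App", "process", "dmz")
DATABASE = Element("Orders DB", "store", "internal")
PAYMENTS = Element("Payment API", "external", "internet")

SAMPLE_FLOWS = [
    Flow(BROWSER, WEB_APP, "search query", encrypted=True, authenticated=True, validated=False),
    Flow(WEB_APP, DATABASE, "order lookup", encrypted=False, authenticated=True,
         validated=True, parameterized=False),
    Flow(WEB_APP, PAYMENTS, "card token", encrypted=True, authenticated=True, validated=True),
]


def report(flows: list[Flow]) -> list[str]:
    """One line per threat, most severe first: what, where, and what to do about it."""
    return [f"[{t.severity}] {t.category}: {t.flow}: {t.description}; fix: {t.mitigation}"
            for t in prioritize(identify_threats(flows))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FLOWS)))
```

    Run as a script it lists three threats for the sample system: the non-parameterized order lookup (injection), the cleartext hop from the DMZ into the internal zone (information disclosure), and the unvalidated search query (tampering), in that order. Keeping the model in version control next to the code is what makes the "rerun on every iteration" part of the remediation step practical.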

    Some examples of threat modeling tools include:

    • OWASP Threat Dragon
    • Microsoft Threat Modeling Tool
    • Cairis

    2. Penetration Testing

    A penetration test, also known as a pen test, is a simulated cyber-attack against your software system to check for exploitable vulnerabilities. Penetration testing targets the security weaknesses that enable attackers to gain access to the data. As a result, penetration testing helps in assessing the overall security posture and identifying vulnerabilities before the attackers do.

    The Pen Test Process

    Here’s how the penetration testing process works:

    • Define the scope. Agreeing which systems may be tested, which testing methods will be used, and how far exploitation may go when a vulnerability is found.
    • Reconnaissance and vulnerability discovery. Enumerating the hosts, services, and application entry points in scope and identifying candidate vulnerabilities.
    • Exploitation. Attempting to exploit the discovered weaknesses. In this stage the application is attacked to confirm which vulnerabilities are real and to check whether an attacker could gain access and move deeper into the system.
    • Risk analysis and mitigation. Listing every confirmed vulnerability with a recommended fix. The analysis should also record which sensitive data was reached and how long the attack took, so the fixes can be prioritized and verified in later phases.
    • Pen test report. A detailed report listing the issues with their severities, shared with the team so that severity 1 issues are prioritized and fixed first.
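    The scope definition, the discovery step, and the report are connected by a piece of glue that every tester ends up writing: take the raw scanner output, drop anything that is not in the agreed scope, and rank what remains. The Python script below is an added example, not from the original post. It parses the XML that Nmap writes with -oX (Nmap is one of the tools listed later on this page); the scope, the embedded sample scan, and the severity rules (cleartext credential services first) are constructed assumptions for the example.

```python
"""From scope definition to a prioritized finding list: parse Nmap's XML
output (nmap -oX), drop anything outside the agreed scope, and rank open
services. Added example, not from the original post; the scope, the sample
scan and the severity rules are constructed assumptions."""
from __future__ import annotations
import ipaddress
import xml.etree.ElementTree as ET

# Assumed rules of engagement: only this range may be tested.
SCOPE = [ipaddress.ip_network("10.0.0.0/24")]

# Assumed triage rule: services that carry credentials in cleartext rank highest.
CLEARTEXT_HIGH = {"telnet", "ftp", "pop3", "imap"}
CLEARTEXT_MEDIUM = {"http"}
RANK = {"high": 0, "medium": 1, "info": 2}

# Constructed sample in Nmap's XML layout, trimmed to the elements used here.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.50.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def in_scope(addr: str, scope=SCOPE) -> bool:
    """True when the address falls inside one of the agreed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in scope)


def severity(service: str) -> str:
    """Assumed triage ranking by service name."""
    if service in CLEARTEXT_HIGH:
        return "high"
    if service in CLEARTEXT_MEDIUM:
        return "medium"
    return "info"


def parse_open_ports(xml_text: str) -> list[dict]:
    """One record per open port: host, port, protocol, service and version string."""
    records = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not findings
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            records.append({"host": addr, "port": int(port.get("portid")),
                            "proto": port.get("protocol"), "service": name,
                            "version": " ".join(p for p in parts if p)})
    return records


def triage(xml_text: str, scope=SCOPE) -> tuple[list[dict], list[str]]:
    """Split results into ranked in-scope findings and out-of-scope hosts that
    must not be touched, even though the scanner happened to see them."""
    findings, out_of_scope = [], []
    for rec in parse_open_ports(xml_text):
        if not in_scope(rec["host"], scope):
            if rec["host"] not in out_of_scope:
                out_of_scope.append(rec["host"])
            continue
        rec["severity"] = severity(rec["service"])
        findings.append(rec)
    findings.sort(key=lambda r: (RANK[r["severity"]],
                                 ipaddress.ip_address(r["host"]), r["port"]))
    return findings, out_of_scope


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_NMAP_XML)
    for f in found:
        print(f"{f['severity']:<6} {f['host']}:{f['port']}/{f['proto']} {f['service']} {f['version']}")
    print("out of scope (not tested):", skipped)
```

    For the sample scan this yields four in-scope findings, with telnet on 10.0.0.5 and FTP on 10.0.0.9 at the top, the closed port 80 ignored, and 192.168.50.7 reported separately as out of scope. That last list is the important one: hosts the scanner stumbles on outside the rules of engagement go into the report as a scoping note, never into the exploitation step.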

    Types of penetration testing:

    • Network service tests. Evaluating the network and the services it exposes for security issues on servers, routers, switches, DNS, IP addressing, and so on.
    • Web application tests. Exercising every function and interface of a web application with both valid and hostile input.
    • Client-side tests. Attacking client-side programs such as email clients and web browsers to exploit vulnerabilities in them.
    • Wireless network tests. Discovering and identifying wireless networks, examining and exploiting their vulnerabilities, reporting, and remediation.
    • Social engineering tests. Targeting people and processes and the weaknesses associated with them. An ethical hacker carries out attacks such as phishing or impersonating a person during the course of their work.

    Some examples of penetration testing tools include:

    • Nmap (host and port discovery, service identification)
    • Nessus (vulnerability scanning)
    • Wireshark (packet capture and traffic analysis)


    3. Code Reviews

    Code reviews improve software security by catching common vulnerabilities, such as buffer overflows, format string bugs, and memory leaks, before the code ships. As a result, developers find and fix vulnerabilities within the development cycle itself, which is far less expensive than correcting code after it has been deployed to production.

    Application security code review focuses on the high-risk parts of the code. Use the threat model and vulnerability assessment to decide which parts must be reviewed manually, and run static application security testing (SAST) tools over the source to flag probable security flaws for the reviewer.

    Code reviews can be automated or manual, and should cover security risks from open-source dependencies, business logic flaws, and whether the QA tests actually exercise the security-relevant paths.

    Following are some best practices for doing security code reviews:

    • Secrets such as passwords, API keys, and tokens should never be hard-coded in the codebase, and sensitive data should be encrypted at rest and in transit.
    • Ensure input validation and output encoding are in place and covered by unit tests with hostile inputs, so that injection and cross-site scripting are caught early. Database queries should use parameterized statements rather than string concatenation.
    • Ensure safe memory practices are followed and there are no memory flaws in the code. This avoids buffer overflows, use-after-free, and similar memory corruption bugs.
    • Check for insecure direct object references and path traversal: authorize every object access, and canonicalize file paths and confirm they stay inside the intended directory before using them.
    • Collaborate and share knowledge with the team about bugs and security issues identified in earlier stages so they can be addressed and avoided.
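    Two of the patterns above are easier to recognize in review when the vulnerable and fixed forms sit side by side. The Python below is an added example, not code from the original post: a query built by string concatenation next to its parameterized replacement, and an unchecked file path next to one that is canonicalized and bounded to a base directory. The users table, its two rows, and the temporary public/secret file layout are constructed for the example; the demo functions run both forms against a benign input and a hostile one so the difference is visible.

```python
"""Two vulnerable/fixed pairs a reviewer should recognise on sight: SQL built
by string concatenation versus a parameterized query, and an unchecked file
path versus a canonicalized, bounded one. Added example, not from the
original post; the schema, rows and file layout are constructed for it."""
from __future__ import annotations
import os
import shutil
import sqlite3
import tempfile


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # BAD: caller-controlled text is pasted into the SQL and parsed as SQL.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # GOOD: the driver binds the value; it can never change the query's structure.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def read_file_vulnerable(base_dir: str, filename: str) -> str:
    # BAD: "../" in filename walks out of base_dir (path traversal).
    with open(os.path.join(base_dir, filename)) as fh:
        return fh.read()


def safe_path(base_dir: str, filename: str) -> str:
    # GOOD: canonicalize first, then check the result is still inside base_dir.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes {base_dir!r}: {filename!r}")
    return target


def read_file_safe(base_dir: str, filename: str) -> str:
    with open(safe_path(base_dir, filename)) as fh:
        return fh.read()


INJECTION = "x' OR '1'='1"   # classic hostile input a reviewer's unit test should include


def sqli_demo() -> dict:
    """What each query returns for a benign and a hostile name."""
    conn = make_db()
    return {
        "vuln_benign": find_user_vulnerable(conn, "alice"),
        "vuln_hostile": find_user_vulnerable(conn, INJECTION),   # returns every row
        "safe_benign": find_user_safe(conn, "alice"),
        "safe_hostile": find_user_safe(conn, INJECTION),         # returns nothing
    }


def traversal_demo() -> dict:
    """Constructed layout: <tmp>/public/notes.txt is servable, <tmp>/secret.txt is not."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "notes.txt"), "w") as fh:
        fh.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("TOP SECRET")
    try:
        out = {
            "vuln_benign": read_file_vulnerable(public, "notes.txt"),
            "vuln_hostile": read_file_vulnerable(public, "../secret.txt"),  # leaks the secret
            "safe_benign": read_file_safe(public, "notes.txt"),
        }
        try:
            read_file_safe(public, "../secret.txt")
            out["safe_hostile"] = "allowed"
        except PermissionError:
            out["safe_hostile"] = "blocked"
    finally:
        shutil.rmtree(root)
    return out


if __name__ == "__main__":
    print("sql:", sqli_demo())
    print("paths:", traversal_demo())
```

    The hostile inputs used here, a quote-and-OR string for the query and a "../" prefix for the file name, are exactly the cases a reviewer should ask to see in the unit tests: if the test suite only ever passes well-formed values, string concatenation and parameter binding look identical, and the review is the only place the difference gets noticed.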

    Some examples of code review tools include:

    • GitHub (pull request reviews)
    • Veracode (static analysis)
    • Review Board


    Conclusion

    By incorporating security testing practices into your software development lifecycle, you can reduce the attack surface and catch vulnerabilities before they reach production. For more information, reach out to your CISO or your IT and security team.

    Tag(s): DevOps

    Pratima Mishra

    Pratima Mishra is a software test professional with more than 10 years of rich and comprehensive experience in test automation in Selenium Web driver with BDD Framework on Cucumber using Java, software testing, quality assurance, and Agile methodologies. Pratima is passionate about designing and implementing...
