Static and Dynamic Testing
The application level is rich in threat vectors that left unattended can create serious vulnerabilities in software. Consistently secure coding practices are difficult to enforce and testing is always needed to achieve confidence.
Application security testing is vital for identifying and mitigating vulnerabilities and weaknesses in software applications, and it helps ensure that applications are robust and secure against potential attacks.
Our experienced security team follows this process for application security testing:
Scoping and Planning - establish a clear understanding of the application's architecture, functionality, and potential security risks. This may include reviewing design documentation, source code, security requirements and regulatory guidelines. Once scoping is completed, a skeleton test plan is produced, to confirm the scope and approach.
Static Application Security Testing (SAST) is usually the first step, where a code scan is within scope. This activity uses tools to scan for code errors, insecure coding practices and potential security flaws. There is a lot of emphasis on field validation and detailed analysis of all possible routes through the code, which means tools are the best option.
Dynamic Application Security Testing (DAST) would then be performed, using dynamic analysis techniques to analyse the application’s behaviour while it is running. This includes simulating attacks, injecting test data with fuzzing while monitoring the application to identify vulnerabilities including cross-site scripting (XSS), SQL injection and insecure configuration.
Following these two tool-based activities, manual security testing is usually carried out. This is exploratory in nature, focuses on edge cases, and uses expert knowledge to identify security weaknesses that tools may miss.
Once testing is complete, our team will compile and walk through a comprehensive test report to summarise findings and recommendations. Re-testing can be carried out if needed once fixes have been applied.
One of the core tools we use for our SAST / DAST approach is OpenText Fortify.