Systems testing is a vitally important part of any software development project. How else can you confirm that the delivered system actually meets its specifications? We have worked with many development teams, both testing application systems (primarily distributed, network, client-server and web-based systems) and managing security testing activities professionally.
Testing compliance with a documented security design and corporate information security policies is relatively straightforward, of course, but in practice we usually test newly developed IT systems against undefined (and often incompletely understood) security/control requirements.
The process we adopt depends on the resources available and the general state of the project. Quick, unstructured, guerrilla-style technical testing (such as brute-force attacks on user authentication systems and SQL injection attacks on online systems) often demonstrates severe security weaknesses in a badly-designed system. Strong systems built by professional development teams using formal development methods may require more elaborate technical testing to find security bugs, but we have demonstrated security vulnerabilities on every single system we have tested to date, including gross errors such as a ‘secret key sequence’ that broke an access control system wide open. As independent testers with extensive knowledge of security/control concepts, we are not constrained by the design-and-development team's own thought processes or mind-space. Generally speaking, hackers, fraudsters and social engineers aren’t so constrained either.
Procedural review is an important tool in our testing toolbox that clients have often overlooked. Technical security controls are unlikely to work properly without the corresponding operational and management processes: we therefore check the procedure manuals, process flows, help screens, training guides, etc. for information relating to the quality of the embedded technical controls. Again, for a badly-designed system, this testing may be over in a flash, as the user documentation is unlikely even to be complete, let alone to cover information security controls in sufficient detail. Better systems tend to have better documentation, as a rule, although security/control is not often recognised as a driver. In most cases, we can point out the need for more specific instructions to users and managers, and may even help prepare additional materials such as control manuals, security admin procedures and training courses.
Call us for more information on our security testing services.