Security Testing·Lesson 1 of 5

Security Testing Fundamentals

Security testing is the practice of evaluating software to identify vulnerabilities, threats, and risks that could lead to unauthorized access, data breaches, or system compromise. As a tester, understanding security fundamentals is your first line of defense.

Why Security Testing Matters

Every application handles some form of sensitive data. Whether it is user credentials, payment information, or personal details, a single vulnerability can expose thousands of users. Security breaches cost companies an average of $4.45 million per incident.

Consider the impact:

| Impact Area | Consequence |
|---|---|
| Financial | Fines, lawsuits, remediation costs |
| Reputation | Loss of customer trust |
| Operational | Downtime, incident response overhead |
| Legal | Regulatory violations (GDPR, HIPAA) |

The CIA Triad

The foundation of all security work rests on three principles:

  • Confidentiality -- Only authorized users can access sensitive data
  • Integrity -- Data cannot be modified without detection
  • Availability -- Systems remain accessible when needed

Every vulnerability you find will violate at least one of these principles.

Types of Security Testing

There are several approaches to security testing, each with a different scope and depth:

1. Vulnerability Assessment

A broad scan to identify known vulnerabilities in an application or infrastructure.

# Example: Running a basic Nmap scan to discover open ports
nmap -sV -sC -oN scan-results.txt target-app.com

# Output shows open ports and services
# PORT     STATE SERVICE  VERSION
# 80/tcp   open  http     nginx 1.25.3
# 443/tcp  open  ssl/http nginx 1.25.3
# 3306/tcp open  mysql    MySQL 8.0.35

A database port (3306) open to the internet is a critical finding.
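To turn that observation into a repeatable check, the sketch below parses Nmap normal (-oN) output and flags open data-store ports. It is an added example, not part of the original lesson; the sample report is constructed from the rows above plus one filtered port, and the service policy list is an assumption.

```python
import re

# Assumed policy list (the lesson names only MySQL on 3306): Nmap service
# names for data stores that should not be reachable from the internet.
DATA_STORES = {"mysql", "postgresql", "ms-sql-s", "redis"}

# A port line in Nmap normal output: PORT STATE SERVICE [VERSION]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: the three rows from the lesson plus one filtered port.
SAMPLE_REPORT = """\
Nmap scan report for target-app.com
PORT     STATE    SERVICE    VERSION
80/tcp   open     http       nginx 1.25.3
443/tcp  open     ssl/http   nginx 1.25.3
3306/tcp open     mysql      MySQL 8.0.35
5432/tcp filtered postgresql
"""

def parse_ports(report):
    """Return one dict per port line; banner, header and script lines are skipped."""
    rows = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        # -sV reports TLS-wrapped services as "ssl/<name>"; keep the inner name.
        service = service.split("/")[-1]
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": version.strip()})
    return rows

def exposed_data_stores(report):
    """Open ports whose detected service is on the policy list."""
    return [r for r in parse_ports(report)
            if r["state"] == "open" and r["service"] in DATA_STORES]

if __name__ == "__main__":
    for f in exposed_data_stores(SAMPLE_REPORT):
        print(f"CRITICAL {f['port']}/{f['proto']} {f['service']} {f['version']}")
```

The filtered PostgreSQL port is parsed but not reported, because only ports in the open state count as exposed.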

2. Penetration Testing

Simulating real attacks against the system to exploit vulnerabilities.

3. Security Auditing

Reviewing code, configurations, and policies against established standards.

4. Risk Assessment

Evaluating the likelihood and impact of identified threats.

Threat Modeling with STRIDE

Threat modeling helps you think like an attacker. The STRIDE framework categorizes threats:

| Threat | Description | CIA Violation |
|---|---|---|
| Spoofing | Pretending to be someone else | Confidentiality |
| Tampering | Modifying data without authorization | Integrity |
| Repudiation | Denying an action was performed | Integrity |
| Information Disclosure | Exposing data to unauthorized users | Confidentiality |
| Denial of Service | Making a system unavailable | Availability |
| Elevation of Privilege | Gaining unauthorized access levels | Confidentiality |

Building a Threat Model

Here is a practical approach to threat modeling a web application:

1. Identify Assets
   - User credentials (passwords, tokens)
   - Payment data (credit cards, billing)
   - Personal information (names, emails, addresses)

2. Identify Entry Points
   - Login forms
   - API endpoints
   - File upload fields
   - URL parameters

3. Identify Threats (per entry point)
   - Login form -> Brute force, credential stuffing
   - API endpoint -> Injection, broken auth
   - File upload -> Malicious file execution
   - URL params -> XSS, SQL injection

4. Rate Each Threat (DREAD scoring)
   - Damage potential (0-10)
   - Reproducibility (0-10)
   - Exploitability (0-10)
   - Affected users (0-10)
   - Discoverability (0-10)
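The four steps above can be kept as a small threat register that is scored and ranked. The following is an added example, not part of the original lesson: it averages the five ratings (the usual DREAD convention, which the lesson does not spell out), and the STRIDE labels and all scores are illustrative assumptions.

```python
from statistics import mean

# CIA column copied from the lesson's STRIDE table.
STRIDE_TO_CIA = {
    "Spoofing": "Confidentiality",
    "Tampering": "Integrity",
    "Repudiation": "Integrity",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Confidentiality",
}

# Constructed register. Entry points and threats come from step 3; the STRIDE
# labels and the scores (damage, reproducibility, exploitability, affected
# users, discoverability) are illustrative assumptions.
THREATS = [
    ("Login form", "Brute force", "Spoofing", (6, 9, 5, 4, 9)),
    ("Login form", "Credential stuffing", "Spoofing", (8, 9, 7, 8, 9)),
    ("File upload", "Malicious file execution", "Elevation of Privilege", (10, 5, 4, 6, 5)),
    ("URL params", "SQL injection", "Tampering", (9, 8, 6, 9, 7)),
]

def dread_score(scores):
    """Average the five DREAD ratings, rejecting incomplete or out-of-range input."""
    if len(scores) != 5:
        raise ValueError("DREAD needs exactly five ratings")
    if any(not isinstance(s, int) or not 0 <= s <= 10 for s in scores):
        raise ValueError("each rating must be an integer from 0 to 10")
    return round(mean(scores), 1)

def rank(threats):
    """Return threats sorted by DREAD score, highest first, with the CIA principle at stake."""
    rows = [
        {"entry": entry, "threat": threat, "cia": STRIDE_TO_CIA[stride],
         "score": dread_score(scores)}
        for entry, threat, stride, scores in threats
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for row in rank(THREATS):
        print(f"{row['score']:>4}  {row['entry']:<12} {row['threat']:<26} {row['cia']}")
```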

The Security Testing Lifecycle

Security testing is not a one-time activity. It follows a continuous cycle:

┌────────────────┐
│ Planning       │ ──> Define scope, rules of engagement
└───────┬────────┘
        ▼
┌────────────────┐
│ Reconnaissance │ ──> Gather information about the target
└───────┬────────┘
        ▼
┌────────────────┐
│ Scanning       │ ──> Identify vulnerabilities
└───────┬────────┘
        ▼
┌────────────────┐
│ Exploitation   │ ──> Attempt to exploit findings
└───────┬────────┘
        ▼
┌────────────────┐
│ Reporting      │ ──> Document findings with severity
└───────┬────────┘
        ▼
┌────────────────┐
│ Remediation    │ ──> Fix and verify
└────────────────┘

Setting Up Your Security Testing Environment

You need a safe environment to practice. Never test against production systems without authorization.

# Install OWASP ZAP (Zed Attack Proxy)
# macOS
brew install --cask owasp-zap

# Linux (Debian/Ubuntu)
sudo apt install zaproxy

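# Pull a vulnerable practice app
docker pull bkimminich/juice-shop
# Publish the port on loopback only, so the vulnerable app is not reachable from other hosts on your network
docker run -d -p 127.0.0.1:3000:3000 bkimminich/juice-shop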

# The Juice Shop is now running at http://localhost:3000
# This is an intentionally vulnerable app for learning

Writing a Security Test Plan

Every security engagement starts with a test plan:

## Security Test Plan: [Application Name]

### Scope
- In scope: Web application at app.example.com
- Out of scope: Third-party integrations, infrastructure

### Objectives
- Identify OWASP Top 10 vulnerabilities
- Test authentication and authorization mechanisms
- Verify input validation and output encoding

### Tools
- OWASP ZAP (automated scanning)
- Burp Suite (manual testing)
- Nmap (network scanning)

### Timeline
- Reconnaissance: Day 1
- Automated scanning: Day 2
- Manual testing: Days 3-4
- Reporting: Day 5

### Rules of Engagement
- No denial of service attacks
- No social engineering
- Testing hours: 9 AM - 5 PM
- Emergency contact: security@example.com

Key Takeaways

  • Security testing identifies vulnerabilities before attackers do
  • The CIA triad (Confidentiality, Integrity, Availability) guides all security work
  • STRIDE helps you systematically model threats
  • Always test in controlled environments with proper authorization
  • Security testing is a continuous process, not a one-time event

In the next lesson, you will dive deep into the OWASP Top 10, the most critical security risks facing web applications today.