What Is Automated Security Testing?

Automated Security Testing Overview

In order to look at what automated security testing is, it makes sense to first look at what security testing is. And we can divide security testing into three different parts.

Testing

When talking about security testing, most people mean test-driven security. Test-driven security is comparable to test-driven development. First, you define the security requirements, that is, the requirements your application should comply with. After defining the requirements, you write a test per requirement. When you have written a test and run it, you'll probably see that it initially fails, of course only when the control isn't implemented yet; otherwise, it will pass. So, when it fails, you implement the control or the mitigation, and then you verify that the test passes. This process continues until a test has been written for each of the security requirements you defined before. This is the model of test-driven security.

Happy path testing

Test Paths

➕ Positive testing

▪ Positive testing is also known as happy path testing. You're testing whether a given input yields a given result. So the input is known, as well as the result. An example would be entering a valid username and password and verifying whether the user can log on.

➖ Negative testing

▪ Negative testing is also known as sad path or bad path testing. That's when something happens that you didn't expect. Either you get an error message back (the bad path), or you don't get any error message at all (the sad path). This is also known as failure testing.

▪ Negative Testing is Difficult

🔻 How do we know what it’s not supposed to do?

🔻 Instead of a finite set of inputs, there are unlimited different inputs

🔻 Output doesn’t always show the error (sad path)
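The test-driven security cycle described above, applied to the positive and negative login cases from these slides, as an added example that is not part of the course material: the login requirement is written as tests first, and the hypothetical `UserStore.authenticate` is the control implemented to make them pass. Names and the generic error text are assumptions.

```python
import hashlib
import hmac
import os


class AuthError(Exception):
    """Generic failure so the error never reveals whether the user exists."""


def _hash_password(password: str, salt: bytes) -> bytes:
    # Hypothetical control: salted PBKDF2 instead of a plaintext comparison.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown user costs as much as a wrong password.
            _hash_password(password, b"\x00" * 16)
            raise AuthError("invalid username or password")
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            raise AuthError("invalid username or password")
        return True


# Requirement 1, positive / happy path: known input (valid credentials)
# yields the known result (the user is logged on).
def test_valid_login() -> bool:
    store = UserStore()
    store.add_user("alice", "correct horse")  # constructed sample user
    return store.authenticate("alice", "correct horse")


# Requirement 2, negative / bad path: a wrong password and an unknown user
# are both rejected, and with the same message. A silent return here would
# be the "sad path" the slides warn about, so the test treats it as failure.
def test_rejection_is_generic() -> bool:
    store = UserStore()
    store.add_user("alice", "correct horse")
    messages = set()
    for user, pw in (("alice", "wrong"), ("nobody", "wrong")):
        try:
            store.authenticate(user, pw)
            return False  # sad path: no error surfaced at all
        except AuthError as err:
            messages.add(str(err))
    return len(messages) == 1
```

Run the tests against an `authenticate` that still compares plaintext or says "unknown user" and the second test fails first; the control is then changed until both pass, which is the cycle the paragraph above describes.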

Methods of Testing

Static testing

▪ Nothing is executed

▪ Static source code review

▪ Configuration review

Dynamic testing

▪ Running code or application

▪ Dynamic application security testing

▪ Network vulnerability scanning

Types of Security Testing

Static application security testing

Dynamic application security testing

Vulnerability scanning
