Security Testing: a QE perspective

Anisha Narang
5 min read · Jun 24, 2022


Making sure that your application is secure is becoming increasingly important, and Software Quality Engineers are often asked to perform security testing of an application simply because the word ‘testing’ is in it. Is it really the same as testing the application? The same ask landed on my plate too, and I decided to dig deeper to see how Quality Engineers can actually contribute in this space and whether it is even worth the effort. In this post, I share a few key findings and my opinion.

The WHY and WHAT of security testing?

  • The purpose is to identify as many vulnerabilities and threats as possible in a given application, so as to prevent malicious attacks by intruders that might lead to data loss or revenue loss.

Can the Quality Engineering team do some bit of security testing?

  • Security testing has a steep learning curve and a vast scope; there is no single rule that fits all applications. Each application needs to be understood well in order to decide whether it needs security testing or not.
  • Yes, QE teams can help. Based on my understanding, the least that QE teams can contribute is some automated security test scans. Now, can you scan production environments, or does it have to be pre-production? I think either should be okay, provided you have permission to do so; you should also inform the relevant security teams at your company that you will be performing scans, because they might have monitoring in place to track malicious activity.
  • Also, the general rule of testing applies here too: the earlier a vulnerability is identified, the better.

How to get started?

  • Understanding the Top 10 Web Application Security Risks is a good way to get started. This will give you an overview of which vulnerabilities to look for in your application and help you take an informed decision on whether a particular vulnerability can even exist in your application. For example: if your application does not use a SQL database, then checking for a SQL injection vulnerability would not be worth the effort.
  • After looking at a couple of tools, the OWASP Zed Attack Proxy (ZAP) seems to be a promising open-source tool to get started with automated security test scans. It is a widely used web application scanner; its documentation and download page are the place to start.
[Image: OWASP ZAP Desktop]
  • Along with the desktop app, you can also familiarise yourself with ZAP Docker. You can explore the Baseline, Full and API scans with the Docker image, depending on the requirements of the application.
  • Once you have the ZAP app set up and have run the scans against an endpoint, a number of alerts will be raised, which can be overwhelming at first sight because you will not yet understand what they mean or refer to. In that case, I suggest going through the list of alerts and understanding what they mean.

A few things stood out while exploring OWASP ZAP Desktop hands-on, which I’d like to record here:

  • Scan Policy Manager: When you run the scan, there is a way for you to add or remove scan policies. In the menu bar, go to Analyse > Scan Policy Manager; you will see “Default Policy” there, and you can Add or Modify any policy.
[Image: Scan Policy Manager]
  • Options and Settings: There are a lot of options to configure in the ZAP tool. One common issue is adding a proxy when all your applications sit behind one and you need to reach them. Go to the settings icon or Tools > Options and type “proxy” into the search box; this brings up the options where you can make the required proxy changes.
[Image: Adding a proxy in ZAP]
  • Import OpenAPI Definition: If your application has an OpenAPI spec, you can point ZAP at it and run the relevant scan. Go to Import > Import OpenAPI Definition from a URL, and fill in the relevant details for your application.
[Image: Importing an OpenAPI spec definition]
  • Generating Reports: After you have successfully performed the scans, you might want to generate reports to share with your team. To generate a report, go to Report > Generate Report, then update the report name, title and directory; you can also select a report template based on the details you want to include.
[Image: Generating reports in ZAP]
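As an added example (mine, not code from the post or from the ZAP project) of how to make that list of alerts less overwhelming and turn it into something shareable: the script below reads a ZAP JSON report (the file the Docker scan scripts write with `-J`, or that Report > Generate Report produces with a JSON template), orders the alerts by risk, counts them per level, decides whether a pipeline run should pass, and writes a rule file in the format `zap-baseline.py` reads with `-c`. The report embedded in it is a constructed sample shaped like ZAP's traditional JSON output (site > alerts > instances), not real scan output, and the FAIL/WARN/IGNORE thresholds are this example's own convention rather than ZAP defaults.

```python
import json
from collections import defaultdict

# ZAP encodes the risk of an alert as a string riskcode:
# 0 = Informational, 1 = Low, 2 = Medium, 3 = High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample, shaped like ZAP's traditional JSON report
# (site -> alerts -> instances); not output from a real scan.
SAMPLE_REPORT = json.dumps({
    "@version": "2.11.1",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "cweid": "693",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"},
                           {"uri": "https://app.example.test/login", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "cweid": "693",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"}]},
            {"pluginid": "40018", "alert": "SQL Injection",
             "riskcode": "3", "confidence": "2", "cweid": "89",
             "instances": [{"uri": "https://app.example.test/search?q=test", "method": "GET"}]},
            {"pluginid": "10027", "alert": "Information Disclosure - Suspicious Comments",
             "riskcode": "0", "confidence": "1", "cweid": "200",
             "instances": [{"uri": "https://app.example.test/app.js", "method": "GET"}]},
        ],
    }],
})


def load_alerts(report_json):
    """Flatten site -> alerts into plain dicts, highest risk first."""
    data = json.loads(report_json)
    alerts = []
    for site in data.get("site", []):
        for a in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "pluginid": a["pluginid"],
                "name": a["alert"],
                "risk": int(a.get("riskcode", 0)),
                "confidence": int(a.get("confidence", 0)),
                "cwe": a.get("cweid", ""),
                "instances": len(a.get("instances", [])),
            })
    return sorted(alerts, key=lambda x: (-x["risk"], -x["confidence"], x["name"]))


def summarize(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 1, ...}."""
    counts = defaultdict(int)
    for a in alerts:
        counts[RISK_NAMES[a["risk"]]] += 1
    return dict(counts)


def highest_risk(alerts):
    """Highest riskcode present (0 when the report has no alerts)."""
    return max((a["risk"] for a in alerts), default=0)


def scan_passes(alerts, max_allowed_risk=1):
    """Gate for a pipeline: pass only if nothing exceeds max_allowed_risk."""
    return highest_risk(alerts) <= max_allowed_risk


def baseline_rules(alerts, fail_at=3, warn_at=1):
    """Write rule lines in the format zap-baseline.py reads with -c
    (and generates with -g): '<pluginid>\\t<FAIL|WARN|IGNORE>\\t(<name>)'.
    The thresholds are this example's own convention, not ZAP defaults."""
    lines = []
    for a in alerts:
        if a["risk"] >= fail_at:
            action = "FAIL"
        elif a["risk"] >= warn_at:
            action = "WARN"
        else:
            action = "IGNORE"
        lines.append(f"{a['pluginid']}\t{action}\t({a['name']})")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = load_alerts(SAMPLE_REPORT)
    print("Alerts by risk:", summarize(found))
    for a in found:
        print(f"{RISK_NAMES[a['risk']]:<13} {a['pluginid']:>6}  {a['name']} "
              f"({a['instances']} instance(s), CWE-{a['cwe']})")
    print("Scan passes at Low or below:", scan_passes(found))
    print("\nzap-baseline rule file:\n" + baseline_rules(found), end="")
```

Reading the report as data rather than scrolling the alert tree has two practical benefits: the risk-ordered summary is what a team lead wants to see first, and the generated rule file, once the team has decided which alerts are acceptable for a given application, is what makes a baseline scan fail a pipeline only on the findings that matter.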

GitHub source code: https://github.com/zaproxy/zaproxy

How can I use ZAP docker?

You should be able to follow the documentation and run ZAP Docker. If you have a Mac with an M1 chip, you may need to build a new image for the arm64 architecture and use that instead.

You can also explore RapiDAST, which has OWASP ZAP as its core engine and uses the ZAP container itself. It is currently under active development and provides a framework for dynamic scanning of web apps and APIs.

Thanks for reading through; any comments or feedback are appreciated. Also, if you have worked on something similar, feel free to share your learning curve in the comments below.
