11 Security testing


This chapter covers

  • The similarities in skill sets for those working in testing or security-focused fields
  • Detecting security threats using modeling
  • How to apply a security mindset to a range of testing activities

For some, the idea of security testing conjures up images of individuals carrying out highly technical, complex attacks that uncover unimaginable exploits in our systems. Knowing how systems work, how they can be exploited, and how to use tools to discover threats is a key ingredient of successful security testing, but this image promotes the mistaken idea that security testing is an exclusive club open only to those with superhuman technical skills. Security testing isn’t just about “hacking systems”; it requires intentional planning and analysis to detect threats and to prioritize them. All of this involves a wide range of activities, skills, and techniques, some of which we’ve already learned in previous chapters.

11.1 Working with threat models

11.1.1 Creating a model

11.1.2 Discovering threats with STRIDE

11.1.3 Creating threat trees

11.1.4 Mitigating threats

11.2 Applying a security mindset to our testing

11.2.1 Security testing in testing API design sessions

11.2.2 Exploratory security testing

11.2.3 Automation and security testing

11.3 Security testing as part of a strategy

Summary