Blog

Security testing – choose what you really need. Part II

There are two types of security testing: Penetration testing and Vulnerability Assessment. Each having goals and objectives. The goal of penetration testing is enter a web-application internal infrastructure, cease control over the internal servers or access the important information.
7 August 2014
Cybersecurity testing
The article by a1qa
a1qa

Previously we discussed which type of security testing you need to define how well your system is protected.

Types of security testing

There are two types of security testing: Penetration testing and Vulnerability Assessment. Each having goals and objectives. The goal of penetration testing is enter a web-application internal infrastructure, cease control over the internal servers or access the important information.

Vulnerability assessment includes more comprehensive system check. Its main goal is to identify system drawbacks and vulnerabilities that can lead to getting unauthorized access or possible users discrediting. All the detected defects get qualified according to the level of risk and influence upon the general system security state. Usually specialists do not exploit the detected vulnerabilities; still it can be done if the parties have agreed.

Above this all, vulnerability assessment takes much time and is often held to comply with standard requirements.

Let`s have a look at a case that shows difference between penetration testing and vulnerability assessment.

Imagine that we`ve detected a bug: absence of HttpOnly security flag in cookie file with identifier of user session. Flag Absence allows stealing user cookie applying cross-site scripting method. In the context of vulnerability assessment this is definitely a defect and it should be described in the final report. Still, for penetration testing this case will considered a defect, if it allowed a tester to access the authorized user account, otherwise the defect won`t be described in the report.

Next criterion for choosing type of security testing is system data provided to analysts. The provided data defines which testing method will be chosen. There can be three of them:

  • Black box testing – tester receives none system information except the list of IP-addresses or the website link;
  • Grey box testing – testers receive valid accounts and limited system information;
  • White box testing – testers get full information about the system: accounts, network maps, technological specifications, web-applications source code.

As you can see the “whiter” your “box”, the more detailed information about system security you get in the end of the testing process, and the more important information third party gets, hence the more expensive and time-consuming the testing process is.

The last criterion is system entry point. This criterion is valid only for performing penetration testing on local network level. In case like this there are two options:

  • External penetration test – only external company IP-addresses accessible from the internet are tested;
  • Internal penetration test – test is performed inside the corporate network. Testers work inside your team in company office or work via VPN access.

Usually, internal penetration test is performed to comply with requirements of domain standards; or to check security level against inside attacks, i.e. those executed by company staff.

So in a nutshell, we went through all the criteria of choosing security testing method. Combining them you can correctly define your requirements to a testing company. For example, if you need a thorough check of your system, choose a combination of vulnerability assessment and white box penetration testing. If the budget is limited – choose black box penetration testing.

I think this kind of arguments sound much better than “We need security testing”. Use this article to carefully define your needs to testers, don`t waste time on useless talking.

More Posts

On the pulse of 2024: optimizing the adoption of eHealth trends with QA
15 February 2024,
by a1qa
4 min read
On the pulse of 2024: optimizing the adoption of eHealth trends with QA
Generative AI, cybersecurity, AR/VR — come and explore how these trends are reshaping the future of healthcare and how QA helps implement them with confidence.
Cybersecurity testing
Functional testing
Performance testing
QA trends
Navigating the future: QA trends that will define 2024. Part 2
30 January 2024,
by a1qa
4 min read
Navigating the future: QA trends that will define 2024. Part 2
We continue exploring QA trends, helping businesses remain competitive in 2024.
Cloud-based testing
Cybersecurity testing
QA trends
Quality assurance
The year in valuable conversations: recapping 2023 a1qa’s roundtables for IT executives 
8 December 2023,
by a1qa
3 min read
The year in valuable conversations: recapping 2023 a1qa’s roundtables for IT executives 
From dissecting novel industry trends to navigating effective ways of enhancing software quality — let’s recall all a1qa’s roundtables. Join us!
Big data testing
Cybersecurity testing
Functional testing
General
Interviews
Performance testing
QA trends
Quality assurance
Test automation
Usability testing
Web app testing
black-friday
22 November 2023,
by a1qa
4 min read
Get ready for Black-Friday-to-Cyber-Monday shopping: 5 testing types to include in your QA strategy
What’s your nightmare during Black Friday and Cyber Monday shopping? If it’s a loss of sales, read about the ways to prevent this in the article.
Cybersecurity testing
Functional testing
Localization testing
Performance testing
Usability testing
6 top reasons why business should invest in software quality
9 November 2023,
by a1qa
4 min read
6 top reasons why business should invest in software quality
We congratulate you on the World Quality Day with the article by Alina Karachun, Account director at a1qa, having 10+ years of QA expertise. Delve into it to explore the reasons why businesses should prioritize software quality.
Cybersecurity testing
Functional testing
General
Interviews
Performance testing
Quality assurance
streaming services
30 October 2023,
by a1qa
3 min read
Enable crash-proof streaming platforms for Holidays season
Ho ho ho! It’s time to prepare your streaming products for the influx of viewers. Read about how to put peak-load anxiety behind by applying rigorous testing of your IT solution.
Cybersecurity testing
Functional testing
Performance testing
Usability testing
On the way to Web 3.0: key software testing aspects for seamless digital experiences. Part 2
12 October 2023,
by a1qa
4 min read
On the way to Web 3.0: key software testing aspects for seamless digital experiences. Part 2
Let’s analyze essential software testing checks to improve the quality of the business-critical Web 3.0 functionality.
Cybersecurity testing
Functional testing
Performance testing
Quality assurance
Test automation
Usability testing
gaming-qa
24 August 2023,
by a1qa
4 min read
Ready, steady, test: How QA drives seamless gaming experiences
Why is QA pivotal for delivering unmatched player experiences? How to level up video game quality? Find the answers in the article.
Cybersecurity testing
Functional testing
Localization testing
Performance testing
Quality assurance
Test automation
Usability testing
12jun202311
22 June 2023,
by a1qa
4 min read
The ins and outs of ensuring OSS/BSS software quality: a hands-on guide
The need for OSS/BSS’ flawless operation is undisputable, but how can we reach that goal? Inter alia, a1qa suggests focusing on delivering high software quality to the end users.
Cybersecurity testing
Functional testing
General
Performance testing

Get in touch

Please fill in the required field.
Email address seems invalid.
Please fill in the required field.
We use cookies on our website to improve its functionality and to enhance your user experience. We also use cookies for analytics. If you continue to browse this website, we will assume you agree that we can place cookies on your device. For more details, please read our Privacy and Cookies Policy.