Code auditing (functional testing) is an excellent product for testing the most common issues facing mobile applications, but you have to consider black box testing as well so that the hidden problems in your applications will come to light.

The problem of insecure software is a significant technical and professional challenge nowadays. The ongoing rise of web and mobile applications enabling business, social networking and more has only increased the need for a more robust approach to securing corporate and private data.

It goes without saying that you can’t build a secure application without performing security testing on it. Testing is part of a broader approach to building a secure system. Many software development organizations do not include security testing as part of their standard software development process. What is even worse is that many security vendors deliver testing with varying degrees of quality and rigor.

Recently, there have been many new security-related regulations (GDPR, Datenschutz, etc.) that make security testing mandatory. This time-consuming process only happens before deployment, which makes developers’ lives much harder. In theory, these black box testing approaches are impressive, but the additional workload they create is considerable.

There has to be a better solution. How about automated testing tools?

Several companies are selling automated security analysis and testing tools. Remember:

“Tools do not make software secure! They help scale the process and help enforce policy.” – Michael Howard, 2006

These tools can also be seductive since they do find lots of potential issues. While running the tools doesn’t take much time, each one of the potential problems takes time to investigate and verify. If the goal is to find and eliminate the most severe flaws as quickly as possible, consider whether your time is best spent with automated tools or with the techniques described in this guide. 

These tools would make sense as parts of a well-balanced DevOps process. Used wisely, they can support your overall operations to produce more secure code and provide more than generic results – especially if combined with code auditing.

Approaches to black box security testing

For black box testing you have to go deep into procedures such as Boundary Value Analysis (which helps you find errors at the boundaries of input values rather than in the center), Equivalence Class Partitioning (which reduces the number of possible inputs to a small yet effective set), Decision Table Based Testing (the most rigorous approach), the Cause-Effect Graphing Technique (which considers only a system’s desired external behavior) or Error Guessing (if you are already an experienced tester).
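To make the first two techniques concrete, here is an added example (not code from the original post or from App-Ray) that applies Boundary Value Analysis and Equivalence Class Partitioning to a hypothetical username validator. The validator, its length limits and allowed character set are assumptions chosen for illustration. The example also includes a constructed off-by-one variant of the validator to show what each technique does and does not catch.

```python
"""Boundary Value Analysis (BVA) and Equivalence Class Partitioning (ECP)
applied to a hypothetical input validator. Added example; the validator and
its constraints are assumptions, not part of any real product."""

from dataclasses import dataclass

# Assumed constraints of the validator under test.
MIN_LEN, MAX_LEN = 3, 20
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789_")


def validate_username(name: str) -> bool:
    """Hypothetical validator: accepts 3..20 characters drawn from ALLOWED."""
    if not isinstance(name, str):
        return False
    if not MIN_LEN <= len(name) <= MAX_LEN:
        return False
    return all(c in ALLOWED for c in name)


def validate_username_buggy(name: str) -> bool:
    """Constructed off-by-one variant: wrongly rejects the maximum length."""
    if not isinstance(name, str):
        return False
    if not MIN_LEN <= len(name) < MAX_LEN:  # '<' instead of '<=' is the defect
        return False
    return all(c in ALLOWED for c in name)


@dataclass(frozen=True)
class Case:
    name: str       # label used in reports
    value: str      # input handed to the black box
    expected: bool  # behaviour the specification demands


def boundary_cases(min_len: int = MIN_LEN, max_len: int = MAX_LEN, fill: str = "a"):
    """BVA: probe each length boundary and its immediate neighbours."""
    cases = []
    for label, n in (("min-1", min_len - 1), ("min", min_len), ("min+1", min_len + 1),
                     ("max-1", max_len - 1), ("max", max_len), ("max+1", max_len + 1)):
        cases.append(Case(f"bva:{label}", fill * n, min_len <= n <= max_len))
    return cases


def equivalence_cases():
    """ECP: one representative per input class instead of every possible input."""
    return [
        Case("ecp:valid", "user_01", True),
        Case("ecp:empty", "", False),
        Case("ecp:uppercase", "User01", False),
        Case("ecp:whitespace", "user 01", False),
        Case("ecp:non_ascii", "us\u00e9r01", False),
        Case("ecp:control_char", "user\x0001", False),
    ]


def run_cases(fn, cases):
    """Return the names of cases whose observed result differs from expectation."""
    return [c.name for c in cases if fn(c.value) != c.expected]


if __name__ == "__main__":
    for label, fn in (("correct", validate_username), ("buggy", validate_username_buggy)):
        print(label, "BVA failures:", run_cases(fn, boundary_cases()))
        print(label, "ECP failures:", run_cases(fn, equivalence_cases()))
```

Running it shows the point of combining the techniques: the equivalence classes alone pass against both validators, because the single valid representative sits in the middle of the range, while the boundary case at exactly MAX_LEN exposes the off-by-one in the buggy variant.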

Whichever black box security testing technique you use, you will become more practiced with it and come to see its pros and cons.

Security testing has no holy grail, no tool to solve all your problems uniformly. It is wisest to find the methods, knowledge and tools that will move you forward.

If you’re building, designing or testing software, I strongly encourage you to get familiar with the best practices in security testing. Code auditing is an excellent product for testing the most common issues facing mobile applications, but it is not exhaustive. Consider black box testing as well so that the hidden problems in your applications will come to light. 

We at App-Ray would like to thank all of our existing and future users for helping us make mobile applications more secure.