Application security is an important aspect of network protection that is often overlooked.
Most people have the basic security measures in place (antivirus, strong passwords, etc.), but many neglect to vet the applications that they use on their workstations, personal computers, and mobile devices. Similarly, many applications have a solid functional framework but lack a testing approach to identify problems that could leave a security gap in an otherwise safe network.
When users run a software program or open an application, they have a reasonable expectation that it will perform without causing problems. Simple bugs or glitches are one thing, but actively causing damage is another. If a legitimate and trusted application can be manipulated to execute malicious code or leak data, then it presents a huge risk for the entire network.
Ethical developers have a responsibility to ensure that their applications are reasonably secure. But what goes into application security testing?
Schools of thought
There are two main approaches to application security testing: white box and black box. The distinction is whether the tester has access to information about the program's internal workings (white box) or not (black box). Both are effective for different reasons, and many specific techniques can be applied under either approach.
White box testing
White box testing typically involves manually reviewing the application's source code, architecture, structure, and data flow to confirm that it operates correctly, effectively, and securely. This review may take place between development phases or proactively during planning and design.