What are the most common security testing mistakes?

In addition to having a comprehensive plan, security testing should be performed beyond the restrictions that come with point in time testing. Historical pain points if any and future plans of implementation of current test scope should be a critical factor.

One of the most common security testing mistakes is to perform security testing without a clear and comprehensive plan that defines the scope, objectives, methods, tools, and metrics of the testing process. A security testing plan helps to ensure that the testing is consistent, systematic, thorough, and aligned with the business and technical requirements of the system or application. Without a security testing plan, the testing may be incomplete, inaccurate, inefficient, or irrelevant.

Effective security testing requires a multidisciplinary approach. Common mistakes include inadequate risk assessment leading to undetected vulnerabilities, failure to adjust compliance resulting in legal penalties, and lack of governance leading to overlooked weaknesses, Neglecting business impact analysis can result in financial loss and reputational damage. Furthermore, a static testing approach, without considering evolving threats such as AI-based attacks or human-related vulnerabilities, can expose the system to modern cyberthreats.

A security testing plan should not only provide detailed information about the test phase, including important information such as testing purpose, in-scope, out-of-scope items, timeline, tools, testing risks, and contact points, but also support testers in obtaining test approval. Before running the test, stakeholders must approve all test plans to prevent the risk of executing them without informing project members.

Another common security testing mistake is to use the wrong or outdated tools and techniques for the testing. Security testing requires a variety of tools and techniques that can help to identify and exploit different types of vulnerabilities and risks, such as SQL injection, cross-site scripting, broken authentication, insecure data storage, and so on. The tools and techniques should be chosen based on the characteristics and features of the system or application, as well as the security testing objectives and criteria. Using the wrong or outdated tools and techniques may result in false positives, false negatives, or missed vulnerabilities.

A third common security testing mistake is to test from only one perspective, such as the developer, the user, or the attacker. Security testing should be performed from different perspectives to ensure that the system or application is secure from all possible angles and scenarios. For example, testing from the developer's perspective may help to check the code quality and compliance with security standards and best practices, testing from the user's perspective may help to check the usability and functionality of the security features and controls, and testing from the attacker's perspective may help to check the resilience and robustness of the system or application against malicious attacks.

Most of us software testers are not cybersecurity experts. Sure, we might dabble in some basic stuff like messing around with SQL injections or "hacking" URL query strings, but let's be real—that's not gonna cut it for actual security testing. If you want to do security testing the right way, you have to bring in someone who really knows their stuff in that area. Just because you've done some functional testing on a login page doesn't mean you've covered the security angle.

One of the most common issues in security testing is when the security tester fails to share the test plan with all relevant stakeholders. This can lead to various problems like spam data in the database, server crashes during the test scanning, and lack of transparency in the testing progress. It is essential to avoid this mistake to ensure effective security testing.

During the testing phase, it is crucial to document all test reports and outputs. This helps to monitor progress, share information with the team, and follow up more efficiently. Testing reports also aid in resolving issues quickly and provide relevant stakeholders with sufficient information.

One common mistake among new security testers is trusting that everything coming from the tool is correct and dumping it as it is into the report. It should not be forgotten that a tool at best sheds light on risky areas according to its testing parameters. Understanding of the weaknesses highlighted by the tool and how it can be misused as well proper mitigative measures is still dependent on the knowledge, skills and experience of the tester. Also, the recommendation from the tools are mainly technical. A good tester understands that not only technical but also strategic recommendations will reduce the likelihood of similar weaknesses appearing and having similar criticality in the future.

One mistake that can really put you in a bad spot is giving in to scope creep from your client. Scope creep in security testing introduces challenges like inaccurate resource planning, increased costs, project delays, decreased effectiveness, overwhelmed security teams, unrealistic expectations, and increased risk of unintended consequences. Mitigation strategies include clear objectives, regular communication, scope reviews, prioritization, and adopting an agile approach. Addressing scope creep is crucial for maintaining the integrity and success of the security test, ensuring that it aligns with organizational goals and security needs.

Make sure to understand exactly what the ROE entails - check the scope and limitations of the assessment and make a plan-of-action before starting testing!! I've seen and heard of stories of people who don't properly read the ROE or don't understand what the scope and limitations are...then later mess up bc of missing or forgetting to test a system/systems... Communicate with your team members - ask questions to verify/confirm - never assume!!