Test and Verify Securely

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe methods for testing and verifying your code or project.
  • Identify the key questions to ask before project release.

Verify Your Project’s Security

You’ve designed your work and built in security at every step of the process. Now it’s time to verify that the security mitigations you implemented work as intended and that the rest of what you’ve built is secure.

Testing, Testing, 1, 2, 3

Security is just like any other functionality—you need tests that verify correct implementation. Security testing does two things. It uncovers vulnerabilities in your system so you can fix them, and it verifies that the data and resources of the system are protected from possible intruders. It ensures that the software system and application are free from any threats or risks that can cause a loss. 

In addition to building test code to validate your use cases, you can also build test cases to validate abuse cases. Building an abuse case test requires that you define ways in which an attacker can compromise your application. Then you build test cases to simulate that attack, and ensure that your test evaluation logic validates that the attack does not succeed.
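An abuse case test next to a use case test, shown here as an added example that is not part of the original unit. The function `read_download`, the file names, and the fixture contents are hypothetical and constructed for illustration; the abuse case is path traversal against a download directory.

```python
import os
import tempfile
import unittest

def read_download(base_dir, requested):
    """Hypothetical function under test: return a file's text only if it is inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("requested path escapes the download directory")
    with open(target, encoding="utf-8") as handle:
        return handle.read()

class DownloadTests(unittest.TestCase):
    def setUp(self):
        # Constructed fixture: one public file and one file that must stay private.
        self.tmp = tempfile.TemporaryDirectory()
        self.base = os.path.join(self.tmp.name, "public")
        os.mkdir(self.base)
        self.secret = os.path.join(self.tmp.name, "secret.txt")
        for path, text in ((os.path.join(self.base, "report.txt"), "quarterly report"),
                           (self.secret, "TOP-SECRET")):
            with open(path, "w", encoding="utf-8") as handle:
                handle.write(text)

    def tearDown(self):
        self.tmp.cleanup()

    def test_use_case_public_file_is_served(self):
        self.assertEqual(read_download(self.base, "report.txt"), "quarterly report")

    def test_abuse_case_path_traversal_is_rejected(self):
        attempts = ["../secret.txt", "docs/../../secret.txt", self.secret]
        for attempt in attempts:
            with self.subTest(attempt=attempt):
                # Evaluation logic: the attack must fail, not merely return something else.
                with self.assertRaises(PermissionError):
                    read_download(self.base, attempt)

def run_suite():
    """Run both tests and return the unittest result object."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(DownloadTests)
    return unittest.TextTestRunner(verbosity=0).run(suite)

if __name__ == "__main__":
    raise SystemExit(0 if run_suite().wasSuccessful() else 1)
```

If the containment check in `read_download` is removed, the use case test still passes and only the abuse case test fails, which is the regression this kind of test exists to catch.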

The security requirements you defined during the plan stage of your project guide the tests your team implements. As part of the functional testing your team does to make sure your development works as designed, you also want to add security tests. There are a number of good automated tools for testing. Setting up a plan to do automated testing at regular intervals during the development process helps you catch vulnerabilities that can arise from changes that occur during development. 

It’s also a good idea to have a security engineer do a penetration test. Penetration testing is a procedure for testing the security of a system or software application by making a deliberate attempt to compromise its security. It tests how vulnerable underlying network configurations and operating systems are. This helps to prepare for any possible malicious attacks or avoid the potential breach of data at the hands of an outside party. By documenting the steps taken to try to compromise your system, the penetration tester can provide valuable information to your team on how to mitigate a possible attack from an adversary.

Analysis Testing

There are two powerful analysis methods that you can also run on your development: static analysis and dynamic analysis. Static application security testing (SAST) looks at the source code without executing the program. Dynamic analysis takes the opposite approach: it is performed while the program is running. Dynamic application security testing (DAST) simulates attacks against a web application and analyzes the application’s reactions to determine whether it is vulnerable. Because they originated and evolved separately, static and dynamic analysis have sometimes been mistakenly viewed as being in opposition. Each has strengths and weaknesses, and both can expose security issues in your development so that you can fix them before release.

Dynamic Analysis

Dynamic analysis generally has lower code coverage than static analysis. However, it is easier and more efficient to test and find certain kinds of bugs with confidence using dynamic analysis. There are a number of automated dynamic application security testing (DAST) tools that scan web applications, normally from the outside, to look for the kinds of security vulnerabilities we covered in the module, Security Principles. Some vulnerabilities that dynamic testing can detect include cross-site scripting (XSS), SQL injection, command injection, path traversal, and insecure server configuration. In some cases, like cross-site request forgery (CSRF), dynamic testing is much faster than static analysis. It’s important that you think ahead and match the correct analysis type to the vulnerabilities you’re trying to find. 

Static Analysis

Static code analysis is usually performed as part of a code review. This type of analysis commonly refers to the running of static code analysis tools that attempt to highlight possible vulnerabilities within static (nonrunning) source code.

Static application security testing (SAST) tools are designed to analyze source code, or compiled versions of code, to help find security flaws. One big advantage of SAST tools is that they provide immediate feedback. You want to use these tools during code development so you can prevent vulnerabilities as you work. They are also useful later in the development cycle.

SAST tools allow you to test your source code for application security vulnerabilities and check vulnerabilities in open source code. Using these tools allows you to save time and money by finding and fixing vulnerabilities early.
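To make "analyzing source code without executing it" concrete, here is a minimal static check, added as an example and not taken from the original unit or from any SAST product. It parses a constructed sample source string and reports two patterns commonly tied to command and code injection; the rule set and the sample functions are assumptions chosen for illustration.

```python
import ast

# Constructed sample input: this code is parsed as text and never executed.
SAMPLE_SOURCE = '''
import subprocess
def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True)
def safe_ping(host):
    return subprocess.run(["ping", "-c", "1", host])
def calc(expr):
    return eval(expr)
'''

DANGEROUS_BUILTINS = {"eval", "exec"}

def scan(source):
    """Return sorted (line, message) findings for risky calls in Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Rule 1: direct calls to eval()/exec() evaluate attacker-influenced strings as code.
        if isinstance(func, ast.Name) and func.id in DANGEROUS_BUILTINS:
            findings.append((node.lineno, f"call to {func.id}()"))
        # Rule 2: shell=True hands the command string to a shell (command injection risk).
        for keyword in node.keywords:
            if (keyword.arg == "shell"
                    and isinstance(keyword.value, ast.Constant)
                    and keyword.value.value is True):
                findings.append((node.lineno, "shell=True in call"))
    return sorted(findings)

if __name__ == "__main__":
    for line, message in scan(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
```

The list-argument call in `safe_ping` produces no finding, which shows the check reasoning about code structure rather than matching on the text `subprocess`.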

Ready to Launch

Once you’ve tested your product and fixed issues, be sure to run the modifications through the design, implement, and test stages again. Double check that you’re addressing all of the security requirements and threats you identified along the way.

You’re at the finish line and you’re almost ready to release! You just have to run through a checklist of five questions about the work you and your team have completed.

Did you do the following?

  1. Address all security requirements?
  2. Mitigate security threats?
  3. Evaluate the security of new features and process changes?
  4. Document the process of working on security for the project?
  5. Document the reasons for any unaddressed issues?

Learning how to test and verify the security of your development will serve you well in all the work you do. Now that you understand how to do that, let’s look at the best ways to maintain security post-release.
