The security testing process identifies real-world vulnerabilities and exploits by performing different types of security tests, such as vulnerability scans, penetration tests, control validations, social engineering attacks, web application testing, and mobile device testing.
It is a technical review and test of all in-scope information assets using technical security tools and social engineering techniques. Information assets include technology, digital media (for example, computer drives), non-digital media (for example, paper), and face-to-face interaction. The three basic areas for security testing include:
- Network security: This involves searching and testing for vulnerabilities in the network infrastructure from both a technical and an administrative perspective.
- System security: This consists of reviewing weaknesses in the various systems that manage computing hardware. This includes operating systems, security software utility tools, and supporting configuration.
- Client and server-side applications: This involves client software (browsers, office software, Adobe, etc.) and server software (database systems, server code, and server-side applications such as an e-commerce site).
Security testing is critical for validating an organization's effectiveness in securing its technical environment. Security testing should be done in conjunction with a risk assessment so that all security findings are empirically supported.