How to Test Application Security – Web and Desktop Application Security Testing Techniques

Need of Security Testing?

Software industry has achieved a solid recognition in this age. In the recent decade, however, cyber-world seems to be even more dominating and driving force which is shaping up the new forms of almost every business. Web based ERP systems used today are the best evidence that IT has revolutionized our beloved global village.

These days, websites are not meant only for publicity or marketing but these have been evolved into the stronger tools to cater complete business needs. Web based Payroll systems, Shopping Malls, Banking, Stock Trade application are not only being used by organizations but are also being sold as products today.

This means that online applications have gained the trust of customers and users regarding their vital feature named as SECURITY. No doubt, the security factor is of primary value for desktop applications too. However, when we talk about web, importance of security increases exponentially. If an online system cannot protect the transaction data, no one will ever think of using it. Security is neither a word in search of its definition yet, nor is it a subtle concept. However, I would like to list some complements of security.

Security Testing

Examples of security flaws in an application:

1) A Student Management System is insecure if ‘Admission’ branch can edit the data of ‘Exam’ branch
2) An ERP system is not secure if DEO (data entry operator) can generate ‘Reports’
3) An online Shopping Mall has no security if customer’s Credit Card Detail is not encrypted
4) A custom software possess inadequate security if an SQL query retrieves actual passwords of its users

Security Testing Definition:
Now, I present you a simplest definition of Security in my own words. “Security means that authorized access is granted to protected data and unauthorized access is restricted”. So, it has two major aspects; first is protection of data and second one is access to that data. Moreover, whether the application is desktop or web based, security revolves around the two aforementioned aspects. Let us have an overview of security aspects for both desktop and web based software applications.

Desktop and Web Security Testing:
A desktop application should be secure not only regarding its access but also with respect to organization and storage of its data. Similarly, a web application demands even more security with respect to its access, along with data protection. Web developer should make the application immune to SQL Injections, Brute Force Attacks and XSS (cross site scripting). Similarly, if the web application facilitates remote access points then these must be secure too. Moreover, keep in mind that Brute Force Attack is not only related to web applications, desktop software is also vulnerable to this.

I hope this foreword is enough and now let me come to the point. Kindly accept my apology if you so far thought that you are reading about the subject of this article. Though I have briefly explained software Security and its major concerns, but my topic is ‘Security Testing’. In order to know further details of security aspects, kindly refer to – Web application security testing article.

I will now explain how the features of security are implemented in software application and how should these be tested. My focus will be on Whats and Hows of security testing, not of security.

Security Testing Techniques:

1) Access to Application:

Whether it is a desktop application of website, access security is implemented by ‘Roles and Rights Management’. It is often done implicitly while covering functionality, a Hospital Management System a receptionist is least concerned about the laboratory tests as his job is to just register the patients and schedule their appointments with doctors. So, all the menus, forms and screen related to lab tests will not be available to the Role of ‘Receptionist’. Hence, the proper implementation of roles and rights will guarantee the security of access.

How to Test: In order to test this, thorough testing of all roles and rights should be performed. Tester should create several user accounts with different as well multiple roles. Then he should use the application with the help of these accounts and should verify that every role has access to its own modules, screens, forms and menus only. If tester finds any conflict, he should log a security issue with complete confidence.

2. Data Protection:

There are further three aspects of data security. First one is that a user can view or utilize only the data which he is supposed to use. This is also ensured by roles and rights e.g. a TSR (telesales representative) of a company can view the data of available stock, but cannot see how much raw material was purchased for production.

So, testing of this aspect is already explained above. The second aspect of data protection is related to how that data is stored in the DB. All the sensitive data must be encrypted to make it secure. Encryption should be strong especially for sensitive data like passwords of user accounts, credit card numbers or other business critical information. Third and last aspect is extension of this second aspect. Proper security measures must be adopted when flow of sensitive or business critical data occurs. Whether this data floats between different modules of same application, or is transmitted to different applications it must be encrypted to make it safe.


How to Test Data Protection: The tester should query the database for ‘passwords’ of user account, billing information of clients, other business critical and sensitive data and should verify that all such data is saved in encrypted form in the DB. Similarly (s)he must verify that between different forms or screens, data is transmitted after proper encryption. Moreover, tester should ensure that the encrypted data is properly decrypted at the destination. Special attention should be paid on different ‘submit’ actions. The tester must verify that when the information is being transmitted between client and server, it is not displayed in the address bar of web browser in understandable format. If any of these verifications fail, the application definitely has security flaw.

3. Brute-Force Attack:

Brute Force Attack is mostly done by some software tools. The concept is that using a valid user ID, software attempts to guess the associated password by trying to login again and again. A simple example of security against such attack is account suspension for a short period of time as all the mailing applications like ‘Yahoo’ and ‘Hotmail’ do. If, a specific number of consecutive attempts (mostly 3) fail to login successfully, then that account is blocked for some time (30 minutes to 24 hrs).

How to test Brute-Force Attack: The tester must verify that some mechanism of account suspension is available and is working accurately. (S)He must attempt to login with invalid user IDs and Passwords alternatively to make sure that software application blocks the accounts that continuously attempt login with invalid information. If the application is doing so, it is secure against brute-force attack. Otherwise, this security vulnerability must be reported by the tester.

The above three security aspects should be taken into account for both web and desktop applications while, the following points are related with web based applications only.

4. SQL Injection and XSS (cross site scripting):

Conceptually speaking, the theme of both these hacking attempts is similar, so these are discussed together. In this approach, malicious script is used by the hackers in order to manipulate a website. There are several ways to immune against such attempts. For all input fields of the website, field lengths should be defined small enough to restrict input of any script e.g. Last Name should have field length 30 instead of 255. There may be some input fields where large data input is necessary, for such fields proper validation of input should be performed prior to saving that data in the application. Moreover, in such fields any html tags or script tag input must be prohibited. In order to provoke XSS attacks, the application should discard script redirects from unknown or untrusted applications.

How to test SQL Injection and XSS: Tester must ensure that maximum lengths of all input fields are defined and implemented. (S)He should also ensure that defined length of input fields does not accommodate any script input as well as tag input. Both these can be easily tested e.g. if 20 is the maximum length specified for ‘Name’ field; and input string “<p>thequickbrownfoxjumpsoverthelazydog” can verify both these constraints. It should also be verified by the tester that application does not support anonymous access methods. In case any of these vulnerabilities exists, the application is in danger.

5. Service Access Points (Sealed and Secure Open)

Today, businesses depend and collaborate with each other, same holds good for applications especially websites. In such case, both the collaborators should define and publish some access points for each other. So far the scenario seems quite simple and straightforward but, for some web based product like stock trading, things are not so simple and easy. When there is large number of target audience, the access points should be open enough to facilitate all users, accommodating enough to fulfill all users’ requests and secure enough to cope with any security-trial.

How to Test Service Access Points: Let me explain it with the example of stock trading web application; an investor (who wants to purchase the shares) should have access to current and historical data of stock prices. User should be given the facility to download this historical data. This demands that application should be open enough. By accommodating and secure, I mean that application should facilitate investors to trade freely (under the legislative regulations). They may purchase or sale 24/7 and the data of transactions must be immune to any hacking attack. Moreover, a large number of users will be interacting with application simultaneously, so the application should provide enough number access point to entertain all the users.

In some cases these access points can be sealed for unwanted applications or people. This depends upon the business domain of application and its users, e.g. a custom web based Office Management System may recognize its users on the basis of IP Addresses and denies to establish a connection with all other systems (applications) that do not lie in the range of valid IPs for that application.

Tester must ensure that all the inter-network and intra-network access to the application is from trusted applications, machines (IPs) and users. In order to verify that an open access point is secure enough, tester must try to access it from different machines having both trusted and untrusted IP addresses. Different sort of real-time transactions should be tried in a bulk to have a good confidence of application’s performance.  By doing so, the capacity of access points of the application will also be observed clearly.

Tester must ensure that the application entertains all the communication requests from trusted IPs and applications only while all the other request are rejected. Similarly, if the application has some open access point, then tester should ensure that it allows (if required) uploading of data by users in secure way. By this secure way I mean, the file size limit, file type restriction and scanning of uploaded file for viruses or other security threats. This is all how a tester can verify the security of an application with respect to its access points.

If you enjoy reading this article please make sure to share it with your friends. Please leave your questions/tips/suggestions in the comment section below and I’ll try to answer as many as I can.

Recommended reading


#1 Dennis Guldstrand

Well written. I like your simple, but to the point, definition of security testing:
“Security means that authorized access is granted to protected data and unauthorized access is restricted.”

We use a similar description description, and it helps to keep focus on what the core reason for what we are doing something (within security testing) is.

#2 Ankit

Valuable and brief

#3 RAmani


#4 Anu

Thank you for the article. Very informative. The section “How to Test Service Access Points” is more informative.


#5 aruna

Wow. very well defined and expressed the depth with clear examples. Thanks .

#6 Sushil Pansare

Nice info.

#7 Rajesh Reddy

This article has helped me to get good insight on security related vulnerabilities and how to test those cases.
Thanks for your very good effort in articulating it in a easy & understandable manner.

#8 Pratap

Hi all

Can anybody tell me how to test a website in which

“iFrames” plays a very important role.

i mean few things that i must remember while testing

these kind of site ?

plz help me guys

#9 Tal

Great stuff. thank you for the info!

#10 anil yadav

hi all
can anyboby tell me software testing in jaipur

#11 Imran

Hi All,

In most of the interviews they are asking this question.

Explain Test Plan & Test Strategy ?

Can anyone give a breif or a link for the answer for this question if its available in this website.

#12 m

very well. thanks

#13 Anand Nandargi

good one..lyk it..

#14 Karthik

Very good one

#15 Sanju

v.gud article

#16 Gaurav Khanna

Nice Article. Thumbs Up. :)

#17 Digvijay

Hey! could you please provide the information about how to analyze the jmeter load test report.

#18 Lakshmi

Good information for all the topics…………please keep going on like this

#19 Deepak Kashyap

Good..Very Good…

#20 Rishi Mathur


#21 suman

Good article. Verymuch useful for the Testers.

#22 sagar

Testing job

Dont join Seed Infotech & SQTL Pune & Mumbai People .
Telll other not to join it

Apply ur cv Capgemini, chennai

#23 ajit pawar

wow it’s a good example…

#24 ajit pawar

please give me some sites or references to apply job in testing field.i have sound knowledge in manual testing.

#25 Zara

well written …thanks

#26 Yamraaj

Excellent article.
Comprehensive and convincing, covering almost all the major areas of security and security testing in the field of softwares.

#27 Nagesh

I Need The qtp Advanced interview questions

#28 Nagesh

I Am Looking for Software Testing Opening With 3+ yrs of exp If Any One Find the opening in any company
ple send me the details on

#29 Amit

Hi..please give me some sites or references to apply job in testing field.i have sound knowledge in manual testing.

#30 Mohan

Excellent knowledge spreaded!!! looking forward more stuff like this….Thanks a lot

Can you please publish article related to QTP and Load runner more!!!

#31 Deepak Kumar

Thanks for such a knowledgable information.

#32 Eugenia Yakhnin

Excellent article! Simple and clear, useful in the daily work, thanks.

#33 kumar

Nice post, I’m little bit expecting some more examples on your post.

#34 kumar

Hi am new in QTP, Can any one post vb script tutorials to learning purpose.

Please mail me if you found any

#35 Svetlana

Thank you for a great article and useful tips, guys!

#36 ravindra

Really good keep it going with different advanced concepts

#37 ravindra

good and helpful

#38 ravindra

thanku very much for providing the valuable information

#39 swati

This site is awsome!!!! Whichever topic the respective author has explained, they have done a great job!!! information shared is so helpful,concise and easily understood!! Just Awsome!! :)

#40 JD

How to Performed security testing of basic levels in the Finance Tracker application??

If someone help me..


#41 Maheedhar

Well said.. nice topic with interesting definitions which can be easily understandable.

Good going…

#42 Asad

Well Summurized

#43 Asad

Well Summarized

#44 Deepti

Well written article. I have read some of your other articles too and all of them and simple enough to understand. I also liked the examples used in above article. Keep up the good work.

#45 Ajju

Simply clear…

#46 Satish

How to test XSS (cross site scripting)?

#47 Rajendra Rajput

this is very2 good Helpful place!

#48 Supriya

Please clearify how to do Xss test.I have a site to test,and this is my first time to test,no training has provided ,so please give me some solutions.

#49 M.Siddiqui

No doubt, Very informative article, I liked it.

#50 Srilekha

Send me Resumes to this mail. Well give placements free of cost

#51 maoj


#52 Abdul

Its very helpful description. Described how to handle security concerns of software in very simple words

#53 Naresh

Am Looking for Software Testing Opening With 3+ yrs of exp in banking domain applications. If Any One Find the opening in any company
please send me the details on

#54 Cally

Thanks so much for this article; it is very informative. I especially appreciate your clear and concise explanations of all five security testing techniques. My favorite technique that was mentioned was “Data Protection” and the three aspects of data security it provides. All three of these aspects on data protection is extremely helpful in understanding and using application security testing.

Get a free application security scan

Hope this helps!

#55 Cally

Thanks so much for this article; it is very informative. I especially appreciate your clear and concise explanations of all five security testing techniques. My favorite technique that was mentioned was “Data Protection” and the three aspects of data security it provides. All three of these aspects on data protection is extremely helpful in understanding and using application security testing.
Get a free application security scan
Hope this helps!

#56 Prajakta

Hi, i am a beginner in the pen testing field, want to know the in & out of Vulnerability Assessment & Penetration Testing(VAPT), i.e want the knowledge of OWASP listed vulnerabilities, how to find them(step by step detail) in thin and thick client using automated & by manual process. please email me regarding the same.
my Email ID:

#57 vikram

Am Looking for Software Testing Opening With 1 yrs of exp . If Any One Find the opening in any company
please send me the details on

#58 Riham

what a great article !!

Thanks a lot :)

#59 rajesh

#Srilekha please give ur details to send resume.

#60 Kishna Patel

Hello … Inder ,
I want to execute sql injection then how can I start? I have ready made DB and I used mySQLQuary Browser. What is the first step ?

#61 Qazi

Awesome article. Very informative and helpful for junior as well as senior testers.

Great Job. Thanks

#62 Soumi

How to perform Security testing for a Virtual data room software

#63 Kathy

I enjoyed this article very much. Thank you!

#64 bhawani

Hi can someone please tell me how it is decided on the basis of IP address that data is coming for reliable/non reliable address? Is there a list of reliable IP addresses?

#65 Ken Crismon

In regards to Desktop application security testing… Is there some discrete thoughts exclusively focused on Desktop security ideals? Articles? Thoughts?

#66 sumanth

I need what is the flow to start security testing and plz give with any application with example.And is their any code writing in the tool.please give me clarification on that.

#67 praveen

I am looking for change of company having 5+ yrs , in testing ,, if any body knows the opening please let me know

#68 Arpit Jain

How to test security either manual or automated by tool for desktop application like “Point of sale”
Please suggest me.

Thanks in advance.

#69 Aishwarya

U have given the crux of Security Testing. Well presented. Thanks :)

#70 Soundar

How can we do the security testing. without tool. Pls advice me.

#71 Muhamamd Zeeshan

U have given the crux of Security Testing. Well presented. Thanks :)

#72 karthi

Very simple and clear language used. Thanks a lot

#73 M.Chaitanya

Very useful.

#74 Gehad

very good, thanks alot :)

#75 yogesh

its a good article about the security testing It will be great if you can please add some more details on the security testing for a desktop application.

Thanks a lot.

#76 Krupa Bhusari

Informative article. Kindly informed if having any vacancy for fresher Software Tester on

Leave a Comment