4. Vulnerability Assessment and Penetration Testing (VAPT): Testing-phase activities help identify and address bugs related to functionality, user specification and, to some extent, the security requirements that were initially agreed between the service provider and its clients/customers.
Like all the previous phases, security again plays an important role here. A dedicated security testing team is put in place whose core responsibility is to identify security vulnerabilities using automated penetration testing tools together with manual security analysis to filter out false positives where necessary.
VAPT is also called ‘black-box testing’, as the security professionals have no or very minimal access to the source code and rely entirely on their past experience, industry standards, the organization’s security standards and automated tools to identify security vulnerabilities.
The methodology followed in this phase is similar to the one used in the Develop phase. An example of a VAPT methodology can be as follows:
To sum it up:
- Prepare and follow a VAPT Methodology
- Identify security vulnerabilities (always consider a hybrid approach, that is, a combination of automated tools and manual security analysis)
- Risk rank each identified vulnerability
- Provide relevant fix recommendations
- Carry forward all artifacts and observations to the next phase of SDLC
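The hybrid triage step above, as an added example (not code from the original article): automated scanner findings are merged with the tester's manual verdicts, false positives and duplicates are dropped, each confirmed finding is risk-ranked by an assumed likelihood × impact scale, and a fix recommendation is attached so the result can be carried forward as an artifact. All findings, verdicts and scores are constructed for illustration.

```python
# Constructed sample output from an automated scanner (not real scanner data).
AUTOMATED_FINDINGS = [
    {"id": "A1", "type": "xss", "url": "/search?q=", "severity": "high"},
    {"id": "A2", "type": "open_redirect", "url": "/login?next=", "severity": "medium"},
    {"id": "A3", "type": "xss", "url": "/search?q=", "severity": "high"},  # duplicate of A1
    {"id": "A4", "type": "crlf_injection", "url": "/go?u=", "severity": "medium"},
    {"id": "A5", "type": "missing_header", "url": "/", "severity": "low"},
]

# Manual analysis verdicts (constructed): A5 could not be reproduced and is a false positive.
MANUAL_TRIAGE = {"A1": "confirmed", "A2": "confirmed", "A3": "confirmed",
                 "A4": "confirmed", "A5": "false_positive"}

# Assumed (likelihood, impact) on a 1-3 scale per vulnerability class.
CLASS_RISK = {"xss": (3, 3), "open_redirect": (2, 2),
              "crlf_injection": (2, 3), "missing_header": (1, 1)}

# Fix recommendations carried forward with each confirmed finding.
FIX_ADVICE = {
    "xss": "Context-aware output encoding and a Content-Security-Policy",
    "open_redirect": "Allow-list redirect targets; prefer relative paths",
    "crlf_injection": "Reject CR/LF in any value written into a response header",
    "missing_header": "Set the missing security header at the web tier",
}

def risk_band(score):
    """Map a likelihood x impact product (1-9) to a risk rank."""
    return "Critical" if score >= 9 else "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def triage(findings, verdicts):
    """Keep only manually confirmed, non-duplicate findings; score and rank them."""
    seen, ranked = set(), []
    for f in findings:
        key = (f["type"], f["url"])
        if verdicts.get(f["id"]) != "confirmed" or key in seen:
            continue  # unverified, false positive, or same issue already recorded
        seen.add(key)
        likelihood, impact = CLASS_RISK[f["type"]]
        score = likelihood * impact
        ranked.append({**f, "score": score, "risk": risk_band(score), "fix": FIX_ADVICE[f["type"]]})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in triage(AUTOMATED_FINDINGS, MANUAL_TRIAGE):
        print(f'{r["risk"]:8} {r["id"]} {r["type"]:15} {r["url"]:14} -> {r["fix"]}')
```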
Benefits of integrating security in Phase 4:
- Real-time security vulnerabilities in the running application are addressed
- Some critical vulnerabilities, such as cross-site scripting (XSS), URL redirects and tampering, request/response splitting and others that cannot be identified by SAST tools, can be readily identified and fixed