It doesn’t matter if it is website of desktop application – all the options in access security are implemented by “Roles and Rights Management”. This is often has to be done implicitly when covering functionality: for example, the receptionist in the hospital is hardly concerned about the medical tests in the lab because his job is to register patients appointments. That’s why he has no access to the menus, forms and other information related to lab tests as his Role in the Hospital Management System is “Receptionist”.
How to test the access security? When testing this point of the security options all of the Roles should be checked. Tester should create the accounts with all possible Roles. Then he needs to use all of these accounts in order to be sure that every role has an access only to its own forms, menus and screens. If any access conflict is found, this issue should be logged with complete security.
There are three main aspects in data security. The first one is: the particular user should view or utilize only the data he is supposed to view and use. This option is also provided by roles and rights, for example the company’s telesales manager can only view the data about the available stock, but he doesn’t have any access to the information about how much raw materials was bought for production. Testing technique of this aspect has been already explained above.
The second aspect is about how the data is stored in the database. You should understand that all the data which is sensitive must be encrypted in order to make it secure. Especially encryption should be very strong for such an important and sensitive data like passwords to user accounts, numbers of credit cards and other business information.
The third aspect is actually an extension of the second one. It is related to the information flows. When the flow of the sensitive data described above occurs in the application, the proper security level must be provided. It doesn’t matter if the information flow is between different modules of the application of between different apps, the data must be safely encrypted in order to protect it.
It’s not actually necessary to say that all the above aspects should be properly tested before using the application. First, the tester should query the DB for passwords to user accounts, clients billing info and other sensitive data. Then he should verify that all this data is thoroughly encrypted being stored in the database. The proper data encryption should also be checked when transmitting it between different forms and screens. After that the tester should verify if the data is successfully decrypted after reaching the destination. The sensitive information like accounts passwords shouldn’t be displayed within the submission form in any understandable format.
To request a quote for software testing services visit BugHuntress website.