Testing Cloud Services by Kees Blokland & Jeroen Mengerink & Martin Pol

Author:Kees Blokland & Jeroen Mengerink & Martin Pol
Language: eng
Format: epub
Publisher: Rocky Nook Inc.
Published: 2013-03-14T16:00:00+00:00


5.3.4 Testing encryption

Testing whether or not encryption is activated can be done without extensive specialist knowledge. Most modern test tools are able to test messages with and without encryption, and by comparing them, can determine whether a data stream is encrypted. When storing logon data in a database, check that the password is stored in an encrypted form. Encryption has to be switched on for all resources, including mobile devices and equipment at home.

5.3.5 Testing authentication

Authentication procedures are easily testable with functional test techniques. Think about the syntax test (valid/invalid logon data), process cycle test (authentication issuing procedure), and data cycle test (life cycle of authentication).

Unsafe behavior from people is one aspect that has to be addressed in testing authentication. Users are inclined to choose simple passwords that are easily remembered. For this reason, the software often enforces the use of more complex passwords and changing them on a regular basis. These procedures can be tested with a process cycle test. Ensure that accounts for testing purposes are not entered into the production environment.

In principle, combining authentication mechanisms provides better protection. It may, however, cause unforeseen problems, for example when the combination of authentication and authorization mechanisms does not work correctly for an individual user. The test approach will therefore need to cover both normal and error paths.

Example. Often the authentication for internal and external employees differs. Internally, for instance, an employee can be logged on with domain authentication; externally, authentication with a valid token is necessary. It should be possible for an internal employee to log on with a valid token without having sufficient permissions in the domain; an example is staff who are allowed access to a specific application, but not to the entire environment. This situation is often skipped in testing and can cause problems in production. It happens that the authentication mechanism authenticates the internal employee against the domain but does not check any further. The token is then never recognized, and the internal employee does not get access to the application for which token authentication is used.
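The domain-versus-token situation in the example above, as an added test harness that is not from the book: constructed sample users and tokens, a flawed access decision that stops after the domain check (the production problem described), a corrected one, and the normal and error paths a process cycle test would cover. All names and data here are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample data (not from the book): domain accounts with the
# applications they are permitted to use, and application tokens issued to users.
DOMAIN_USERS = {"alice": {"app-x"}, "bob": set()}  # bob has a domain account but no app-x permission
APP_TOKENS = {"tok-bob-123": ("bob", "app-x"), "tok-carol-456": ("carol", "app-x")}


@dataclass
class LogonRequest:
    user: str
    application: str
    network: str                 # "internal" (domain logon possible) or "external"
    token: Optional[str] = None  # application token, if the user presents one


def domain_authenticated(req: LogonRequest) -> bool:
    return req.network == "internal" and req.user in DOMAIN_USERS


def domain_permits(req: LogonRequest) -> bool:
    return req.application in DOMAIN_USERS.get(req.user, set())


def token_valid(req: LogonRequest) -> bool:
    return req.token is not None and APP_TOKENS.get(req.token) == (req.user, req.application)


def access_flawed(req: LogonRequest) -> bool:
    """The behaviour the book warns about: an internal logon is decided by the domain alone."""
    if domain_authenticated(req):
        return domain_permits(req)  # the token is never consulted for internal users
    return token_valid(req)


def access_fixed(req: LogonRequest) -> bool:
    """Corrected: a domain permission or a valid application token grants access."""
    if domain_authenticated(req) and domain_permits(req):
        return True
    return token_valid(req)


# Normal and error paths for the combined mechanism, with the expected outcome of each.
CASES = [
    ("internal, domain permission", LogonRequest("alice", "app-x", "internal"), True),
    ("internal, no domain permission, valid token", LogonRequest("bob", "app-x", "internal", "tok-bob-123"), True),
    ("internal, no domain permission, no token", LogonRequest("bob", "app-x", "internal"), False),
    ("external, valid token", LogonRequest("carol", "app-x", "external", "tok-carol-456"), True),
    ("external, token issued to another user", LogonRequest("carol", "app-x", "external", "tok-bob-123"), False),
    ("external, no token", LogonRequest("carol", "app-x", "external"), False),
]


def run_cases(decide: Callable[[LogonRequest], bool]) -> List[str]:
    """Return the names of the cases in which `decide` gives the wrong answer."""
    return [name for name, req, expected in CASES if decide(req) != expected]
```

Running `run_cases(access_flawed)` reports exactly the case the book describes (internal user, no domain permission, valid token), while `run_cases(access_fixed)` reports none.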

Authentication methods and their strengths and weaknesses are continuously changing. Staying up to date in this field is the work of specialists. When determining which methods to deploy, you must often seek external expertise. Make use of these specialists to understand methods for testing authentication.
