Testing cloud services – Testing security
To cover security risks, many kinds of measures are possible. The field of security is, just like the cloud, in continuous motion and requires regular research on new and updated measures. Security is predominantly about information security. Different standards exist in this field, such as ISO 27001, which differentiates the following three aspects:
- Confidentiality of the data and the accompanying risk that unauthorized people can view the data
- Integrity of data and the accompanying risk that data is altered or lost unintentionally
- Availability of data and the accompanying risk that data (and services) is not available when it is required
The following three questions correspond to the three aspects of information security:
- Who has access to the data?
- Can the user trust that the data is correct?
- Can the user gain access to the data at all times?
Checklist test measures ‘testing security’
- 5.3.1 Assessing network security
- 5.3.2 Inventorying supplier security
- Physical security
- Log files and audit trails
- 5.3.3 Inventorying customer security
- 5.3.4 Testing encryption
- 5.3.5 Testing authentication
- 5.3.6 Testing authorization
- 5.3.7 Testing security robustness against Internet attacks; examples:
- Directory traversal. Read and/or write in directories other than those allowed.
- XML external entity attack. Include extra (bad) data in an XML file.
- SQL injection. Request and/or change data by manipulating SQL queries.
- Cross-site scripting (XSS). Transfer data to other websites without the user knowing.
- Session manipulation. Skip steps or validation in a session.
- 5.3.8 Testing log files and audit trails
- 5.3.9 Testing security patch routines
- 5.3.10 Performing audits