Security testing is performed to check whether an application leaks information despite the protections applied to it, such as encryption, a range of software and hardware controls, firewalls, and so on.
The six basic security concepts that need to be covered by security testing are: confidentiality, integrity, authentication, availability, authorization and non-repudiation.
- Confidentiality: a security measure that protects against the disclosure of information to parties other than the intended recipient. It is by no means the only way of ensuring security.
- Integrity: a measure intended to allow the receiver to determine that the information provided to it is correct.
- Integrity schemes often use some of the same underlying technologies as confidentiality schemes, but they usually involve adding additional information to a communication to form the basis of an algorithmic check, rather than encoding all of the communication.
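As an added example (not part of the original notes), the Python code below shows the pattern the integrity bullet describes: a keyed tag (HMAC-SHA256) is appended to the message as the "additional information", the receiver recomputes it as an algorithmic check, and the message itself stays readable, so this gives integrity but not confidentiality. The key and messages are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output length; this is the extra data appended to the message


def protect(key: bytes, message: bytes) -> bytes:
    """Return message || HMAC-SHA256(key, message).

    Nothing is encrypted: the message remains readable, only a check value is added."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, packet: bytes) -> Optional[bytes]:
    """Recompute the tag over the received message and compare it in constant time.

    Returns the message when the check passes, None when the packet was altered,
    truncated, or produced under a different key."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return message


def demo() -> dict:
    key = b"constructed-demo-key-do-not-reuse"  # constructed sample key
    msg = b"transfer 100 to account 42"        # constructed sample message
    packet = protect(key, msg)
    # Same-length modification of the amount field (bytes 9..12 of the message)
    tampered = packet[:9] + b"900" + packet[12:]
    truncated = packet[:-1]
    return {
        "intact": verify(key, packet),
        "readable": packet.startswith(msg),   # integrity does not hide the content
        "tampered": verify(key, tampered),
        "truncated": verify(key, truncated),
        "wrong_key": verify(b"some-other-key", packet),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```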
Authentication involves confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one.
The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication: something you know, something you have, or something you are. Each authentication factor covers a range of elements used to authenticate or verify a person's identity prior to being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority.
Security research has determined that for a positive identification, elements from at least two, and preferably all three, factors should be verified. The three factors (classes) and some of the elements of each factor are:
- Ownership factors: something the user has (e.g., ID card, security token)
- Knowledge factors: something the user knows (e.g., password, Personal Identification Number (PIN))
- Inherence factors: something the user is or does (e.g., fingerprint, DNA sequence (there are assorted definitions of what is sufficient), signature, face, retinal pattern, voice, unique bio-electric signals, or other biometric identifier)
Authorization is the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define access policy. During operation, the system uses the access control rules to decide whether access requests from consumers shall be approved (granted) or disapproved (rejected). In short, authorization is determining that a requester is allowed to receive a service or perform an operation.
- Availability: assuring that information and communications services will be ready for use when expected.
- Information must be kept available to authorized persons when they need it.
Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent it and that the recipient cannot deny having received it. It typically relies on the interchange of authentication information with some form of provable time stamp, e.g. together with a session id.