End-to-end security testing, also referred to as end-to-end security penetration testing, describes security testing with all the application components integrated together. Security penetration testing addresses how hackers would try to break into the system. This testing includes:
· Addressing the security issues that appear when components are integrated and end-to-end scenarios are targeted. This testing focuses on integration points, looking for vulnerabilities created by incorrect assumptions the components make about each other.
· Assessing the attack surface and identifying all potential points of direct entry into the application.
· Fuzz testing and fault injection on end-to-end scenarios using deliberately malformed input, and deliberately causing various dependencies to fail, disappear, return incorrect data, send duplicates, etc.
· Denial of service attacks: targeting scenarios which may cause exhaustion of system resources (such as CPU, memory, network, and kernel objects) and custom resources (such as shopping baskets). Sometimes good algorithms fall on their faces when fed “exactly incorrect” data; we will look out for these cases too.
· Client server issues: session hijacking, spoofing, replay of authenticators.
· Man-in-the-middle attacks, eavesdropping, and data tampering.
· Input validation on integration scenarios: SQL injection, cross-site scripting, and name canonicalization tests.
· Verifying that the application’s default configuration is the most secure.
· Verifying that the principles of least privilege and separation of privilege are adhered to in the end-to-end scenario. We will also consider social engineering issues and their potential impact.
· Reviewing all uses of cryptography (algorithms and key management).