
Chapter 7 DXP Information Security

Security Testing

As part of application validation, the security testing team should validate all security scenarios for critical business processes and transactions. At a minimum, a security testing process should ensure the following:

• Testing the common security scenarios such as session management, input validation, permission issues, authentication, information disclosure, password policies, header validation, cookie validation, and similar controls
• Validation against the OWASP Top Ten vulnerability categories
• Testing end-to-end business transactions to find exploitable vulnerabilities
• Validation of the security configuration of all servers (for example, that directory browsing is disabled)
• Testing security error-handling scenarios
• Automated security testing of resistance to brute-force attacks (for example, repeated password guessing against login endpoints)
• Compiling and reporting the vulnerabilities to all stakeholders along with recommended remediation actions
• Manual security testing that looks for flaws in the business logic and includes white-box testing (testing with access to the source code and design)

Cloud Testing

Most modern digital platforms are available on the cloud or are cloud enabled. Hence organizations should carefully review the security standards and security controls provided by the cloud provider (for example, against the Cloud Security Alliance's Cloud Controls Matrix). All controls such as network access controls, resource permission controls, monitoring controls, encryption and key management controls, and the like should be reviewed by the security team to ensure that they satisfy the security requirements. The following is a sample list of controls that we can check for while choosing a cloud provider:

• Encryption controls and standards
• Network security support
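Several items in the security-testing list above (header validation, cookie validation, information disclosure, and the directory-browsing configuration check) can be automated against captured HTTP responses. The following is an added example written for this page, not code from the book or from any product it describes: it parses a raw HTTP/1.1 response and reports findings for missing or weak security headers, version-revealing headers, session cookies without Secure, HttpOnly or a restrictive SameSite attribute, and a server-generated directory listing. Both sample responses are constructed for illustration; the set of required headers and the "Index of /" marker are assumptions chosen to match common server defaults and should be tuned to the platform under test.

```python
"""Offline checker for HTTP security headers, cookie attributes and
directory browsing. Added example for the security-testing checklist;
the sample responses are constructed, not captured from a real system."""
from email import message_from_string
from typing import List

# Assumed baseline: headers every HTTPS response should carry, with the value
# check applied to each. Extend this table for the platform under test.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: len(v.strip()) > 0,
}


def parse_response(raw: str):
    """Split a raw HTTP response into (status_line, headers, body).

    The header block is parsed with the email parser, which gives
    case-insensitive lookups and keeps repeated Set-Cookie headers."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    return status_line, message_from_string(header_block), body


def check_response(raw: str) -> List[str]:
    """Return a list of human-readable findings for one HTTP response."""
    findings: List[str] = []
    status_line, headers, body = parse_response(raw)

    # 1. Required security headers, present and with an acceptable value.
    for name, is_ok in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif not is_ok(value):
            findings.append(f"weak header value: {name}: {value.strip()}")

    # Clickjacking protection: either X-Frame-Options or CSP frame-ancestors.
    csp = (headers.get("content-security-policy") or "").lower()
    if headers.get("x-frame-options") is None and "frame-ancestors" not in csp:
        findings.append("missing framing protection (X-Frame-Options or CSP frame-ancestors)")

    # 2. Information disclosure: banner headers that carry a version number.
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if value and any(ch.isdigit() for ch in value):
            findings.append(f"version disclosure: {name}: {value.strip()}")

    # 3. Cookie attributes, checked per Set-Cookie header.
    for cookie in headers.get_all("set-cookie") or []:
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower(): p for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
        samesite = attrs.get("samesite", "")
        if "=" not in samesite or samesite.split("=", 1)[1].strip().lower() == "none":
            findings.append(f"cookie {cookie_name} lacks a restrictive SameSite")

    # 4. Directory browsing: the default listing page title of common servers
    #    (assumed marker; adjust for the web server in use).
    if status_line.split()[1:2] == ["200"] and "<title>Index of /" in body:
        findings.append("directory listing enabled")

    return findings


# Constructed sample: a misconfigured server serving a directory listing
# and a session cookie with no protective attributes.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "<html><head><title>Index of /backup</title></head><body>...</body></html>"
)

# Constructed sample: the same endpoint after hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><head><title>Welcome</title></head><body>...</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_response(raw) or ["no findings"])
```

In a real engagement the raw responses come from a proxy capture or a scripted crawl of the application; feeding every response through check_response and diffing the findings across releases turns the header and cookie items of the checklist into a repeatable regression test rather than a one-off manual review.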

Building Digital Experience Platforms - Page 226