Business goals of security testing

Security testing serves three main business goals: compliance, risk management, and quality assurance. These goals are not mutually exclusive. They can be applied separately or together.

Compliance

Compliance means identifying and meeting external requirements such as laws, regulations, standards, or customer-specific demands. Sometimes, instead of running a product-specific risk analysis, an organization may choose to follow a recognized security standard such as ISO 27001 at the organizational level or OWASP ASVS for web applications.

In this approach, security is demonstrated through independent audits that verify requirements have been met. The residual risk lies in areas of security not covered by these requirements but still present in the system or application.


Risk management

Risk management addresses security risks that stem from the specific characteristics of a system or application, such as its technology, functionality, data, user interface, or integration points, especially where compliance requirements do not apply.

While many risks are already covered by compliance, no standard can capture every possible case. For the remaining risks, the options are either to accept them or to reduce them. Reduction typically involves building a technical threat model to identify likely attack vectors and then selecting appropriate security controls.

Together, these controls form the security architecture. Controls are usually grouped into three categories: preventive, detective, and corrective. They may be technical, such as authentication mechanisms, or administrative, such as access management policies.

Quality assurance

Quality assurance covers people, processes, and the system or application itself. Security requirements define functional controls like authentication and access checks, but non-functional aspects are just as important. These include the quality of implementation, such as robust error handling and preparing for failure scenarios.

Common security weaknesses

Security weaknesses usually fall into three categories: design flaws, coding errors, and configuration mistakes.

  • Design flaws occur when requirements are incomplete or misinterpreted, often because risks or threats were not properly identified.
  • Coding errors arise when systems fail under exceptional or unexpected use cases. These should ideally be detected during development through unit or integration testing.
  • Configuration mistakes happen in operational security once the system is live, for example when more features are exposed than necessary, or when third-party component updates and vulnerabilities are not tracked.

Looking for more insight into security testing?

Reach out and let’s discuss how we can support your goals.