CISSP Interface Testing – Bk1D6T2St8

When two systems or a user and a system can interact with each other, the exchange of data occurs via an interface. Interfaces allow systems to exchange data with each other, other applications, other systems, and users. Interface testing is used to validate whether systems or components pass data and control information properly. This systematic evaluation of the interface’s functionality helps ensure the integrity and possibly the confidentiality and availability of the data and services provided by the application. Interface testing can be conducted by both developers and end users, but penetration testers and security professionals may also perform interface testing as part of their efforts.

Interface testing will typically assess the following:
  • Whether the interface responds as expected
  • How the interface handles errors, and whether it responds to them appropriately
  • How the interface deals with unexpected input, or a lack of required input
  • What the interface does when there is a connectivity issue
  • The security of the interface and of the data sent through it

Interface testing may require components on both ends of a system to be tested or for multiple elements in an infrastructure to be validated. External interfaces such as APIs, web services, and servers’ services are all frequently tested by security professionals to ensure that they are not vulnerable, leaking data, or exposed beyond their designed accessibility. Internal interfaces for programs, operating system kernels and services, and other similar components may also be tested by security professionals, particularly those who develop security tools or who work to defeat malware.

Interface testing is a common part of a typical software development lifecycle (SDLC). In the SDLC, interface testing can ensure user-friendliness within the application. It can also identify issues with error handling as well as unexpected behaviors. For instance, do transactions maintain their integrity in all circumstances, including an interruption of the transaction? Are errors handled properly, or do they divulge sensitive information?

Server interface testing can also ensure that server to server, server to database, and web application to server communication is performed as expected. Testing should be conducted with a variety of browsers to ensure that each browser performs as expected. Other factors that can cause a test to succeed or fail include the presence of browser plug-ins. Testing should include examining the functionality of the site with and without plug-ins enabled.

Website links should work, and linked documents should be accessible on a variety of operating system platforms. It may be useful to determine whether encryption is necessary based on the contents of the site. Identify whether the copy and paste functions are secure and justifiable from a business perspective. Other elements of the test can answer questions such as these:

  • If the website returns an error, does it divulge sensitive information, such as source code, directory listings, or system paths?
  • If the application crashes, does it recover gracefully and automatically, or is intervention or a reboot required?
  • If a transaction is interrupted, does it gracefully recover?
  • Do interruptions cause a loss of data or necessitate a re-creation of work performed?
  • Does inactivity log out the user and cancel a transaction?
  • Does the system recover the session gracefully after a browser crash?
  • Are cookies used, and do they store sensitive information?

Other elements can be tested as well, such as the interface’s functionality, performance, usability, intuitiveness, and user satisfaction. Interface testing can ensure the application adheres to security requirements and meets the needs of the organization.
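As an added illustration (not part of the CISSP text) of the checks listed in the two lists above, the following Python stand-in for a small JSON interface comes with a test routine that exercises the expected response, malformed and missing input, loss of backend connectivity, and whether error responses leak internal details. The handler, the backend, and the internal hostname are all constructed for this example.

```python
import json
import re

# Constructed stand-in for the "interface" under test: a JSON request
# handler backed by a fake lookup that can be made to fail on demand.

class BackendUnavailable(Exception):
    """Raised by the fake backend to simulate a connectivity issue."""

def lookup_backend(account_id, backend_up=True):
    # Hypothetical backend call; the hostname is a constructed example.
    if not backend_up:
        raise BackendUnavailable("could not reach db01.internal:5432")
    return {"account_id": account_id, "balance": 100}

def handle_request(raw_body, backend_up=True):
    """Interface under test: parses a JSON body, returns (status, body)."""
    try:
        req = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, {"error": "malformed request"}
    if not isinstance(req, dict) or "account_id" not in req:
        return 400, {"error": "account_id is required"}
    try:
        return 200, lookup_backend(req["account_id"], backend_up)
    except BackendUnavailable:
        # Generic message only: the internal hostname and port stay out
        # of what the caller sees.
        return 503, {"error": "service temporarily unavailable"}

# Patterns that would indicate an error body exposing internals
# (stack traces, source paths, internal hostnames, ports).
LEAK_PATTERN = re.compile(r"Traceback|/[\w./-]+\.py|\.internal|:\d{2,5}\b")

def leaks_internals(body):
    """True if a response body exposes paths, hostnames, or ports."""
    return bool(LEAK_PATTERN.search(json.dumps(body)))

def run_interface_tests():
    """Returns a dict of check name -> True/False for handle_request."""
    results = {}
    status, body = handle_request('{"account_id": "A1"}')
    results["expected_response"] = status == 200 and body["balance"] == 100
    status, body = handle_request('{"account_id": 1')  # malformed JSON
    results["handles_malformed_input"] = status == 400 and not leaks_internals(body)
    status, body = handle_request('{}')  # required field absent
    results["handles_missing_input"] = status == 400 and not leaks_internals(body)
    status, body = handle_request('{"account_id": "A1"}', backend_up=False)
    results["handles_connectivity_loss"] = status == 503 and not leaks_internals(body)
    return results
```

In a real engagement the same four checks would be run against the deployed interface rather than an in-process handler, but the pass criteria (correct status, no leaked paths or hostnames, graceful failure) stay the same.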