February 17, 2012


Web Application Security Testing

In today's world, security is vitally important in software applications. More and more people are using the Internet and computers to perform everyday tasks. Software is everywhere: in your cell phone, car, airplanes, televisions, and don't forget your home computers. More and more of these appliances are being connected to the Internet. Everyday services, including banking, stock trading and taxes, are all moving to an online approach. Today's software is being produced faster than ever. The majority of people using these software applications are unaware of security. With shrinking budgets, tight schedules, and little knowledge of security testing, software vulnerabilities are everywhere. Software applications are being used by people all over the world. Hence application security testing, and web application security testing in particular, is a must for software products to succeed in today's world.

Security testing, which addresses the properties of a system that relate not to its functionality but to the confidentiality, integrity, and availability of the application, is commonly referred to as "nonfunctional requirements (NFR) testing." NFR testing, which is used to determine the quality, security, and resiliency of software, is based on the belief that nonfunctional requirements describe not what software is meant to do, but how the software might do it.

Security testing, when done properly, goes deeper and even beyond the functional testing/black-box probing on the presentation layer. By identifying risks in the system and creating tests driven by those risks, a software security tester can properly focus on areas of code in which an attack is likely to succeed. Software security is about making software behave in the presence of a malicious attack, even though in the real world, software failures usually happen spontaneously — that is, without intentional mischief.

The OWASP (Open Web Application Security Project) Top Ten lists the 10 most dangerous current web application security flaws:

  • Injection
  • Cross-Site Scripting
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Failure to Restrict URL Access
  • Unvalidated Redirects and Forwards
  • Insecure Cryptographic Storage
  • Insufficient Transport Layer Protection

Security testing takes a different mindset than functional QA testing. A security tester must think of how to break and abuse the application in the same way a black hat hacker or malicious user would. Trying to do things that will cause problems in the underlying code, and thinking outside the box, will help the tester considerably in becoming more security oriented.

One of the most prevalent security-related issues to deal with is input validation. A functional quality assurance engineer can typically devise a variety of methods to verify the functionality of a feature or component. But a security tester needs to go deeper — they have to think like a malicious user, consider the cases that shouldn't be allowed, input things typical users would not attempt, and try to twist and break the application in any way possible. There are also many open source and licensed automation tools (Acunetix, Zed Attack Proxy, Websecurify, etc.) available on the market which perform dynamic analysis and penetration testing of web applications to discover vulnerabilities such as:

  • Client Certificate
  • Proxy-Chaining
  • Local and Remote File Include
  • Cross-Site Scripting
  • SQL injection
  • Information Disclosure Problems
  • Session Security Problems, etc.
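As an added example (not code from the original post or from HCL's testing unit), the following Python shows the abuse-case mindset described above applied to input validation. It places a user lookup that builds SQL by string concatenation beside one that binds the input as a parameter, then runs both against inputs a functional test would never send. The in-memory table, the user names and the test inputs are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Builds the query by concatenation: the input is parsed as SQL (the defect)."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_hardened(conn, name):
    """Same lookup with a bound parameter: the input is only ever data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Constructed inputs. None of them is a real user name, so a correct lookup
# must match nothing; the last one is a legitimate name with an apostrophe,
# which a brittle implementation breaks on.
SECURITY_INPUTS = [
    "' OR '1'='1",   # tautology: turns the WHERE clause into "always true"
    "bob' --",       # comment marker: truncates the rest of the query
    "O'Brien",       # ordinary input that a concatenated query cannot handle
]


def run_security_tests(lookup):
    """Return {input: outcome} for each input, where the outcome is
    'no-match' (correct), 'rows-returned' (data leaked or query altered)
    or 'error' (the query failed to parse)."""
    conn = make_db()
    results = {}
    for payload in SECURITY_INPUTS:
        try:
            rows = lookup(conn, payload)
        except sqlite3.Error:
            results[payload] = "error"
            continue
        results[payload] = "rows-returned" if rows else "no-match"
    return results


if __name__ == "__main__":
    for name, fn in [("vulnerable", find_user_vulnerable), ("hardened", find_user_hardened)]:
        print(name, run_security_tests(fn))
```

Run stand-alone, the concatenated version returns rows for both malicious inputs and throws a syntax error on the legitimate apostrophe, while the parameterized version reports no match for all three; a security test suite would assert exactly that table of outcomes, so a regression back to string building fails the build.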

If a program is vulnerable to overflows, lacks input checks, or lacks proper encryption, it will quickly become known for its instability, and product sales will drop dramatically. Customers will purchase alternative products that perform the same task and have been carefully checked by multiple rounds of testing. Thus, as more and more vital data is stored in web applications, and the number of transactions on the web increases, proper and robust security testing of web applications is becoming very important. Web application security testing is the process of determining whether confidential data stays confidential, i.e. it is not exposed to individuals or entities for which it is not intended (this is verified through specialized testing techniques such as web application penetration testing), and whether users can perform only those tasks they are authorized to perform, e.g. a user should not be able to deny the functionality of the web site to other users, nor change the functionality of the web application in an unintended way. Hence, web application security and stability cannot be confined to the testing phase, but must be a consistent and persistent endeavor from the design phase onward.
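The authorization half of that definition, users performing only the tasks they are authorized to perform, can be tested just as systematically as input handling. This added Python example (not part of the original post or HCL's material) checks a fetch-by-id handler against an explicit ownership policy for every user/record pair, which is how the "Insecure Direct Object References" entry in the OWASP list above is caught before release. The records, user names and both handler functions are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed sample data: each user may read only their own records.
RECORDS = {
    1: Record(1, "alice", "alice's tax return"),
    2: Record(2, "bob", "bob's tax return"),
}


class Forbidden(Exception):
    """Raised when a user is not allowed to read a record."""


def get_record_insecure(user, record_id):
    """Looks the record up by id alone. Any authenticated user can read any
    record by changing the id: the direct object reference is not checked."""
    return RECORDS[record_id].body


def get_record_secure(user, record_id):
    """Checks ownership before returning. A missing record is also reported
    as Forbidden so the response does not reveal which ids exist."""
    record = RECORDS.get(record_id)
    if record is None or record.owner != user:
        raise Forbidden(f"{user} may not read record {record_id}")
    return record.body


def authorization_matrix(handler, users, record_ids):
    """Exercise every (user, record) pair and record 'allowed' or 'denied'."""
    observed = {}
    for user in users:
        for rid in record_ids:
            try:
                handler(user, rid)
                observed[(user, rid)] = "allowed"
            except (Forbidden, KeyError):
                observed[(user, rid)] = "denied"
    return observed


def expected_policy(users, record_ids):
    """The access policy the test holds the handler to: owner only."""
    return {
        (u, rid): "allowed" if rid in RECORDS and RECORDS[rid].owner == u else "denied"
        for u in users
        for rid in record_ids
    }


def find_authorization_bugs(handler):
    """Return the (user, record_id) pairs where observed access differs from
    the policy. An empty list means the handler enforces authorization."""
    users = ["alice", "bob"]
    ids = [1, 2, 3]  # 3 does not exist; both handlers must deny it
    observed = authorization_matrix(handler, users, ids)
    expected = expected_policy(users, ids)
    return sorted(pair for pair in expected if observed[pair] != expected[pair])


if __name__ == "__main__":
    print("insecure:", find_authorization_bugs(get_record_insecure))
    print("secure:  ", find_authorization_bugs(get_record_secure))
```

The matrix approach scales with the application: the policy is written once as data, and every new role or resource type simply adds rows, so the test keeps catching the case a functional tester never tries, one user asking for another user's id.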

For more, visit HCL's software product testing unit.