security.itworld.com
  Search  
Security Home Page Security Webcasts Security White Papers Security Newsletters Security News Security Topics Careers ITworld Voices ITwhirled The Security site of ITworld.com

Web application security: Getting QA involved

 ITworld.com 8/2/06

Ryan English, SPI Dynamics

Quality assurance (QA) departments have traditionally focused on functional testing -- making sure that an application works properly and performs tasks seamlessly. But it is increasingly important for the QA department to be involved in application security testing, a process that includes complex checks, such as testing for SQL injection and cross-site scripting.

On this topic
Notes on a trading scandal: What went wrong at Société Générale?
Security best practices: CIOs from IBM, Intel, and Symantec share their lessons learned
Securing the Online User Experience: Building User Confidence and Stopping Fraud
Five Security Mistakes to Avoid
Comparing Approaches for Desktop Software Lockdown
Identity Theft Primer
Software Security: Building Security In
Get practical tips, IT news, how-tos, and the best in tech humor.

Choosing the right tool for Web application security testing

The QA department will need application security testing software that is able to perform tests as a non-authenticated user, an authenticated user, and an administrative user to determine the vulnerabilities inherent in each user class. Additionally, the Web application security tool should be able to perform both automated and manual crawling/spidering of your Web application.

Automated application security testing software will spider the entire application by clicking every button and link, filling out data fields to identify the structure of the program, and then auditing each page for vulnerabilities. It should do this from the outside in, reviewing each portion of the site the way an external hacker might, ideally from behind the scenes. This comprehensive approach ensures that all security holes have been identified and can be fixed. On the down side, it can also produce false positives, and it may not be able to access all of your Web pages due to the way that certain pages are coded.

Manual testing allows a user to focus on specific pathways or tasks on a Web site while the software tracks the process. The program can then audit the particular path that the user has taken for security vulnerabilities and provide a report. Manually crawling an application can be time consuming, but it also ensures that specific pages are tracked and analyzed.

Basic guidelines for choosing an application security testing product

The following basic questions should be addressed when you are looking for a Web application security testing product:

  • How easy is the product to use?
  • What kind of training will your QA department require in order to properly use the product?
  • How well does the product integrate with the tools and software that are already used by your organization?
  • How often is the product updated with new security checks - daily, weekly, monthly?
  • What is the false positive rate of the product? While no product is perfect, you want to find a product with as a low a rate as possible so that your resources are not wasted going through false positives.
  • What partnerships does the company that has created the product have in place? Generally, the more partnerships a company has, the more likely the Web application security product will be integrated with commonly used systems and products.
  • Does the product appear to evaluate each page of your application or does it get stuck on certain pages?
  • Does the Web application security product allow the end-user to easily modify scan settings?
  • What kinds of restrictions are in the product's license?
  • Are reports easy to read? Do they contain information on the location of the vulnerability, how to execute it, how to verify it, and how to fix it?
  • Will the vendor allow you to evaluate the product before committing to purchase it?

Conclusion

Web application security is vitally important, and your QA department needs to be involved in order to ensure that your final product is free of security defects. By implementing the proper tools and establishing application security testing early in the QA process, many last-minute security problems will be avoided and you can be confident that you are releasing secure, robust applications.

The ideas expressed in this article are solely those of the author and do not necessarily reflect the opinions of ITworld.com.

 Ryan English is the group product manager for SPI Dynamics, where he oversees product strategy and direction for the company's QAInspect Quality Assurance Security testing product line.
Sponsored Links

Closing the Gap Between Patient and Caregiver
Optical network solutions from AT&T provide scalable, secure bandwidth to keep the health care provider and the patient connected, despite increasing network traffic.
FREE Sophos Threat Detection Test
Scan for viruses, spyware & adware. Is your AV catching everything?
Web Penetration & App Testing
Web Penetration Security Services. 300+ Clients. Free, Quick Quotes!
See how EASY REMOTE SUPPORT can be. Try WebEx FREE!
DELIVER SUPPORT MORE EFFICIENTLY. Remotely Control Applications. Leap Securely through Firewalls!
SOLVE SUPPORT ISSUES on the First Call!
REMOTELY CONTROL AND CONFIGURE SYSTEMS. Easily install applications, updates. All from your Desktop!
» Buy a link now

Advertisements
Sponsored links
Locate Hidden Software on business PCs with this free tool
KODAK i1400 Series Scanners stand up to the challenge
Top 5 Reasons to Combine App Performance and Security
Bring harmony to your mix of UNIX-Linux-Windows computing environments
Home  Policy and standards Best practices
www.itworld.com    open.itworld.com     security.itworld.com     smallbusiness.itworld.com
storage.itworld.com     utilitycomputing.itworld.com     wireless.itworld.com

 
Contact Us   About Us   Privacy Policy    Terms of Service   Reprints  

CIO   Computerworld   CSO   GamePro   Games.net   IDG Connect   IDG World Expo   Infoworld   ITworld   JavaWorld   LinuxWorld  MacUser   Macworld   Network World   PC World   Playlist  

Copyright © Computerworld, Inc. All rights reserved

Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.