Web Application Testing & Security Vulnerabilities:
Web applications are becoming more prevalent and increasingly sophisticated, and as such they are critical to almost all major online businesses. I have not done much web application testing, but I would like to share my views. I had a chance to read an article some time back on web application development; revolving on that axis, I would like to share with you my views on web application testing and vulnerabilities.
Present trend in web development and testing:
Today more dynamic and unique content is added to websites, and users demand even MORE functionality so that they can do everything. This results in functionality being the only major objective, and hence testing concentrates on it. Security of the web application is left behind, which contributes to vulnerabilities in web applications. Generally, the bugs identified by QA are functional in nature; the others are security bugs, which largely go unidentified.
Some surveys I have read in articles say:
“70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the network or system layer.”
“Web application incidents cost companies more than $320,000,000 in 2001.”
And there are many more examples.
What are Vulnerabilities?
In a typical developed web application,
- there are things the application is supposed to do;
- there are things the application was supposed to do but does not do. These are functionality defects; and
- there are things the application can also do that we are not aware of. These are security vulnerabilities.
There is a fundamental gap between QA and development, which creates these web application vulnerabilities.
Application developers build great features and functions while meeting deadlines, but they do not develop their web applications with security in mind.
As QA professionals, we do not investigate how web applications are supposed to work, so we deploy a protective solution but do not know whether it is protecting what it is supposed to.
As QA, what can we do?
- Must test applications not only for functionality but also for security
- Must test environments for potential flaws and insecurities
- Require automated testing products that integrate into the current environment
- Must provide detailed security flaw reports to development
- Must continually test the application in a real-world environment to assess the impact of ongoing code changes
- Must act as a resource for what is and is not acceptable
- Define regulatory requirements during the Definition phase of the application life cycle
- Must check for the different application penetration testing approaches, such as unvalidated input testing, injection flaws, Cross-Site Scripting (XSS) flaws, cookie poisoning, etc.
- Must look for all levels of web vulnerabilities:
  - Platform
  - Informational
  - Application
The above list is what I thought of to avoid or minimize vulnerabilities in web applications. I would like to hear more from others!
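To make the "test for security, not only functionality" point concrete, here is an added example (not code from the original post) of the kind of automated checks a QA pass can run for three of the classes listed above: reflected XSS via unencoded output, cookie poisoning via missing cookie hardening flags, and unvalidated input. All function names, the probe strings and the two sample Set-Cookie headers are constructed for illustration; the "unsafe" renderer stands in for a feature that passes functional testing while still being vulnerable.

```python
"""QA-style security checks for the vulnerability classes named in the post.

Added example, not code from the original post. All function names, the probe
strings and the sample Set-Cookie headers are constructed for illustration.
"""
import html
import re

# Constructed XSS probes a tester feeds into every text field that is echoed
# back into a page; each one carries HTML metacharacters.
XSS_PROBES = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "' onmouseover='alert(1)",
]

# Constructed Set-Cookie header values as a browser would receive them.
WEAK_COOKIE = "session=abc123; Path=/"
HARDENED_COOKIE = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"

# Allow-list for a username field: anything outside this shape is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def render_greeting_unsafe(name):
    """Passes functional testing, but user input is concatenated raw into HTML."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting_safe(name):
    """Same feature, output-encoded; quote=True also escapes both quote characters."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def reflected_unescaped(render):
    """Return the probes that come back verbatim from the renderer.

    A probe echoed byte-for-byte means its markup reaches the browser
    unencoded, which is the reflected XSS condition QA must report.
    """
    return [probe for probe in XSS_PROBES if probe in render(probe)]


def missing_cookie_flags(set_cookie):
    """Return the hardening attributes absent from a Set-Cookie header value.

    Without Secure the cookie travels over plain HTTP; without HttpOnly page
    script can read it; without SameSite it is sent on cross-site requests.
    """
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie.split(";")[1:]}
    return [flag for flag in ("secure", "httponly", "samesite")
            if flag not in attrs]


def valid_username(value):
    """Allow-list validation: True only for 3 to 32 word characters."""
    return USERNAME_RE.fullmatch(value) is not None


def security_report():
    """Run every check; an empty list (or True) per key means the check passed."""
    return {
        "xss_unsafe_renderer": reflected_unescaped(render_greeting_unsafe),
        "xss_safe_renderer": reflected_unescaped(render_greeting_safe),
        "weak_cookie_missing": missing_cookie_flags(WEAK_COOKIE),
        "hardened_cookie_missing": missing_cookie_flags(HARDENED_COOKIE),
        "username_rejects_markup": not valid_username("<b>bob</b>"),
        "username_accepts_plain": valid_username("bob_42"),
    }


if __name__ == "__main__":
    for check, result in security_report().items():
        print(f"{check}: {result}")
```

The report is the "detailed security flaw report to development" item from the list: each finding names the check, the input that triggered it and what is missing, rather than a bare pass/fail. Because the checks are plain functions, they can run on every build alongside the functional suite, so a code change that reintroduces raw concatenation or drops a cookie flag is caught the same day.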
Thanks Sonali... Yup, I have already thought of it...
Nice article Saurabh... You must write a follow-up to this one, maybe a deep dive into the last two pointers in the "As QA, what can we do?" list.