Web Application Security Testing
security is vitally important in software applications. More and more
people are using the Internet and computers to perform everyday tasks.
Software is everywhere, in your cell phone, car, airplanes, televisions,
and don't forget - your home computers. More and more of these
appliances are being connected to the Internet. Everyday services,
including banking, stock trading and taxes are all moving to an online
approach. Today's software is being produced faster than ever. The
majority of people using these software applications are unaware about
security. With shrinking budgets, tight schedules, and without the
knowledge of security testing, software vulnerabilities are everywhere.
Software applications are being used by people all over the world. Hence
application security testing and especially web application security
testing is a must for software products to succeed in today's world.
Security testing, which aims to eliminate the aspects of systems that do not relate to application functionality but to the confidentiality, integrity, and availability of applications, is commonly referred as "nonfunctional requirements (NFR) testing." NFR testing, which is used to determine the quality, security, and resiliency aspects of software, is based on the belief that nonfunctional requirements represent not what software is meant to do, but how the software might do it.
Security testing, when done properly, goes deeper and even beyond the functional testing/black-box probing on the presentation layer. By identifying risks in the system and creating tests driven by those risks, a software security tester can properly focus on areas of code in which an attack is likely to succeed. Software security is about making software behave in the presence of a malicious attack, even though in the real world, software failures usually happen spontaneously — that is, without intentional mischief.
The OWASP (Open Web Application Security Project) Top Ten is a list of the 10 most dangerous current Web application security flaws, which are listed below.
One of the most prevalent security-related issues to deal with is Input Validation. A functional quality assurance engineer can typically devise a variety of methods to verify the functionality of a feature or component. But a security tester needs to go deeper — he has to think like a malicious user, consider the cases that shouldn't be allowed, input things typical users would not attempt, and try to twist and break that application in any way possible. There are also many open source and licensed automation tools (Acuntix, Zed Attack proxy, Websecurify, etc.) available on the market which perform the dynamic analysis and penetration testing of web application to discover vulnerabilities such as:
Security testing, which aims to eliminate the aspects of systems that do not relate to application functionality but to the confidentiality, integrity, and availability of applications, is commonly referred as "nonfunctional requirements (NFR) testing." NFR testing, which is used to determine the quality, security, and resiliency aspects of software, is based on the belief that nonfunctional requirements represent not what software is meant to do, but how the software might do it.
Security testing, when done properly, goes deeper and even beyond the functional testing/black-box probing on the presentation layer. By identifying risks in the system and creating tests driven by those risks, a software security tester can properly focus on areas of code in which an attack is likely to succeed. Software security is about making software behave in the presence of a malicious attack, even though in the real world, software failures usually happen spontaneously — that is, without intentional mischief.
The OWASP (Open Web Application Security Project) Top Ten is a list of the 10 most dangerous current Web application security flaws, which are listed below.
- Injection
- Cross-Site Scripting
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Failure to Restrict URL Access
- Invalidated Redirects and Forwards
- Insecure Cryptographic Storage
- Insufficient Transport Layer Protection
One of the most prevalent security-related issues to deal with is Input Validation. A functional quality assurance engineer can typically devise a variety of methods to verify the functionality of a feature or component. But a security tester needs to go deeper — he has to think like a malicious user, consider the cases that shouldn't be allowed, input things typical users would not attempt, and try to twist and break that application in any way possible. There are also many open source and licensed automation tools (Acuntix, Zed Attack proxy, Websecurify, etc.) available on the market which perform the dynamic analysis and penetration testing of web application to discover vulnerabilities such as:
- Client Certificate
- Proxy-Chaining
- Local and Remote File Include
- Cross-Site Scripting
- SQL injection
- Information Disclosure Problems
- Session Security Problems, etc.
Much obliged to you for helping individuals get the data they require. Extraordinary stuff not surprisingly. Keep up the colossal work!!!
ReplyDeleteowasp