Saturday, August 8, 2009

Web Application Security Testing

Security testing provides evidence that an application sufficiently fulfills its requirements in the face of hostile and malicious inputs. [Source]

Security is an ongoing process. You need security built into your applications for three primary reasons:

First, any decent hacker can exploit a weakness in any application after becoming familiar with the language it was created in. The Melissa virus is an excellent example of this type of exploit.

Second, application security should be a priority for your organization, because not everyone needs access to every piece of information you may have. As discussed in the chapter, personnel files are a perfect example of information that should be accessible only to a select number of people, based on user rights and privileges.

Third, you need authentication, authorization, and nonrepudiation principles to be an integral part of securing your applications both on the Web and within your private networks.

Examples of different types of security used within organizations:

Digital signatures: A digital signature is most often contained within a digital certificate and can be used within documents whether they are encrypted or not. The true value of a digital signature is that it identifies, without question, the originator of the document.

PGP: PGP is the standard for e-mail security used by both individuals and corporations. The great benefit of PGP is that it can be used to encrypt and decrypt e-mail messages and attachments. One additional benefit is that it can be used anywhere in the world with the same level of security used in the United States. This is a hard-to-find feature in e-mail security.

SSL and TLS: SSL and TLS are used for system-to-system authentication and data encryption. They work between the application layer and the network layer, just above TCP/IP, and running them in this manner allows data to be transferred securely over encrypted connections. [Source]

The most prevalent web application vulnerabilities are Cross-Site Scripting, Information Leakage, SQL Injection and Predictable Resource Location. As a rule, Cross-Site Scripting and SQL Injection vulnerabilities appear due to system design errors, while Information Leakage and Predictable Resource Location are often connected with improper system administration (for example, weak access control). [Source]
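To make the "design error" point concrete, here is an added example (not code from the original post) of the kind of security test this article is about: it feeds hostile inputs to a query that concatenates user input into SQL and to a page that reflects input without encoding, then runs the same inputs through a parameterized query and an HTML-encoded output. Everything is constructed for the example and uses only the Python standard library with an in-memory SQLite database; the table, rows and function names are assumptions, not part of any real application.

```python
"""Added example (not from the original post): a small security test that
contrasts a SQL-injection-prone query with a parameterized one, and unescaped
with HTML-escaped output, using only the Python standard library."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Design error: user input is concatenated into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the input is bound as a parameter and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def render_greeting_vulnerable(name: str) -> str:
    """Design error: reflects input into HTML without encoding (XSS)."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: HTML-encodes the untrusted value before it reaches the page."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def run_security_tests() -> dict:
    """Run constructed hostile inputs through both versions and report the result.

    A passing security test is one where the hardened functions leak nothing:
    the parameterized lookup returns no rows for the probe, and the encoded
    output contains no live tag.
    """
    conn = make_db()
    sqli_probe = "x' OR '1'='1"          # constructed probe, not a real request
    xss_probe = "<script>alert(1)</script>"  # constructed probe, not a real request
    return {
        "sqli_vulnerable_rows": find_user_vulnerable(conn, sqli_probe),
        "sqli_safe_rows": find_user_safe(conn, sqli_probe),
        "xss_vulnerable_has_tag": "<script>" in render_greeting_vulnerable(xss_probe),
        "xss_safe_has_tag": "<script>" in render_greeting_safe(xss_probe),
    }


if __name__ == "__main__":
    for key, value in run_security_tests().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every user for the probe because the quote in the input closes the string literal and the rest becomes SQL; the parameterized version returns nothing because the whole probe is compared as data. Likewise the encoded greeting contains `&lt;script&gt;` rather than a tag the browser would execute. Tests like these belong in the regular test suite so that a later refactor cannot reintroduce the concatenation.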

Please see in-depth post on SQL Injection, Cookie Testing, Cross-Site Scripting (XSS).

Also See:
How to completely test a Website?
Usability Testing