Web application security: Getting QA involved

by Ryan English

August 2, 2006 —

Quality assurance (QA) departments have traditionally focused on functional testing -- making sure that an application works properly and performs tasks seamlessly. But it is increasingly important for the QA department to be involved in application security testing, a process that includes complex checks, such as testing for SQL injection and cross-site scripting.

Choosing the right tool for Web application security testing

The QA department will need application security testing software that is able to perform tests as a non-authenticated user, an authenticated user, and an administrative user to determine the vulnerabilities inherent in each user class. Additionally, the Web application security tool should be able to perform both automated and manual crawling/spidering of your Web application.

Automated application security testing software will spider the entire application by clicking every button and link, filling out data fields to identify the structure of the program, and then auditing each page for vulnerabilities. It should do this from the outside in, reviewing each portion of the site the way an external hacker might, ideally from behind the scenes. This comprehensive approach ensures that all security holes have been identified and can be fixed. On the down side, it can also produce false positives, and it may not be able to access all of your Web pages due to the way that certain pages are coded.

Manual testing allows a user to focus on specific pathways or tasks on a Web site while the software tracks the process. The program can then audit the particular path that the user has taken for security vulnerabilities and provide a report. Manually crawling an application can be time consuming, but it also ensures that specific pages are tracked and analyzed.

Basic guidelines for choosing an application security testing product

The following basic questions should be addressed when you are looking for a Web application security testing product:

How easy is the product to use?
What kind of training will your QA department require in order to properly use the product?
How well does the product integrate with the tools and software that are already used by your organization?
How often is the product updated with new security checks - daily, weekly, monthly?
What is the false positive rate of the product? While no product is perfect, you want to find a product with as a low a rate as possible so that your resources are not wasted going through false positives.
What partnerships does the company that has created the product have in place? Generally, the more partnerships a company has, the more likely the Web application security product will be integrated with commonly used systems and products.
Does the product appear to evaluate each page of your application or does it get stuck on certain pages?
Does the Web application security product allow the end-user to easily modify scan settings?
What kinds of restrictions are in the product's license?
Are reports easy to read? Do they contain information on the location of the vulnerability, how to execute it, how to verify it, and how to fix it?
Will the vendor allow you to evaluate the product before committing to purchase it?

Conclusion

Web application security is vitally important, and your QA department needs to be involved in order to ensure that your final product is free of security defects. By implementing the proper tools and establishing application security testing early in the QA process, many last-minute security problems will be avoided and you can be confident that you are releasing secure, robust applications.

The ideas expressed in this article are solely those of the author and do not necessarily reflect the opinions of ITworld.com.

SPI Dynamics