Today, millions of web applications exist to make our lives easier and much more interesting. We can shop online, pay bills, chat with friends and relatives, or communicate with people all over the world who have the same hobbies and interests as ours… Web applications make us feel as if we can make everything we imagine happen on the web.

But not all of us have the same perception of those applications.  The reality is that there are always “malicious” attackers trying to destroy the web “paradise” by attacking web applications and stealing data. That means that John and Jane Doe, who communicate and share information, are almost never alone. The “malicious” Eve is always lurking, waiting for the perfect moment to attack.


SECURITY TESTING

In order to develop secure applications, it is necessary to use a security development lifecycle. Security should be considered and tested throughout the application project lifecycle, especially when the application deals with crucial information and data that is of great importance. Web application security testing is a process that verifies that the information system protects the data and maintains its intended functionality. It involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities.  The primary purpose is to identify the vulnerabilities, and subsequently repairs them. The six basic security concepts are:

  • Confidentiality – Information should be accessible to only those with authorized access
  • Integrity – A measure intended to allow the receiver to determine that the information which it is providing is correct
  • Authentication – Establishes the identity of the user
  • Authorization – User should receive a service or perform an action for which he has permission
  • Availability – Information and communication services should be ready any time, as needed
  • Non-repudiation – Prevent later denial that an action happened

 

WHAT IS SO DIFFERENT ABOUT SECURITY

Security testing is a critical challenge for test engineers. They face the problem of insecure software, which is perhaps one of the most crucial technical problems of our time.  It’s difficult to make software behave correctly in the presence of malicious attacks.

The test engineers who perform security testing need to understand the specifications and logic implemented in the application, and must examine all possible scenarios under which the application can be cracked. This is extremely difficult.
They’re required to have excellent knowledge, but also be able to play the role of creative hacker in order to predict their steps and protect the application.

 

Author:
Natasha Urdovska,
Quality Assurance Engineer