Cost Effective Web Application Testing
Cost Effective Web Application Testing
Hari Pudipeddi – www.harinathpv.com
What is Inside?
• What are Web Applications?
• History…
• Architecture of Web Applications
• Testing Web Applications
• Testing Techniques
• Test effort in SDLC
• Tips to speed up your Web App
• Free Web Testing Tools
• Introducing OWASP
• OWASP BoK
• Q&A
What are Web Applications?
History…
• First Generation
  • No sophistication
  • Simple form submissions
• CGI (Common Gateway Interface)
  • 1993 – late 1990’s
  • Encapsulates user data in environment variables
  • Hotmail
• Filters
  • Control access to a web site, implement a new framework, or provide security
  • Live within the execution context of the web server
  • Apache web server modules
• Scripting
  • Scripting languages run code within the web server without being compiled
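As an added illustration (not part of the deck) of the CGI model described above: the web server hands the request to the program through environment variables (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH) and puts any POST body on standard input; the program answers on standard output. The field name `name`, the `MAX_BODY` limit and the helper names are this example's own assumptions. Everything that arrives this way is attacker-controlled, so the example bounds the body size it will read and escapes the input before echoing it into HTML.

```python
"""Added example: how a CGI program receives user data and answers the server.
The 'name' field, MAX_BODY and the helper names are assumptions of this example."""
import html
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024  # refuse bodies larger than this instead of trusting CONTENT_LENGTH blindly


def read_form(environ, stdin):
    """Return the submitted fields as {name: [values]} from a CGI environment."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "GET":
        # For GET the whole form travels in the QUERY_STRING environment variable.
        raw = environ.get("QUERY_STRING", "")
    elif method == "POST":
        # For POST the server sets CONTENT_LENGTH and streams the body on stdin.
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            raise ValueError("malformed CONTENT_LENGTH")
        if not 0 <= length <= MAX_BODY:
            raise ValueError("body too large")
        raw = stdin.read(length).decode("utf-8", "replace")
    else:
        raise ValueError("unsupported method: " + method)
    return parse_qs(raw, keep_blank_values=True)


def render(fields):
    """Build the CGI reply: header block, blank line, then HTML with user input escaped."""
    name = fields.get("name", [""])[0]
    safe = html.escape(name, quote=True)  # neutralise <, >, &, quotes before echoing
    page = "<html><body><p>Hello, %s</p></body></html>" % safe
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + page


if __name__ == "__main__":
    if "REQUEST_METHOD" in os.environ:
        # Real CGI invocation: environment and stdin come from the web server.
        sys.stdout.write(render(read_form(os.environ, sys.stdin.buffer)))
    else:
        # Constructed sample request for running the script directly.
        import io
        env = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": "9"}
        print(render(read_form(env, io.BytesIO(b"name=Hari"))))
```

Run under a real web server the script reads its environment; run by hand it processes the constructed POST. The two defensive points are the ones CGI-era applications most often missed: the body length comes from the client, so it is capped before reading, and the echoed value is HTML-escaped on output.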
History…
• Flaws of Scripting
  • Not strongly typed and do not support good programming practices
  • Generally optimized for particular types of data manipulation; choosing the wrong scripting language hurts the performance of the application
  • Difficult (though not impossible) to write multi-tier, large-scale applications
  • Most do not support remote method or web service calls
• Web Application Frameworks
  • J2EE
  • ASP.NET
Architecture of Web Application
Testing Web Applications
• No Silver Bullet
  • Think strategically
  • Align with the SDLC
  • Test early and test often
  • Understand the end-user
• System configuration
  • Repetitive requests
• Use the right TOOLS
  • Perform white-box testing
  • Review code as much as possible
  • Develop appropriate metrics for your application
Testing Techniques
• Manual Inspections & Reviews
  Pros: no supporting technology needed; can be applied to a variety of situations; flexible; early in the SDLC; promotes teamwork
  Cons: time consuming; supporting material not always available; requires significant human thought and skill
• Threat Modeling
  Pros: practical attacker’s view of the system; flexible; early in the SDLC
  Cons: relatively new technique; good threat models do not mean good software
Testing Techniques
• Source Code Review
  Pros: completeness and effectiveness; accuracy; fast
  Cons: requires highly skilled developers; can miss issues in libraries; cannot detect run-time errors; code analyzed can differ from code used
• Penetration Testing
  Pros: can be fast and therefore cheaper; lower skill set than code review; tests code which is actually exposed
  Cons: too late in the SDLC; front-impact testing only
Test Effort in SDLC
Test Effort in Test Technique
Testing Web Applications – Tips to Speed
• Minimize HTTP requests
• Design an appropriate content delivery network
• Add Expires/Cache-Control headers
• Gzip components
• Stylesheets go at the top
• Scripts go at the bottom
• JavaScript and CSS go out (into external files)
• Minimize JavaScript and CSS
• Reduce DNS lookups
• Avoid redirects
• Configure ETags
• Make Ajax cacheable
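An added example, not from the slides, showing how several of these tips (Expires/Cache-Control headers, gzip components, ETags, cacheable Ajax) come together when one response is built. The function names and the specific cache lifetimes (one year for static assets, one minute for JSON, always revalidate for HTML) are this example's own assumptions, not a recommendation from the deck:

```python
"""Added example: apply the caching and compression tips to one HTTP response.
Function names and cache lifetimes are assumptions of this example."""
import gzip
import hashlib
import mimetypes
from email.utils import formatdate

ONE_YEAR = 365 * 24 * 3600
# Only text-like bodies benefit from gzip; images and archives are already compressed.
COMPRESSIBLE = ("text/", "application/javascript", "application/json", "application/xml")


def content_type_for(path):
    ctype, _ = mimetypes.guess_type(path)
    return ctype or "application/octet-stream"


def strong_etag(body):
    # Content-derived ETag: identical on every server behind a load balancer
    # (unlike an inode-based tag), so conditional requests keep producing 304s.
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def cache_policy(ctype):
    """Return (Cache-Control value, max-age seconds or None) for a content type."""
    if ctype.startswith("text/html"):
        return "no-cache", None                         # pages: always revalidate
    if ctype == "application/json":
        return "private, max-age=60", 60                # Ajax data: cacheable for a minute
    return "public, max-age=%d" % ONE_YEAR, ONE_YEAR    # versioned static assets


def prepare_response(path, body, request_headers, now=0):
    """Build (status, response headers, bytes) for a static file or Ajax reply."""
    req = {k.lower(): v for k, v in request_headers.items()}
    ctype = content_type_for(path)
    etag = strong_etag(body)
    cache_control, max_age = cache_policy(ctype)
    headers = {"ETag": etag, "Cache-Control": cache_control, "Vary": "Accept-Encoding"}
    if max_age is not None:
        headers["Expires"] = formatdate(now + max_age, usegmt=True)
    if req.get("if-none-match") == etag:
        return 304, headers, b""                        # client copy still valid: no body sent
    headers["Content-Type"] = ctype
    out = body
    if ctype.startswith(COMPRESSIBLE) and "gzip" in req.get("accept-encoding", "") and len(body) > 256:
        out = gzip.compress(body, mtime=0)              # mtime=0 keeps the output deterministic
        headers["Content-Encoding"] = "gzip"
    headers["Content-Length"] = str(len(out))
    return 200, headers, out


if __name__ == "__main__":
    # Constructed sample: a stylesheet fetched twice, the second time conditionally.
    css = b"body { margin: 0; }\n" * 40
    status, hdrs, data = prepare_response("site.css", css, {"Accept-Encoding": "gzip, deflate"})
    print(status, hdrs["Cache-Control"], hdrs.get("Content-Encoding"), len(data), "bytes")
    status, hdrs, data = prepare_response("site.css", css, {"If-None-Match": hdrs["ETag"]})
    print(status, len(data), "bytes")
```

Two details matter for correctness as much as for speed: `Vary: Accept-Encoding` is set on every response so a shared cache never serves a gzipped body to a client that did not ask for one, and the ETag is derived from content rather than file metadata so it stays valid across a server farm.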
Free Web Testing Tools
JMeter – Functionality and Performance
QASL – Create automated web application tests
HTTP Test Tool – Scriptable Test Tool for HTTP Protocol solutions
Tellurium – UI based module testing framework
Badboy – Record/Playback, Load Testing
OWASP – The Open Web Application Security Project
www.OWASP.org – Founded in 2001
http://www.owasp.org/index.php/Bangalore – Bangalore Chapter
Development Guide
Testing Guide
Open Source Tools
OWASP Body of Knowledge
• Core Application Security Knowledge Base – Principles; Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures
• Acquiring and Building Secure Applications – Guide to Building Secure Web Applications and Web Services
• Verifying Application Security – Guide to Application Security Testing and Guide to Application Security Code Review
• Managing Application Security – Guidance and Tools for Measuring and Managing Application Security
• Application Security Tools – Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
• AppSec Education and CBT – Web Based Learning Environment and Guide for Learning Application Security
• Research to Secure New Technologies – Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
• OWASP Foundation 501c3
• OWASP Community Platform (wiki, forums, mailing lists) – Projects, Chapters, AppSec Conferences
Thank You