Checklist Testers Should Follow For Application Security Testing



Web application security testing has many elements, but despite its complexity it doesn't have to be complicated. The key is to know what you want and what you need, and then to follow a deliberate strategy that focuses your effort on the most significant applications.


The following information sets out the what, when, why and how of most web application security testing situations, including determining what you need to test, which tools are best suited for the task, the use of vulnerability scanners and scanner validation, and additional standard tests.


1. What needs to be tested? The scope of your security assessment matters. You may have your own internal specifications, or you may need to understand the requirements of a business partner or client. And you need to get the right people on board.


It should be clear which applications, network systems and code you need to test; how you will test them; and what your specific expectations are for the deliverables. This includes testing any specific user roles the application supports.


2. What tools are best suited for the task? At a minimum, web application security testing requires a web vulnerability scanner, such as Netsparker or Acunetix Web Vulnerability Scanner. For authenticated testing, you'll also need an HTTP proxy such as Burp Suite, which lets you work with user logins, session management, application workflows, and so on.


Other tools are available if source code analysis is a requirement, but be cautious: you get what you pay for with source code analysis tools and, unfortunately, most are expensive.


3. Vulnerability scanning. Rather than trying to build a checklist of every test you want to run for every vulnerability, it's easier to break web application security testing down into the essential categories. When running vulnerability scans, make sure your scanners are testing for the significant issues, such as SQL injection, cross-site scripting and file inclusion.


4. Scanner validation and additional manual checks. As with vulnerability scanners, I can't possibly list every test you need to perform, because there are so many possible areas of weakness. The first thing you need to do is verify every web vulnerability scanner finding to see what is actually exploitable and what matters in the context of your application and your business.

