SlideShare a Scribd company logo

Cost effective web application testing

Download as PPT, PDF
Harinath Pudipeddi, profile picture
Harinath Pudipeddi

This document provides an overview of web application testing, including: - A brief history of web applications and how they have evolved from simple forms to complex multi-tier frameworks. - The main techniques for testing web applications, such as manual testing, threat modeling, source code review, and penetration testing. - Where in the software development lifecycle different test techniques should be applied. - Tips for optimizing web applications to improve performance and speed up testing. - An introduction to free web testing tools and the Open Web Application Security Project (OWASP), an organization dedicated to improving web application security.

Technology
Related topics:
Software Testing Insights Web-Testing
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Cost Effective Web Application Testing Hari Pudipeddi www.harinathpv.com harinath@dazasya.in
What is Inside? What are Web Applications? History… Architecture of Web Applications Testing Web Applications Testing Techniques Test effort in SDLC Tips to speed up your Web App Free Web Testing Tools Introducing OWASP OWASP BoK Q&A
What are Web Applications?
History… First Generation No Sophistication Simple form submissions CGI (Common Gateway Interface) 1993 – Late 1990’s Encapsulating user data in environ variables Hotmail Filters Control access to web site, implement a new framework, or provide security Live within the execution context of web server Apache web server modules Scripting Scripting languages run code within the web server without being compiled
History… Flaws of Scripting Not strongly typed and do not support good programming practices Generally optimized for particular types of data manipulation. Choosing the wrong scripting language hits on the performance of the application. It’s difficult (not impossible) to write multi-tier large scale applications Most of them do not support remote method or web service calls Web Application Frameworks J2EE ASP.NET
Architecture of Web Application
Testing Web Applications No Silver Bullet Think Strategically Align with the SDLC Test early and Test often Understand the end-user System configuration Repetitive requests Use the Right TOOLS Perform White Box Review Code as much as possible Develop appropriate metrics for your application
Testing Techniques Manual Inspections & Reviews Threat Modeling Pro’s Con’s No supporting technology Can be used to a variety of situations Flexible Early in SDLC Promotes Teamwork Time Consuming Supporting material not available Required significant human thought and skill Pro’s Con’s Practical attackers view of the system Flexible Early in SDLC Relatively New Technique Good threat models do not mean good software 
Testing Techniques Source Code Review Penetration Testing Pro’s Con’s Completeness and Effectiveness Accuracy Fast Requires highly skilled developers Can miss issues in libraries Cannot detect run-time errors Code analyzed can be difference from code used. Pro’s Con’s Can be fast and therefore cheaper Lower skill set than Code Review Tests code which is actually exposed Too late in SDLC Front impact testing only
Test Effort in SDLC Test Effort in Test Technique
Testing Web Applications – Tips to Speed Minimize HTTP Requests Design an Appropriate Content Delivery Network Expires/Cache – Control Header Gzip Components Stylesheets go up Scripts go down JavaScript and CSS go out Minimize JavaScript and CSS Reduce DNS lookup’s Avoid Re-directs Configure ETag’s Make Ajax Cacheable
Free Web Testing Tools Jmeter - - Functionality and Performance QASL – Create automated web application tests HTTP Test Tool – Scriptable Test Tool for HTTP Protocol solutions Tellurium – UI based module testing framework Badboy – Record/Playback, Load Testing
OWASP – The Open Web Application Security Project www.OWASP.org – Founded in 2001 http://www.owasp.org/index.php/Bangalore - Bangalore Chapter Development Guide Testing Guide Open Source Tools
OWASP Body of Knowledge Core Application Security Knowledge Base Acquiring and Building Secure Applications Verifying Application Security Managing Application Security Application Security Tools AppSec Education and CBT Research to Secure New Technologies Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures OWASP Foundation 501c3 OWASP Community Platform (wiki, forums, mailing lists) Projects Chapters AppSec Conferences Guide to Building Secure Web Applications and Web Services Guide to Application Security Testing and Guide to Application Security Code Review Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues Web Based Learning Environment and Guide for Learning Application Security Guidance and Tools for Measuring and Managing Application Security Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
Thank You

More Related Content

PDF
АНТОН МУЖАЙЛО «Test Team Development and Management Techniques»
QADay
 
PPTX
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
 
PDF
АННА ТИМОФІЄВА & СЕРГІЙ МАЛИНОВСЬКИЙ «Tools and Tips of video connection test...
QADay
 
PDF
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
DOCX
Vipin_Pandey
Vipin Pandey
 
PPTX
Unit testing : what are you missing for security
Suman Sourav
 
PPTX
Top 10 static code analysis tool
scmGalaxy Inc
 
PPTX
Computer software specialists wikki verma
Livingston Technology Solution
 
АНТОН МУЖАЙЛО «Test Team Development and Management Techniques»
QADay
 
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
 
АННА ТИМОФІЄВА & СЕРГІЙ МАЛИНОВСЬКИЙ «Tools and Tips of video connection test...
QADay
 
SAST vs. DAST: What’s the Best Method For Application Security Testing?
Cigital
 
Vipin_Pandey
Vipin Pandey
 
Unit testing : what are you missing for security
Suman Sourav
 
Top 10 static code analysis tool
scmGalaxy Inc
 
Computer software specialists wikki verma
Livingston Technology Solution
 

What's hot (19)

PDF
Test Driven Development
ZendCon
 
PPTX
Code Review tool for personal effectiveness and waste analysis
Mikalai Alimenkou
 
PPTX
Doing Security Testing in Agile with ease
Karundeep Gill
 
PDF
Top 50 Software Testing Interview Questions & Answers | Edureka
Edureka!
 
PPTX
SonarQube: Continuous Code Inspection
Michael Jesse
 
PPTX
How To Learn Programming For Beginners | How To Start Coding | Learn Programm...
Simplilearn
 
PDF
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat
 
DOC
Resume_sri
SRI RAM
 
PPTX
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
PPTX
DevSecOps: Securing Applications with DevOps
Wouter de Kort
 
PPTX
Code Review
Mikalai Alimenkou
 
PDF
Resume
saigandham1
 
PPTX
DevSecOps - It can change your life (cycle)
Qualitest
 
PDF
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 
PDF
Code Review for iOS
KLabCyscorpions-TechBlog
 
PDF
Code Review: How and When
Paul Gower
 
PPTX
Code Review Best Practices
Trisha Gee
 
DOCX
Code review guidelines
Lalit Kale
 
PPTX
Test automation-framework
Thessaloniki Software Testing and QA meetup
 
Test Driven Development
ZendCon
 
Code Review tool for personal effectiveness and waste analysis
Mikalai Alimenkou
 
Doing Security Testing in Agile with ease
Karundeep Gill
 
Top 50 Software Testing Interview Questions & Answers | Edureka
Edureka!
 
SonarQube: Continuous Code Inspection
Michael Jesse
 
How To Learn Programming For Beginners | How To Start Coding | Learn Programm...
Simplilearn
 
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat
 
Resume_sri
SRI RAM
 
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
DevSecOps: Securing Applications with DevOps
Wouter de Kort
 
Code Review
Mikalai Alimenkou
 
Resume
saigandham1
 
DevSecOps - It can change your life (cycle)
Qualitest
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 
Code Review for iOS
KLabCyscorpions-TechBlog
 
Code Review: How and When
Paul Gower
 
Code Review Best Practices
Trisha Gee
 
Code review guidelines
Lalit Kale
 
Test automation-framework
Thessaloniki Software Testing and QA meetup
 
Ad

Similar to Cost effective web application testing (20)

PDF
Shaloo Verma
Shaloo Verma
 
PPTX
Cyber ppt
karthik menon
 
PPT
Stepin evening presented
Vijayan Reddy
 
DOCX
Software Testing Tools Training
QEdge Tech
 
PDF
VishalSinha_Resume_Ora
Vishal Sinha
 
PPTX
How to Add Test Automation to your Quality Assurance Toolbelt
Brett Tramposh
 
PDF
Ijetcas14 413
Iasir Journals
 
PPTX
Slides for Automation Testing or End to End testing
SwapnilNarayan
 
PPT
Agnitio: its static analysis, but not as we know it
Security BSides London
 
PPT
Testing Mozilla Web Properties
Stephen Donner
 
PDF
Creating a successful continuous testing environment by Eran Kinsbruner
QA or the Highway
 
PPTX
Selenium
Milind Hali
 
PPT
Best Practices In Load And Stress Testing Cmg Seminar[1]
Munirathnam Naidu
 
PPT
GNUCITIZEN Dwk Owasp Day September 2007
guest20ab09
 
PDF
Backend Developer Roadmap PDF By ScholarHat
Scholarhat
 
PDF
Choosing right-automation-tool
BabuDevanandam
 
PDF
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
PPTX
Dev{sec}ops
Steven Carlson
 
DOCX
Syllabus for Technical courses
Montek1Learning
 
PPTX
Software Quality
Joe Walling
 
Shaloo Verma
Shaloo Verma
 
Cyber ppt
karthik menon
 
Stepin evening presented
Vijayan Reddy
 
Software Testing Tools Training
QEdge Tech
 
VishalSinha_Resume_Ora
Vishal Sinha
 
How to Add Test Automation to your Quality Assurance Toolbelt
Brett Tramposh
 
Ijetcas14 413
Iasir Journals
 
Slides for Automation Testing or End to End testing
SwapnilNarayan
 
Agnitio: its static analysis, but not as we know it
Security BSides London
 
Testing Mozilla Web Properties
Stephen Donner
 
Creating a successful continuous testing environment by Eran Kinsbruner
QA or the Highway
 
Selenium
Milind Hali
 
Best Practices In Load And Stress Testing Cmg Seminar[1]
Munirathnam Naidu
 
GNUCITIZEN Dwk Owasp Day September 2007
guest20ab09
 
Backend Developer Roadmap PDF By ScholarHat
Scholarhat
 
Choosing right-automation-tool
BabuDevanandam
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Tom Eston
 
Dev{sec}ops
Steven Carlson
 
Syllabus for Technical courses
Montek1Learning
 
Software Quality
Joe Walling
 
Ad

Recently uploaded (20)

PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Encapsulation theory and applications.pdf
gurumoop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
KodekX | Application Modernization Development
KodekX
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 

Cost effective web application testing

  • 1. Cost Effective Web Application Testing Hari Pudipeddi www.harinathpv.com harinath@dazasya.in
  • 2. What is Inside? What are Web Applications? History… Architecture of Web Applications Testing Web Applications Testing Techniques Test effort in SDLC Tips to speed up your Web App Free Web Testing Tools Introducing OWASP OWASP BoK Q&A
  • 3. What are Web Applications?
  • 4. History… First Generation No Sophistication Simple form submissions CGI (Common Gateway Interface) 1993 – Late 1990’s Encapsulating user data in environ variables Hotmail Filters Control access to web site, implement a new framework, or provide security Live within the execution context of web server Apache web server modules Scripting Scripting languages run code within the web server without being compiled
  • 5. History… Flaws of Scripting Not strongly typed and do not support good programming practices Generally optimized for particular types of data manipulation. Choosing the wrong scripting language hits on the performance of the application. It’s difficult (not impossible) to write multi-tier large scale applications Most of them do not support remote method or web service calls Web Application Frameworks J2EE ASP.NET
  • 6. Architecture of Web Application
  • 7. Testing Web Applications No Silver Bullet Think Strategically Align with the SDLC Test early and Test often Understand the end-user System configuration Repetitive requests Use the Right TOOLS Perform White Box Review Code as much as possible Develop appropriate metrics for your application
  • 8. Testing Techniques Manual Inspections & Reviews Threat Modeling Pro’s Con’s No supporting technology Can be used to a variety of situations Flexible Early in SDLC Promotes Teamwork Time Consuming Supporting material not available Required significant human thought and skill Pro’s Con’s Practical attackers view of the system Flexible Early in SDLC Relatively New Technique Good threat models do not mean good software 
  • 9. Testing Techniques Source Code Review Penetration Testing Pro’s Con’s Completeness and Effectiveness Accuracy Fast Requires highly skilled developers Can miss issues in libraries Cannot detect run-time errors Code analyzed can be difference from code used. Pro’s Con’s Can be fast and therefore cheaper Lower skill set than Code Review Tests code which is actually exposed Too late in SDLC Front impact testing only
  • 10. Test Effort in SDLC Test Effort in Test Technique
  • 11. Testing Web Applications – Tips to Speed Minimize HTTP Requests Design an Appropriate Content Delivery Network Expires/Cache – Control Header Gzip Components Stylesheets go up Scripts go down JavaScript and CSS go out Minimize JavaScript and CSS Reduce DNS lookup’s Avoid Re-directs Configure ETag’s Make Ajax Cacheable
  • 12. Free Web Testing Tools Jmeter - - Functionality and Performance QASL – Create automated web application tests HTTP Test Tool – Scriptable Test Tool for HTTP Protocol solutions Tellurium – UI based module testing framework Badboy – Record/Playback, Load Testing
  • 13. OWASP – The Open Web Application Security Project www.OWASP.org – Founded in 2001 http://www.owasp.org/index.php/Bangalore - Bangalore Chapter Development Guide Testing Guide Open Source Tools
  • 14. OWASP Body of Knowledge Core Application Security Knowledge Base Acquiring and Building Secure Applications Verifying Application Security Managing Application Security Application Security Tools AppSec Education and CBT Research to Secure New Technologies Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures OWASP Foundation 501c3 OWASP Community Platform (wiki, forums, mailing lists) Projects Chapters AppSec Conferences Guide to Building Secure Web Applications and Web Services Guide to Application Security Testing and Guide to Application Security Code Review Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues Web Based Learning Environment and Guide for Learning Application Security Guidance and Tools for Measuring and Managing Application Security Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)