Cost effective web application testing
Download as PPT, PDF0 likes417 views
This document provides an overview of web application testing, including: - A brief history of web applications and how they have evolved from simple forms to complex multi-tier frameworks. - The main techniques for testing web applications, such as manual testing, threat modeling, source code review, and penetration testing. - Where in the software development lifecycle different test techniques should be applied. - Tips for optimizing web applications to improve performance and speed up testing. - An introduction to free web testing tools and the Open Web Application Security Project (OWASP), an organization dedicated to improving web application security.
Cost effective web application testing
- 1. Cost Effective Web Application Testing Hari Pudipeddi www.harinathpv.com harinath@dazasya.in
- 2. What is Inside? What are Web Applications? History… Architecture of Web Applications Testing Web Applications Testing Techniques Test effort in SDLC Tips to speed up your Web App Free Web Testing Tools Introducing OWASP OWASP BoK Q&A
- 3. What are Web Applications?
- 4. History… First Generation No Sophistication Simple form submissions CGI (Common Gateway Interface) 1993 – Late 1990’s Encapsulating user data in environ variables Hotmail Filters Control access to web site, implement a new framework, or provide security Live within the execution context of web server Apache web server modules Scripting Scripting languages run code within the web server without being compiled
- 5. History… Flaws of Scripting Not strongly typed and do not support good programming practices Generally optimized for particular types of data manipulation. Choosing the wrong scripting language hits on the performance of the application. It’s difficult (not impossible) to write multi-tier large scale applications Most of them do not support remote method or web service calls Web Application Frameworks J2EE ASP.NET
- 6. Architecture of Web Application
- 7. Testing Web Applications No Silver Bullet Think Strategically Align with the SDLC Test early and Test often Understand the end-user System configuration Repetitive requests Use the Right TOOLS Perform White Box Review Code as much as possible Develop appropriate metrics for your application
- 8. Testing Techniques Manual Inspections & Reviews Threat Modeling Pro’s Con’s No supporting technology Can be used to a variety of situations Flexible Early in SDLC Promotes Teamwork Time Consuming Supporting material not available Required significant human thought and skill Pro’s Con’s Practical attackers view of the system Flexible Early in SDLC Relatively New Technique Good threat models do not mean good software
- 9. Testing Techniques Source Code Review Penetration Testing Pro’s Con’s Completeness and Effectiveness Accuracy Fast Requires highly skilled developers Can miss issues in libraries Cannot detect run-time errors Code analyzed can be difference from code used. Pro’s Con’s Can be fast and therefore cheaper Lower skill set than Code Review Tests code which is actually exposed Too late in SDLC Front impact testing only
- 10. Test Effort in SDLC Test Effort in Test Technique
- 11. Testing Web Applications – Tips to Speed Minimize HTTP Requests Design an Appropriate Content Delivery Network Expires/Cache – Control Header Gzip Components Stylesheets go up Scripts go down JavaScript and CSS go out Minimize JavaScript and CSS Reduce DNS lookup’s Avoid Re-directs Configure ETag’s Make Ajax Cacheable
- 12. Free Web Testing Tools Jmeter - - Functionality and Performance QASL – Create automated web application tests HTTP Test Tool – Scriptable Test Tool for HTTP Protocol solutions Tellurium – UI based module testing framework Badboy – Record/Playback, Load Testing
- 13. OWASP – The Open Web Application Security Project www.OWASP.org – Founded in 2001 http://www.owasp.org/index.php/Bangalore - Bangalore Chapter Development Guide Testing Guide Open Source Tools
- 14. OWASP Body of Knowledge Core Application Security Knowledge Base Acquiring and Building Secure Applications Verifying Application Security Managing Application Security Application Security Tools AppSec Education and CBT Research to Secure New Technologies Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures OWASP Foundation 501c3 OWASP Community Platform (wiki, forums, mailing lists) Projects Chapters AppSec Conferences Guide to Building Secure Web Applications and Web Services Guide to Application Security Testing and Guide to Application Security Code Review Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues Web Based Learning Environment and Guide for Learning Application Security Guidance and Tools for Measuring and Managing Application Security Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
- 15. Thank You