Web testing and reporting best practices
From Search Security
As Web application attacks become more common, the need for tools to check Web sites for vulnerabilities grows. The days of picking at Web sites by hand and checking for common hacks are gone. Instead, automated testing tools generate reports for management to review and for developers to use as guidelines when fixing security bugs.
Web scanning has become part of the testing routine used for catching other bugs in the software development life cycle. And since Web security has become a part of industry requirements like the Payment Card Industry Data Security Standard (PCI DSS), scanning for vulnerabilities is no longer a luxury; it’s now a compliance mandate.
If a scan is for compliance, it can focus on just regulatory requirements. Section 6.5 of PCI, for example, requires testing for the top ten vulnerabilities listed by the Open Web Application Security Project (OWASP). This is an excellent starting point and covers the vast majority of Web hacking attacks.
But if tests are a routine part of a company’s software development life cycle, it’s a good idea to run a broader scan. Ideally, corporate scanning should be wrapped around a company’s IT security policy. Some policies may mandate two-factor authentication for high-risk transactional sites or password policies not listed in OWASP that should also be tested.
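One way to layer the policy-driven checks this paragraph describes on top of a baseline compliance scan, as an added example (Python) that is not part of the original article: the policy, the password rules, the sample site, the scanner output format and all function names are constructed for illustration and do not come from any real scanner. The report separates coverage gaps (required checks the scan never ran) from policy failures (a high-risk site without two-factor authentication, weak passwords the site accepted) and from the ordinary findings handed to developers.

```python
"""Policy-driven checks layered on top of a baseline web vulnerability scan.

Added example, not code from the original article. Every input below (policy,
password rules, site description, scanner findings) is constructed.
"""
import re

# Constructed corporate policy: a baseline set of scan checks plus the extra
# requirements the article mentions (2FA on high-risk sites, password rules).
POLICY = {
    "required_checks": {"sqli", "xss", "broken_auth", "insecure_deserialization"},
    "high_risk_requires_2fa": True,
    "password": {"min_length": 12, "min_classes": 3, "forbid_username": True},
}

# Constructed sample of commonly used passwords (a real list would be far larger).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Used to order developer items: highest severity first.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def password_violations(password, username="", rules=POLICY["password"]):
    """Return the policy rules a candidate password breaks (empty list = compliant)."""
    violations = []
    if len(password) < rules["min_length"]:
        violations.append("too_short")
    classes = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    if classes < rules["min_classes"]:
        violations.append("too_few_classes")
    if rules["forbid_username"] and username and username.lower() in password.lower():
        violations.append("contains_username")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("common_password")
    return violations


def coverage_gaps(checks_run, policy=POLICY):
    """Required checks the scanner did not execute: the gap between a
    compliance-only scan and what the corporate policy demands."""
    return sorted(policy["required_checks"] - set(checks_run))


def build_report(site, policy=POLICY):
    """Summarise one scanned site for management (counts, policy failures)
    and developers (findings ordered by severity)."""
    policy_failures = []
    if policy["high_risk_requires_2fa"] and site["high_risk"] and not site["has_2fa"]:
        policy_failures.append("high_risk_site_without_2fa")
    # Passwords the registration form accepted during testing; the password
    # itself is not written to the report, only its index and the rules broken.
    for index, accepted in enumerate(site["sample_passwords_accepted"]):
        broken = password_violations(accepted, site.get("username", ""), policy["password"])
        if broken:
            policy_failures.append(f"weak_password_accepted#{index}:{','.join(broken)}")
    developer_items = sorted(
        site["findings"], key=lambda f: (SEVERITY_ORDER[f["severity"]], f["check"])
    )
    severity_counts = {}
    for finding in site["findings"]:
        severity_counts[finding["severity"]] = severity_counts.get(finding["severity"], 0) + 1
    return {
        "site": site["name"],
        "coverage_gaps": coverage_gaps(site["checks_run"], policy),
        "policy_failures": policy_failures,
        "severity_counts": severity_counts,
        "developer_items": developer_items,
    }


# Constructed description of one scanned site and a hypothetical scanner's output.
SAMPLE_SITE = {
    "name": "payments.example.test",
    "high_risk": True,
    "has_2fa": False,
    "username": "alice",
    "checks_run": ["sqli", "xss", "broken_auth"],
    "sample_passwords_accepted": ["alice2024!", "Tr0ub4dor&3xyz"],
    "findings": [
        {"check": "xss", "severity": "medium", "url": "/search?q="},
        {"check": "sqli", "severity": "high", "url": "/login"},
    ],
}

if __name__ == "__main__":
    for key, value in build_report(SAMPLE_SITE).items():
        print(f"{key}: {value}")
```

Running the module prints the report for the constructed site: one coverage gap (a required check the scan never ran), two policy failures (no 2FA on a high-risk site, and one accepted password that is both too short and contains the username), and the developer list with the high-severity finding first.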
Remember, compliance pleases auditors and regulators, but there’s more to security than checking off lists.