London software testing news UK

Web testing and reporting best practices

Posted in Acceptance testing by testing in London on March 14, 2008

From Search Security

As Web application attacks become more common, the need for tools to check Web sites for vulnerabilities grows. The days of picking at Web sites by hand and checking for common hacks are gone. Instead, automated testing tools generate reports for management to review and for developers to use as guidelines when fixing security bugs.

Web scanning has become part of the testing routine used for catching other bugs in the software development life cycle. And since Web security has become a part of industry requirements like the Payment Card Industry Data Security Standard (PCI DSS), scanning for vulnerabilities is no longer a luxury; it’s now a compliance mandate.

If a scan is for compliance, it can focus on just regulatory requirements. Section 6.5 of PCI, for example, requires testing for the top ten vulnerabilities listed by the Open Web Application Security Project (OWASP). This is an excellent starting point and covers the vast majority of Web hacking attacks.

But if tests are a routine part of a company’s software development life cycle, it’s a good idea to run a broader scan. Ideally, corporate scanning should be wrapped around the company’s IT security policy. Some policies may mandate, for example, two-factor authentication for high-risk transactional sites, or password requirements that the OWASP list does not cover; those should be tested as well.

Remember, compliance pleases auditors and regulators, but there’s more to security than checking off lists.
