cost effective web application testing
DESCRIPTION
I made this presentation while speaking at an organization.
TRANSCRIPT
![Page 1: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/1.jpg)
Cost Effective Web Application Testing
Hari Pudipeddi, www.harinathpv.com
![Page 2: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/2.jpg)
What is Inside?
• What are Web Applications?
• History…
• Architecture of Web Applications
• Testing Web Applications
• Testing Techniques
• Test Effort in SDLC
• Tips to Speed Up Your Web App
• Free Web Testing Tools
• Introducing OWASP
• OWASP BoK
• Q&A
![Page 3: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/3.jpg)
What are Web Applications?
![Page 4: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/4.jpg)
History…
• First Generation
  • No sophistication
  • Simple form submissions
• CGI (Common Gateway Interface), 1993 – late 1990s
  • Encapsulates user data in environment variables
  • Hotmail
• Filters
  • Control access to a web site, implement a new framework, or provide security
  • Live within the execution context of the web server
  • Apache web server modules
• Scripting
  • Scripting languages run code within the web server without being compiled
![Page 5: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/5.jpg)
History…
• Flaws of Scripting
  • Not strongly typed and do not support good programming practices
  • Generally optimized for particular types of data manipulation; choosing the wrong scripting language hurts the performance of the application
  • It is difficult (not impossible) to write multi-tier, large-scale applications
  • Most of them do not support remote method or web service calls
• Web Application Frameworks
  • J2EE
  • ASP.NET
![Page 6: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/6.jpg)
Architecture of Web Application
![Page 7: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/7.jpg)
Testing Web Applications
• No Silver Bullet
• Think Strategically
• Align with the SDLC
• Test Early and Test Often
• Understand the End-User
• System Configuration
• Repetitive Requests
• Use the Right TOOLS
• Perform White Box Testing
• Review Code as Much as Possible
• Develop Appropriate Metrics for Your Application
![Page 8: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/8.jpg)
Testing Techniques
• Manual Inspections & Reviews

| Pros | Cons |
| --- | --- |
| No supporting technology required | Time consuming |
| Can be applied to a variety of situations | Supporting material not always available |
| Flexible | Requires significant human thought and skill |
| Early in the SDLC | |
| Promotes teamwork | |

• Threat Modeling

| Pros | Cons |
| --- | --- |
| Practical attacker's view of the system | Relatively new technique |
| Flexible | Good threat models do not mean good software |
| Early in the SDLC | |
![Page 9: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/9.jpg)
Testing Techniques
• Source Code Review

| Pros | Cons |
| --- | --- |
| Completeness and effectiveness | Requires highly skilled developers |
| Accuracy | Can miss issues in libraries |
| Fast | Cannot detect run-time errors |
| | Code analyzed can be different from code used |

• Penetration Testing

| Pros | Cons |
| --- | --- |
| Can be fast and therefore cheaper | Too late in the SDLC |
| Lower skill set than code review | Front impact testing only |
| Tests code which is actually exposed | |
![Page 10: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/10.jpg)
Test Effort in SDLC
Test Effort per Test Technique
![Page 11: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/11.jpg)
Testing Web Applications – Tips to Speed
• Minimize HTTP Requests
• Design an Appropriate Content Delivery Network
• Expires/Cache-Control Header
• Gzip Components
• Stylesheets Go Up
• Scripts Go Down
• JavaScript and CSS Go Out
• Minimize JavaScript and CSS
• Reduce DNS Lookups
• Avoid Re-directs
• Configure ETags
• Make Ajax Cacheable
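As an added example that is not part of the original slides, a small Python audit that checks a constructed capture of page-load responses against several rules from this checklist (gzip, Expires/Cache-Control, ETags, redirects, DNS lookups); the capture format, the `SAMPLE_CAPTURE` entries and the hostnames in it are assumptions, not data from the talk:

```python
"""Audit captured HTTP responses against the 'Tips to Speed' checklist.

Added example. The (url, status, headers) capture format is an assumption;
a real run would fill it from a proxy log or a browser HAR export.
"""
from urllib.parse import urlparse

# Constructed sample capture: roughly what one page load might produce.
SAMPLE_CAPTURE = [
    {"url": "http://www.example.com/", "status": 301,
     "headers": {"Location": "http://www.example.com/home"}},
    {"url": "http://www.example.com/home", "status": 200,
     "headers": {"Content-Type": "text/html", "Content-Encoding": "gzip",
                 "Cache-Control": "no-cache"}},
    {"url": "http://static.example.com/app.js", "status": 200,
     "headers": {"Content-Type": "application/javascript",
                 "Cache-Control": "max-age=31536000", "ETag": '"abc123"',
                 "Content-Encoding": "gzip"}},
    {"url": "http://cdn.other.net/style.css", "status": 200,
     "headers": {"Content-Type": "text/css"}},
]

# Content types that are worth compressing (images are normally already compressed).
COMPRESSIBLE = ("text/", "application/javascript", "application/json")


def audit_response(entry):
    """Return the names of the checklist rules a single response violates."""
    headers = {k.lower(): v for k, v in entry["headers"].items()}
    ctype = headers.get("content-type", "")
    problems = []
    if 300 <= entry["status"] < 400:
        return ["Avoid Re-directs"]          # other rules do not apply to a redirect
    if ctype.startswith(COMPRESSIBLE) and headers.get("content-encoding") != "gzip":
        problems.append("Gzip Components")
    if "expires" not in headers and "max-age" not in headers.get("cache-control", ""):
        problems.append("Expires/Cache-Control Header")
    if "etag" not in headers:
        problems.append("Configure ETags")
    return problems


def audit_capture(capture):
    """Map each URL to its violations and count distinct hosts (one DNS lookup each)."""
    report = {e["url"]: audit_response(e) for e in capture}
    hosts = {urlparse(e["url"]).hostname for e in capture}
    report["_dns_lookups"] = len(hosts)
    return report
```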
![Page 12: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/12.jpg)
Free Web Testing Tools
JMeter – Functionality and Performance
QASL – Create automated web application tests
HTTP Test Tool – Scriptable Test Tool for HTTP Protocol solutions
Tellurium – UI based module testing framework
Badboy – Record/Playback, Load Testing
![Page 13: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/13.jpg)
OWASP – The Open Web Application Security Project
www.OWASP.org – Founded in 2001
http://www.owasp.org/index.php/Bangalore – Bangalore Chapter
Development Guide
Testing Guide
Open Source Tools
![Page 14: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/14.jpg)
OWASP Body of Knowledge (diagram)
• Core Application Security Knowledge Base: Principles; Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures
• Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
• Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review
• Managing Application Security: Guidance and Tools for Measuring and Managing Application Security
• Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
• AppSec Education and CBT: Web Based Learning Environment and Guide for Learning Application Security
• Research to Secure New Technologies: Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
• Supported by: OWASP Foundation 501c3; OWASP Community Platform (wiki, forums, mailing lists); Projects; Chapters; AppSec Conferences
![Page 15: Cost effective web application testing](https://reader035.vdocument.in/reader035/viewer/2022070317/556413c3d8b42a0d0c8b544d/html5/thumbnails/15.jpg)
Thank You