Quality Testing

Hi All,

As part of our security testing, I need a testing approach for the security concepts below, and whether any tools (freeware or licensed) are available for the same. Please help me.

  • CSRF Issues (Cross-Site Request Forgery)
  • Information leakage
  • Missing Secure attribute on SSL cookies
  • Insecure HTTP response headers
  • Weak web transport layer security
  • Insecure Session Management

Regards,

Ganesh Jayam


Replies to This Discussion

The world is becoming smarter every day with software and technology. There is a greater demand for smart applications, especially in the banking and retail sector. The growing dependence on these applications has led to significant security problems. While most companies focus on launching applications in a short time to keep up with the competition, security considerations are often overlooked. So professional quality assurance services should be hired to validate the application.

The pace of digital transformation has been breathtaking, creating non-stop demand for rapid business innovation. This means software applications are being developed and released faster than ever before using agile, rapidly iterative methods. No longer written from scratch, today’s mobile app or embedded device software is instead “assembled” from interconnected APIs, open source components, and cloud delivery methods such as containers and microservices.

Meanwhile, new hacks and attacks are launched every day that exploit hidden weaknesses in new software. This means new vulnerabilities are being exposed and exploited faster, at a pace that many organizations simply cannot match. The practice of application security is therefore required to reduce overall business risk. Yet many organizations lack the tools, talent, and expertise required to succeed.


The software sits at the center of the digital business. For many organizations, their applications simply ARE the business. Websites and applications drive great digital experiences, but only secure applications can deliver them safely. In industry after industry, organizations rely on hundreds if not thousands of applications – scaling the job of application security exponentially.

Security testing techniques look for vulnerabilities in applications. These vulnerabilities could exploit applications. Ideally, security tests are implemented throughout the software development life cycle (SDLC) to help resolve vulnerabilities in a timely and comprehensive manner.

Vulnerability analysis is usually the process of looking for vulnerabilities in an app. Although this may be done manually, automated scanners are usually used to identify the main vulnerabilities. Static and dynamic analysis are types of vulnerability analysis.

Static Vulnerability Analysis

During static analysis, the application's source code is analyzed. In most cases, a hybrid automatic/manual approach is used.

Dynamic Vulnerability Analysis

The focus of dynamic analysis (also called DAST, or Dynamic Application Security Testing) is the testing and evaluation of apps via their real-time execution.

Penetration Testing

It is one of the popular approaches to validating the security of web applications.

Preparation - defining the scope of security testing, including identifying applicable security controls, the organization's testing goals, and sensitive data

Intelligence Gathering - analyzing the environmental and architectural context of the application to gain a general contextual understanding.

Mapping the Application - based on information from the previous phases; may be complemented by automated scanning and manually exploring the application.

Exploitation - in this phase, the security tester tries to penetrate the application by exploiting the vulnerabilities identified during the previous phase.

Reporting - in this phase, which is essential to the client, the security tester reports the vulnerabilities he or she has been able to exploit.

There are various tools available for scanning a web application for vulnerabilities. A few of them are listed below.

1. Arachni
2. Zed Attack Proxy (ZAP)
3. Iron Wasp
4. SQLMap
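As an added example (not from the original post or its author), here is a passive check in Python for three of the items in the question above: the missing Secure attribute on cookies, insecure HTTP response headers, and information leakage through version banners. It is the kind of check a DAST proxy such as ZAP applies to every captured response; the two header lists are constructed samples, one weak and one hardened.

```python
import re

# Constructed sample responses, as (name, value) pairs a DAST proxy would capture.
WEAK_HEADERS = [
    ("Server", "Apache/2.4.29 (Ubuntu)"),
    ("X-Powered-By", "PHP/7.2.3"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]
SESSION_COOKIE_RE = re.compile(r"sess|auth|token", re.I)  # heuristic for session cookies

def check_cookie(set_cookie):
    """Findings for one Set-Cookie value; session cookies must also be HttpOnly."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure attribute")
    if "samesite" not in attrs:
        findings.append(f"cookie {name}: missing SameSite attribute (CSRF exposure)")
    if SESSION_COOKIE_RE.search(name) and "httponly" not in attrs:
        findings.append(f"cookie {name}: session cookie missing HttpOnly")
    return findings

def check_response(headers):
    """Return all findings for a response; an empty list means nothing was flagged."""
    present, findings = {}, []
    for name, value in headers:
        present.setdefault(name.lower(), []).append(value)
        if name.lower() == "set-cookie":
            findings.extend(check_cookie(value))
    for h in ("strict-transport-security", "x-content-type-options", "content-security-policy"):
        if h not in present:
            findings.append(f"missing {h} header")
    csp = " ".join(present.get("content-security-policy", []))
    if "x-frame-options" not in present and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    for h in ("server", "x-powered-by"):
        for v in present.get(h, []):
            if re.search(r"\d+\.\d+", v):  # a version number in a banner is information leakage
                findings.append(f"information leakage: {h} reveals version '{v}'")
    return findings
```

To run it against a real response, pass the header pairs captured by a proxy or returned by `http.client`'s `getheaders()`.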

© 2019   Created by Quality Testing.   Powered by