Cost effective web application testing

Cost Effective Web Application Testing
Hari Pudipeddi, www.harinathpv.com, [email protected]
15 pages


I made this presentation while speaking at an organization.

Transcript of Cost effective web application testing

Page 1: Cost effective web application testing

Cost Effective Web Application Testing

Hari Pudipeddi, www.harinathpv.com

[email protected]

Page 2

What is Inside?

• What are Web Applications?
• History
• Architecture of Web Applications
• Testing Web Applications
• Testing Techniques
• Test Effort in SDLC
• Tips to Speed Up Your Web App
• Free Web Testing Tools
• Introducing OWASP
• OWASP BoK (Body of Knowledge)
• Q&A

Page 3

What are Web Applications?

Page 4

History

• First Generation
  • No sophistication
  • Simple form submissions

• CGI (Common Gateway Interface), 1993 – late 1990s
  • User data is handed to the program encapsulated in environment variables
  • Hotmail

• Filters
  • Control access to a web site, implement a new framework, or provide security
  • Live within the execution context of the web server
  • Apache web server modules

• Scripting
  • Scripting languages run code within the web server without a separate compilation step

Page 5

History (continued)

• Flaws of scripting
  • Not strongly typed and do not encourage good programming practices
  • Generally optimized for particular kinds of data manipulation; choosing the wrong scripting language hurts the application's performance
  • It is difficult (not impossible) to write large-scale multi-tier applications
  • Most of them do not support remote method or web service calls

• Web application frameworks
  • J2EE
  • ASP.NET

Page 6

Architecture of Web Applications (diagram)

Page 7

Testing Web Applications

• No silver bullet
  • Think strategically
  • Align with the SDLC
  • Test early and test often
  • Understand the end user

• System configuration
• Repetitive requests

• Use the right tools
  • Perform white-box testing
  • Review code as much as possible
  • Develop appropriate metrics for your application

Page 8

Testing Techniques

• Manual Inspections & Reviews
  Pros: no supporting technology needed; can be applied to a variety of situations; flexible; early in the SDLC; promotes teamwork
  Cons: time consuming; supporting material not always available; requires significant human thought and skill

• Threat Modeling
  Pros: practical attacker's view of the system; flexible; early in the SDLC
  Cons: relatively new technique; a good threat model does not mean good software

Page 9

Testing Techniques (continued)

• Source Code Review
  Pros: completeness and effectiveness; accuracy; fast
  Cons: requires highly skilled developers; can miss issues in libraries; cannot detect run-time errors; the code analyzed can differ from the code actually deployed

• Penetration Testing
  Pros: can be fast and therefore cheaper; lower skill set than code review; tests the code that is actually exposed
  Cons: too late in the SDLC; front-impact testing only (it exercises only what is reachable from the outside)

Page 10

Test Effort in SDLC (chart)

Test Effort by Test Technique (chart)

Page 11

Tips to Speed Up Your Web App

• Minimize HTTP requests
• Use an appropriate content delivery network
• Add Expires / Cache-Control headers
• Gzip components
• Put stylesheets at the top
• Put scripts at the bottom
• Make JavaScript and CSS external
• Minify JavaScript and CSS
• Reduce DNS lookups
• Avoid redirects
• Configure ETags
• Make Ajax cacheable

Caveat: the caching rules are for static and shared content. A response that carries per-user data (anything produced after login, including cacheable Ajax) must be marked Cache-Control: private or no-store; otherwise a shared cache can serve one user's page to another.
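Most of these rules can be checked mechanically from one captured response, which keeps the check cheap and repeatable. The block below is an added example and not from the original slides: a Python checker for the rules that are decidable from a status code, the response headers and the HTML body, plus the caching caveat (a cacheable response that sets a session cookie). The sample headers and HTML are constructed for illustration; the ETag test is a heuristic for the three-part inode-size-mtime ETag that older Apache versions emit by default, and the DNS-lookup threshold of four hostnames is an assumption.

```python
"""Added example (not from the original slides): check a captured response
against the speed-up rules that can be judged from one response."""

import re
import urllib.parse
from html.parser import HTMLParser


class _PageAssets(HTMLParser):
    """Collects what the page will fetch and where stylesheets/scripts sit."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.asset_urls = []      # external CSS/JS/images the browser must request
        self.css_in_body = 0      # stylesheets that should have been in <head>
        self.scripts_in_head = 0  # scripts that should have been at the bottom
        self.inline_code = 0      # <style> / inline <script> blocks (not cacheable)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "link" and (attrs.get("rel") or "").lower() == "stylesheet":
            self.asset_urls.append(attrs.get("href", ""))
            if not self.in_head:
                self.css_in_body += 1
        elif tag == "script":
            if attrs.get("src"):
                self.asset_urls.append(attrs["src"])
                if self.in_head:
                    self.scripts_in_head += 1
            else:
                self.inline_code += 1
        elif tag == "style":
            self.inline_code += 1
        elif tag == "img" and attrs.get("src"):
            self.asset_urls.append(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


# Heuristic (assumption): old Apache default ETags look like "inode-size-mtime"
# in hex; the inode differs per server, so a cluster never gets cross-node hits.
_APACHE_INODE_ETAG = re.compile(r'(W/)?"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"')
_MAX_HOSTS = 4  # assumed threshold for "reduce DNS lookups"


def check_speed_rules(status, headers, body):
    """`headers` maps lowercase header names to values.  Returns the failed
    rules (empty list means clean) plus the request and hostname counts."""
    assets = _PageAssets()
    assets.feed(body)
    hosts = {urllib.parse.urlsplit(u).hostname for u in assets.asset_urls}
    hosts.discard(None)  # relative URLs reuse the page's own host
    cache = headers.get("cache-control", "").lower()
    failed = []
    if status in (301, 302, 303, 307, 308):
        failed.append("avoid redirects")
    if "expires" not in headers and "max-age" not in cache:
        failed.append("set Expires / Cache-Control")
    if headers.get("content-encoding", "").lower() != "gzip":
        failed.append("gzip components")
    if assets.css_in_body:
        failed.append("stylesheets at the top")
    if assets.scripts_in_head:
        failed.append("scripts at the bottom")
    if assets.inline_code:
        failed.append("JavaScript and CSS external")
    if len(hosts) > _MAX_HOSTS:
        failed.append("reduce DNS lookups")
    if _APACHE_INODE_ETAG.fullmatch(headers.get("etag", "")):
        failed.append("configure ETags (inode-based)")
    # Caching caveat: a response that sets a session cookie is per-user; letting
    # a shared cache store it can hand one user's page to another.
    shared_cacheable = "public" in cache or ("max-age" in cache and "private" not in cache)
    if "set-cookie" in headers and shared_cacheable:
        failed.append("per-user response marked cacheable")
    return {"failed": failed, "requests": len(assets.asset_urls), "hosts": len(hosts)}


# Constructed sample: a page that breaks several rules at once.
SAMPLE_HEADERS = {
    "content-type": "text/html",
    "etag": '"10c24bc-4ab-457e1c1f"',
    "cache-control": "public, max-age=3600",
    "set-cookie": "JSESSIONID=abc123; Path=/",
}
SAMPLE_HTML = """<html><head>
<script src="http://static1.example.com/app.js"></script>
<style>body{margin:0}</style>
</head><body>
<img src="http://img.example.com/a.png">
<link rel="stylesheet" href="/site.css">
<script>init();</script>
</body></html>"""

if __name__ == "__main__":
    print(check_speed_rules(200, SAMPLE_HEADERS, SAMPLE_HTML))
```

Minification and the CDN rule are not judged here because they cannot be decided from a single response; the rest is enough to fail a build before the expensive manual testing starts.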

Page 12

Free Web Testing Tools

• JMeter – functional and performance testing
• QASL – create automated web application tests
• HTTP Test Tool – scriptable test tool for HTTP protocol solutions
• Tellurium – UI-based module testing framework
• Badboy – record/playback, load testing

Page 13

OWASP – The Open Web Application Security Project

• www.OWASP.org – founded in 2001
• Bangalore Chapter: http://www.owasp.org/index.php/Bangalore
• Development Guide
• Testing Guide
• Open Source Tools

Page 14

OWASP Body of Knowledge (diagram)

Core Application Security Knowledge Base: Principles; Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures

• Acquiring and Building Secure Applications – Guide to Building Secure Web Applications and Web Services
• Verifying Application Security – Guide to Application Security Testing and Guide to Application Security Code Review
• Managing Application Security – Guidance and Tools for Measuring and Managing Application Security
• Application Security Tools – Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
• AppSec Education and CBT – Web Based Learning Environment and Guide for Learning Application Security
• Research to Secure New Technologies – Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)

Supported by the OWASP Foundation (501c3), the OWASP Community Platform (wiki, forums, mailing lists), Projects, Chapters, and AppSec Conferences

Page 15

Thank You