With the increasing complexity of online business, we now communicate with multiple web applications in our daily life. We pay bills electronically, shop online for a convenient shopping experience, store payment credentials online for easy access and opt for internet banking to save time. Almost all information is now stored in digital form, in one way or another. Though this is the modern way of interacting, it has raised the level of threat: unauthorized access to this private information and these confidential transactions can lead to catastrophic outcomes. This necessitates thorough security testing.
In order to carry out a full-scale security testing of a web application, it is important to know and understand how the online protocols work and communicate with each other. Additionally, if the tester knows the scripting language of the application, it's an added advantage.
Security testing can be categorized into two types, static testing and dynamic testing. There are two ways to carry out security testing: manual and automated.
Dynamic testing tests a running instance of the application. It sends requests to the application and reviews the responses to find any indication of a potential security issue. As this type of testing is based on sending requests and analyzing responses, the conclusion is mainly based on inference from observed behaviour. It is a kind of black box testing, where the tester has no knowledge of the internal structure of the application. Hence, it is possible that some responses may not present an obvious security threat, and some deviations in responses may go unnoticed and unreported.
Dynamic testing can be performed either manually or by using automated testing tools. Automated tools are very efficient in detecting possibilities of SQL injection and Cross-Site Scripting (XSS). Configuration problems with the server and operating system are also tested. Thus, they identify most of the technical vulnerabilities of the web application. However, they are limited in that they have no knowledge of the business logic of the code they are testing. Logical flaws are just as threatening as technical flaws.
Manual testing is performed using web proxy tools. Manual testing looks for data leakage, denial of service, unauthorized access and a proper logical response to a request with predefined parameter values.
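The "proper logical response to predefined parameter values" check above is the part an automated scanner cannot do for you, because it requires knowing what a sensible order looks like. The following is an added example, not code from the original post: a hypothetical order-quote handler with a business-logic flaw, its hardened counterpart, and a small harness that sends each predefined case to a handler and reports the cases whose logical response deviates from what the business expects. The catalogue, prices and coupon limit are constructed for illustration.

```python
"""Constructed example: checking the logical response of a quote handler
against predefined parameter values, the kind of check a manual tester
performs through a web proxy. Both handlers are hypothetical."""

from dataclasses import dataclass

PRICE_TABLE = {"SKU-1": 40.00, "SKU-2": 12.50}  # constructed catalogue


@dataclass
class Order:
    sku: str
    quantity: int
    coupon_percent: int


def quote_unchecked(order: Order) -> float:
    """Hypothetical handler with a business-logic flaw: it trusts the
    quantity and coupon values exactly as submitted. A scanner looking
    only for SQL injection or XSS will report nothing here."""
    price = PRICE_TABLE[order.sku] * order.quantity
    return round(price * (100 - order.coupon_percent) / 100, 2)


def quote_checked(order: Order) -> float:
    """Hardened version: rejects parameter values that make no business sense."""
    if order.sku not in PRICE_TABLE:
        raise ValueError("unknown sku")
    if order.quantity < 1:
        raise ValueError("quantity must be at least 1")
    if not 0 <= order.coupon_percent <= 50:  # constructed policy limit
        raise ValueError("coupon outside permitted range")
    price = PRICE_TABLE[order.sku] * order.quantity
    return round(price * (100 - order.coupon_percent) / 100, 2)


# Predefined parameter values and the logical response expected for each.
# "reject" means the application must refuse the request.
LOGIC_CASES = [
    ("normal order", Order("SKU-1", 2, 10), 72.00),
    ("negative quantity", Order("SKU-1", -3, 0), "reject"),
    ("zero quantity", Order("SKU-2", 0, 0), "reject"),
    ("coupon over 100%", Order("SKU-2", 1, 150), "reject"),
    ("unknown sku", Order("SKU-9", 1, 0), "reject"),
]


def run_logic_checks(handler) -> list[str]:
    """Send each predefined case to the handler and return the names of the
    cases whose logical response deviates from the expected one."""
    failures = []
    for name, order, expected in LOGIC_CASES:
        try:
            outcome = handler(order)
        except (ValueError, KeyError):
            outcome = "reject"
        if outcome != expected:
            failures.append(name)
    return failures


if __name__ == "__main__":
    print("unchecked handler deviations:", run_logic_checks(quote_unchecked))
    print("checked handler deviations:", run_logic_checks(quote_checked))
```

The unchecked handler happily quotes a negative total for a negative quantity and for an over-100% coupon; none of those responses is a server error or an injection signature, so only a tester who knows the expected business behaviour notices them.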
Static analysis reviews the internal assets of the application, such as the source code, configuration files and business logic. It is a more thorough testing process, as it has access to the internal files of the application, and it can also be referred to as a white box testing approach. This reduces the possibilities of false reporting and missed indications. However, the static approach fails to detect security issues that stem from the technical configuration of the server and operating system. Static analysis can also be performed manually or through automated tools.
Automated static tests run consistently against large source code bases. They execute a set of rules, but without any understanding of the context of the web application. Thus, automated static testing has the same limitation as automated dynamic testing.
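To make the "rules without context" limitation concrete, here is an added example (not code from the original post) of a minimal rule-based static check of the kind such tools run: two regular-expression rules that flag SQL queries assembled by string concatenation, formatting or f-strings, executed over four constructed source snippets. The rules, snippet names and messages are all assumptions made for this illustration; real tools use richer pattern sets, but the context problem shown in the last snippet is the same.

```python
"""Constructed example: a rule-based static check run over constructed
source snippets. It shows what fixed rules catch (queries built from
user-controlled strings), what they correctly ignore (parameterized
queries) and where the lack of context produces a false positive."""

import re

MSG_CONCAT = "SQL query assembled from string concatenation or formatting"
MSG_FSTRING = "SQL query assembled with an f-string"

# A fixed rule set, applied line by line with no knowledge of data flow.
RULES = [
    (re.compile(r'execute\(\s*"[^"]*"\s*(\+|%|\.format\()'), MSG_CONCAT),
    (re.compile(r'execute\(\s*f"'), MSG_FSTRING),
]

# Constructed snippets standing in for files in a code base.
SNIPPET_CONCAT = '''
def find_user(db, name):
    return db.execute("SELECT id FROM users WHERE name = " + name)
'''

SNIPPET_FSTRING = '''
def find_user(db, name):
    return db.execute(f"SELECT id FROM users WHERE name = {name}")
'''

# The hardened form: the value travels as a bound parameter, not as SQL text.
SNIPPET_PARAM = '''
def find_user(db, name):
    return db.execute("SELECT id FROM users WHERE name = ?", (name,))
'''

# Concatenation of a compile-time constant: safe, but the rule cannot tell
# a constant from user input, so it is reported anyway (a false positive).
SNIPPET_CONSTANT = '''
TABLE = "users"
def all_users(db):
    return db.execute("SELECT id FROM " + TABLE)
'''


def scan(source: str) -> list[tuple[int, str]]:
    """Apply every rule to every line and return (line number, message) findings."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for pattern, message in RULES:
            if pattern.search(line):
                findings.append((line_no, message))
    return findings


def summarize(snippets: dict[str, str]) -> dict[str, int]:
    """Count findings per snippet, the way a tool's summary report would."""
    return {name: len(scan(src)) for name, src in snippets.items()}


if __name__ == "__main__":
    report = summarize({
        "concat": SNIPPET_CONCAT,
        "fstring": SNIPPET_FSTRING,
        "param": SNIPPET_PARAM,
        "constant": SNIPPET_CONSTANT,
    })
    for name, count in report.items():
        print(f"{name}: {count} finding(s)")
```

The first two snippets are real findings and the parameterized version is correctly clean, but the constant-table snippet is flagged with the same confidence as the dangerous ones. Triage of that false positive, like recognising a logic flaw, needs the application context the rule engine does not have.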
Conclusion
Hence, efficient security assessment of web applications can be carried out by following a combination of dynamic or static and manual or automated techniques. It also depends on the resources available, the access provided and the skills available. Different organizations have different rules, and the best security testing strategy is put into practice accordingly.