Cost Effective Web Application Testing

Cost Effective Web Application Testing Hari Pudipeddi www.harinathpv.com harinath@dazasya.in

What is Inside?
What are Web Applications?
History…
Architecture of Web Applications
Testing Web Applications
Testing Techniques
Test effort in SDLC
Tips to speed up your Web App
Free Web Testing Tools
Introducing OWASP
OWASP BoK
Q&A

What are Web Applications?

History…
First Generation
No Sophistication
Simple form submissions
CGI (Common Gateway Interface)
1993 – Late 1990’s
Encapsulating user data in environ variables
Hotmail
Filters
Control access to web site, implement a new framework, or provide security
Live within the execution context of web server
Apache web server modules
Scripting
Scripting languages run code within the web server without being compiled

History…
Flaws of Scripting
Not strongly typed and do not support good programming practices
Generally optimized for particular types of data manipulation. Choosing the wrong scripting language hits on the performance of the application.
It’s difficult (not impossible) to write multi-tier large scale applications
Most of them do not support remote method or web service calls
Web Application Frameworks
J2EE
ASP.NET

Architecture of Web Application

Testing Web Applications
No Silver Bullet
Think Strategically
Align with the SDLC
Test early and Test often
Understand the end-user
System configuration
Repetitive requests
Use the Right TOOLS
Perform White Box
Review Code as much as possible
Develop appropriate metrics for your application

Testing Techniques
Manual Inspections & Reviews
Threat Modeling
Pro’s
Con’s
No supporting technology
Can be used to a variety of situations Flexible
Early in SDLC
Promotes Teamwork
Time Consuming
Supporting material not available
Required significant human thought and skill
Pro’s
Con’s
Practical attackers view of the system
Flexible
Early in SDLC
Relatively New Technique
Good threat models do not mean good software 

Testing Techniques
Source Code Review
Penetration Testing
Pro’s
Con’s
Completeness and Effectiveness
Accuracy
Fast
Requires highly skilled developers
Can miss issues in libraries
Cannot detect run-time errors
Code analyzed can be difference from code used.
Pro’s
Con’s
Can be fast and therefore cheaper
Lower skill set than Code Review
Tests code which is actually exposed
Too late in SDLC
Front impact testing only

Test Effort in SDLC Test Effort in Test Technique

Testing Web Applications – Tips to Speed
Minimize HTTP Requests
Design an Appropriate Content Delivery Network
Expires/Cache – Control Header
Gzip Components
Stylesheets go up
Scripts go down
JavaScript and CSS go out
Minimize JavaScript and CSS
Reduce DNS lookup’s
Avoid Re-directs
Configure ETag’s
Make Ajax Cacheable

Free Web Testing Tools
Jmeter - - Functionality and Performance
QASL – Create automated web application tests
HTTP Test Tool – Scriptable Test Tool for HTTP Protocol solutions
Tellurium – UI based module testing framework
Badboy – Record/Playback, Load Testing

OWASP – The Open Web Application Security Project
www.OWASP.org – Founded in 2001
http://www.owasp.org/index.php/Bangalore - Bangalore Chapter
Development Guide
Testing Guide
Open Source Tools

OWASP Body of Knowledge Core Application Security Knowledge Base Acquiring and Building Secure Applications Verifying Application Security Managing Application Security Application Security Tools AppSec Education and CBT Research to Secure New Technologies Principles Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures OWASP Foundation 501c3 OWASP Community Platform (wiki, forums, mailing lists) Projects Chapters AppSec Conferences Guide to Building Secure Web Applications and Web Services Guide to Application Security Testing and Guide to Application Security Code Review Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues Web Based Learning Environment and Guide for Learning Application Security Guidance and Tools for Measuring and Managing Application Security Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)

Thank You

http://www.harinathpv.com	759
http://www.google.com	2
http://feeds.feedburner.com	2
http://storify.com	1
http://cache.baidu.com	1

Cost Effective Web Application Testing

by Hari Pudipeddi on Jun 28, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 765

Statistics

Cost Effective Web Application Testing — Presentation Transcript