Cost Effective Web Application Testing

In this presentation, I revisited the basics and fundamentals of Cost Effective Testing.

Cost Effective Web Application Testing

  1. Cost Effective Web Application Testing
     Hari Pudipeddi
     www.harinathpv.com
     harinath@dazasya.in

  2. What is Inside?
     - What are Web Applications?
     - History…
     - Architecture of Web Applications
     - Testing Web Applications
     - Testing Techniques
     - Test effort in SDLC
     - Tips to speed up your Web App
     - Free Web Testing Tools
     - Introducing OWASP
     - OWASP BoK
     - Q&A

  3. What are Web Applications?

  4. History…
     - First Generation
       - No sophistication
       - Simple form submissions
     - CGI (Common Gateway Interface)
       - 1993 – late 1990s
       - Encapsulates user data in environment variables
       - Hotmail
     - Filters
       - Control access to a web site, implement a new framework, or provide security
       - Live within the execution context of the web server
       - Apache web server modules
     - Scripting
       - Scripting languages run code within the web server without being compiled

  5. History…
     - Flaws of Scripting
       - Not strongly typed and do not support good programming practices
       - Generally optimized for particular types of data manipulation; choosing the wrong scripting language hurts the performance of the application
       - It is difficult (not impossible) to write multi-tier, large-scale applications
       - Most of them do not support remote method or web service calls
     - Web Application Frameworks
       - J2EE
       - ASP.NET

  6. Architecture of Web Application

  7. Testing Web Applications
     - No silver bullet
     - Think strategically
     - Align with the SDLC
     - Test early and test often
     - Understand the end-user
       - System configuration
       - Repetitive requests
     - Use the right TOOLS
     - Perform white box testing
     - Review code as much as possible
     - Develop appropriate metrics for your application

  8. Testing Techniques
     - Manual Inspections & Reviews
       - Pros
         - No supporting technology required
         - Can be applied to a variety of situations; flexible
         - Early in the SDLC
         - Promotes teamwork
       - Cons
         - Time consuming
         - Supporting material not always available
         - Requires significant human thought and skill
     - Threat Modeling
       - Pros
         - Practical attacker's view of the system
         - Flexible
         - Early in the SDLC
       - Cons
         - Relatively new technique
         - Good threat models do not mean good software

  9. Testing Techniques
     - Source Code Review
       - Pros
         - Completeness and effectiveness
         - Accuracy
         - Fast
       - Cons
         - Requires highly skilled developers
         - Can miss issues in libraries
         - Cannot detect run-time errors
         - Code analyzed can be different from code used
     - Penetration Testing
       - Pros
         - Can be fast and therefore cheaper
         - Lower skill set than code review
         - Tests code which is actually exposed
       - Cons
         - Too late in the SDLC
         - Front-impact testing only

  10. Test Effort in SDLC (charts: Test Effort in SDLC; Test Effort in Test Technique)

  11. Testing Web Applications – Tips to Speed
     - Minimize HTTP requests
     - Design an appropriate Content Delivery Network
     - Expires/Cache-Control header
     - Gzip components
     - Stylesheets go up
     - Scripts go down
     - JavaScript and CSS go out (external files)
     - Minify JavaScript and CSS
     - Reduce DNS lookups
     - Avoid redirects
     - Configure ETags
     - Make Ajax cacheable

  12. Free Web Testing Tools
     - JMeter – Functionality and performance
     - QASL – Create automated web application tests
     - HTTP Test Tool – Scriptable test tool for HTTP protocol solutions
     - Tellurium – UI-based module testing framework
     - Badboy – Record/playback, load testing

  13. OWASP – The Open Web Application Security Project
     - www.OWASP.org – Founded in 2001
     - http://www.owasp.org/index.php/Bangalore – Bangalore Chapter
     - Development Guide
     - Testing Guide
     - Open Source Tools

  14. OWASP Body of Knowledge
     - Core Application Security Knowledge Base – Principles; Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures
     - Acquiring and Building Secure Applications – Guide to Building Secure Web Applications and Web Services
     - Verifying Application Security – Guide to Application Security Testing and Guide to Application Security Code Review
     - Managing Application Security – Guidance and Tools for Measuring and Managing Application Security
     - Application Security Tools – Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
     - AppSec Education and CBT – Web Based Learning Environment and Guide for Learning Application Security
     - Research to Secure New Technologies – Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
     - OWASP Foundation (501c3); OWASP Community Platform (wiki, forums, mailing lists); Projects; Chapters; AppSec Conferences

  15. Thank You
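As an added example that is not part of the slides: a small Python checker that parses one raw HTTP response (for instance the output of `curl -si URL` saved to a file) and reports which of the cheap-to-verify tips on the slide above it fails (Expires/Cache-Control, gzip, redirects, ETags). The sample response is constructed.

```python
# Added example, not from the slides: a scriptable check of one HTTP response
# against the "Tips to Speed" list (Expires/Cache-Control, gzip, redirects, ETags).
# Input is a raw response such as the output of `curl -si URL`; the sample is constructed.

COMPRESSIBLE = ("text/", "javascript", "json", "xml")  # content types worth gzipping

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, {header_name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_block.decode("latin-1").splitlines():
        name, _, value = line.partition(":")
        if name:
            headers[name.strip()] = value.strip()
    return status, headers

def check_speed_headers(status: int, headers) -> list:
    """Return one finding per violated tip; an empty list means the response passes."""
    h = {k.lower(): v.lower() for k, v in headers.items()}  # names/values compared case-insensitively
    findings = []
    if 300 <= status < 400:
        findings.append(f"redirect ({status}): avoid redirects, link to the final URL instead")
    if "cache-control" not in h and "expires" not in h:
        findings.append("no Expires/Cache-Control header: set a far-future expiry for static components")
    if any(t in h.get("content-type", "") for t in COMPRESSIBLE) and "gzip" not in h.get("content-encoding", ""):
        findings.append("compressible content served without gzip")
    if "etag" in h:
        findings.append("ETag present: configure it consistently across servers, or remove it")
    return findings

# Constructed sample: an uncompressed, uncached HTML page carrying an ETag.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html; charset=utf-8\r\n"
                   b"ETag: \"1a2b-3c4d-5e6f7890\"\r\n"
                   b"Content-Length: 39\r\n"
                   b"\r\n"
                   b"<html><body>Hello, tester</body></html>")

if __name__ == "__main__":
    code, hdrs = parse_response(SAMPLE_RESPONSE)
    for finding in check_speed_headers(code, hdrs):
        print(finding)
```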
