Cost effective web application testing
I made this presentation while speaking at an organization.
Presentation Transcript

  • Cost Effective Web Application Testing – Hari Pudipeddi
  • What is Inside?
    • What are Web Applications?
    • History…
    • Architecture of Web Applications
    • Testing Web Applications
    • Testing Techniques
    • Test Effort in SDLC
    • Tips to Speed up your Web App
    • Free Web Testing Tools
    • Introducing OWASP
    • OWASP BoK
    • Q&A
  • What are Web Applications? History…
    • First Generation
      • No sophistication
      • Simple form submissions
    • CGI (Common Gateway Interface)
      • 1993 – late 1990s
      • Encapsulates user data in environment variables
      • Hotmail
    • Filters
      • Control access to a web site, implement a new framework, or provide security
      • Live within the execution context of the web server
      • Apache web server modules
    • Scripting
      • Scripting languages run code within the web server without being compiled
  • History… (continued)
    • Flaws of Scripting
      • Not strongly typed and do not support good programming practices
      • Generally optimized for particular types of data manipulation; choosing the wrong scripting language hurts the performance of the application
      • It’s difficult (not impossible) to write multi-tier, large-scale applications
      • Most of them do not support remote method or web service calls
    • Web Application Frameworks
      • J2EE
      • ASP.NET
  • Architecture of Web Applications
  • Testing Web Applications
    • No Silver Bullet
    • Think Strategically
    • Align with the SDLC
    • Test early and test often
    • Understand the end-user
      • System configuration
      • Repetitive requests
    • Use the Right TOOLS
    • Perform White Box testing
    • Review code as much as possible
    • Develop appropriate metrics for your application
  • Testing Techniques
    • Manual Inspections & Reviews
      • Pro’s
        • No supporting technology
        • Flexible: can be applied to a variety of situations
        • Early in SDLC
        • Promotes teamwork
      • Con’s
        • Time consuming
        • Supporting material not available
        • Requires significant human thought and skill
    • Threat Modeling
      • Pro’s
        • Practical attacker’s view of the system
        • Flexible
        • Early in SDLC
      • Con’s
        • Relatively new technique
        • Good threat models do not mean good software
  • Testing Techniques
    • Source Code Review
      • Pro’s
        • Completeness and effectiveness
        • Accuracy
        • Fast
      • Con’s
        • Requires highly skilled developers
        • Can miss issues in libraries
        • Cannot detect run-time errors
        • Code analyzed can be different from code used
    • Penetration Testing
      • Pro’s
        • Can be fast and therefore cheaper
        • Lower skill set than code review
        • Tests code which is actually exposed
      • Con’s
        • Too late in SDLC
        • Front impact testing only
  • Test Effort in SDLC
  • Test Effort in Test Technique
  • Testing Web Applications – Tips to Speed
    • Minimize HTTP requests
    • Design an appropriate Content Delivery Network
    • Expires/Cache-Control header
    • Gzip components
    • Stylesheets go up
    • Scripts go down
    • JavaScript and CSS go out
    • Minimize JavaScript and CSS
    • Reduce DNS lookups
    • Avoid redirects
    • Configure ETags
    • Make Ajax cacheable
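
Four of the tips above (Expires/Cache-Control header, Gzip components, Configure ETags, Avoid redirects) can be checked from a single captured response, which is a cheap test to run early. The script below is an added example and not part of the presentation or any tool it lists: it parses a raw HTTP/1.x response head and reports which of those four tips it violates. The sample responses are constructed, and the ETag check assumes Apache's default FileETag format (INode MTime Size), whose inode component differs from server to server.

```python
"""Audit a captured HTTP response against the speed tips listed above.

Added example, not from the presentation. The responses below are
constructed; the checks are one reading of four of the tips.
"""
import re

# MIME types worth compressing; images and archives are already compressed.
COMPRESSIBLE = ("text/", "application/javascript", "application/json",
                "application/xml", "image/svg+xml")

# Apache's default FileETag (INode MTime Size) looks like "3e86-410-3596fbbc".
# The inode differs per server, so a farm hands out mismatched ETags and
# conditional requests stop matching. Assumption: this format, no other.
APACHE_DEFAULT_ETAG = re.compile(r'^(W/)?"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"$')


def parse_response(raw: str):
    """Split the head of a raw HTTP/1.x response into (status, headers).

    Header names are lower-cased so lookups are case-insensitive; the body
    after the blank line is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_response(status: int, headers: dict) -> list:
    """Return one finding per speed tip the response violates (empty = ok)."""
    findings = []
    if 300 <= status < 400:
        findings.append("redirect (%d): extra round trip before content arrives" % status)
    if "cache-control" not in headers and "expires" not in headers:
        findings.append("no Cache-Control or Expires: browser cannot reuse the response without revalidating")
    content_type = headers.get("content-type", "").lower()
    encoding = headers.get("content-encoding", "").lower()
    if content_type.startswith(COMPRESSIBLE) and encoding not in ("gzip", "br", "deflate"):
        findings.append("%s body sent uncompressed: enable gzip" % content_type.split(";")[0])
    if APACHE_DEFAULT_ETAG.match(headers.get("etag", "")):
        findings.append("ETag in Apache INode/MTime/Size format: differs per server, breaks conditional requests behind a load balancer")
    return findings


# Constructed sample responses (not captured from any real site).
UNCACHED_HTML = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    'ETag: "3e86-410-3596fbbc"\r\n'
    "\r\n"
    "<html>...</html>"
)
CACHED_CSS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/css\r\n"
    "Content-Encoding: gzip\r\n"
    "Cache-Control: public, max-age=31536000\r\n"
    'ETag: "v42-style"\r\n'
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in (("UNCACHED_HTML", UNCACHED_HTML), ("CACHED_CSS", CACHED_CSS)):
        status, headers = parse_response(raw)
        print(name, audit_response(status, headers) or ["ok"])
```

Feed it the response head from a proxy capture or a `curl -i` run of each page type (HTML, CSS, script, Ajax endpoint) and the findings map directly onto the checklist items, so the fixes can be prioritised before any load test is scheduled.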
  • Free Web Testing Tools
    • JMeter – functionality and performance
    • QASL – create automated web application tests
    • HTTP Test Tool – scriptable test tool for HTTP protocol solutions
    • Tellurium – UI-based module testing framework
    • Badboy – record/playback, load testing
  • Introducing OWASP
    • OWASP – The Open Web Application Security Project
      • Founded in 2001
      • Bangalore Chapter
    • Development Guide
    • Testing Guide
    • Open Source Tools
  • OWASP Body of Knowledge
    • Core Application Security Knowledge Base: Principles; Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures
    • Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services
    • Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review
    • Managing Application Security: Guidance and Tools for Measuring and Managing Application Security
    • Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues
    • AppSec Education and CBT: Web Based Learning Environment and Guide for Learning Application Security
    • Research to Secure New Technologies: Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)
    • OWASP Foundation 501c3
    • OWASP Community Platform (wiki, forums, mailing lists)
    • Projects, Chapters, AppSec Conferences
  • Thank You