Running Head: LAB 5
Lab 5
Gretchen Greene
Nathan Stewart, PhD
May 8, 2017
Executive Summary
As with any new technology, e-commerce carries risks that are not common to traditional “brick-and-mortar” stores. A major concern for e-commerce applications is credit/debit card use. An organization can suffer major damage if credit/debit card transactions are not secured: financial fraud, loss of consumer confidence, identity theft, and legal and regulatory consequences.
Online Goodies is an Internet-based company that provides custom promotional gifts to corporate customers. Its products include mugs, computer accessories, t-shirts, and office décor. The majority of its income comes from online credit card purchases. It gives repeat customers a discount based on their annual purchase amount.
This report creates a test plan for Online Goodies based on the OWASP standards. It includes an overview and rationale for all of the tests performed, including a brute force test, an authentication test, a privilege escalation test, a code injection test, and a web application fingerprint test.
Table of Contents
Executive Summary……………………………………………………………………………….2
Table of Contents………………………………………………………………………………….3
Types of Test Being Performed…………………………………………………………………...4
Test Plan for Online Goodies Site According to OWASP Standards……………………………..4
Rationale for Testing Used………………………………………………………………………..4
References…………………………………………………………………………………………7
Types of Tests Performed
The least expensive way to reduce costs and risks and improve software quality is to catch deficiencies as early as possible. The OWASP Testing Guide was used as the source of testing guidelines. The tests used in this plan are: Usability Testing, Unit Testing, Interface Testing, Integration Testing, Functionality Testing, Performance Testing, Security Testing, Authentication and Authorization Testing, Privilege Escalation Testing, and Web Application Fingerprint Testing.
Test Plan for Online Goodies Site
The purpose of this test plan is to ensure the Online Goodies site meets all of its business, functional, and technical requirements. The test plan describes the schedule of test activities, the test strategy, activities, resources, and scope. This document identifies the features on the site to be tested, the testing tasks, the user assigned to each task, each testing environment, the techniques used, an explanation of options, and risks.
Before actually testing the site, test cases have to be created. These are the sample data that will be used to exercise the system, and they can be written as soon as the requirements are received. Because of the system's complexity, additional test cases should be created to cover its other aspects.
Explanation of Testing
Usability testing is one of the most important aspects of building a website. Users are not going to take the time to try to use a website that is poorly designed; we are used to being able to adapt to a website quickly. Usability testing evaluates a website by having the users test it. Users testing the site verify that controls and navigation are working properly.
White box testing is done by a full-access user who has access to the architecture documents and source code. The user with full access has the ability to do more in-depth testing, which allows vulnerabilities and risks to be discovered faster than with the black box method.
Unit testing tests the requirements. Each part of the program is tested separately to make sure it is working properly. The earlier a bug is found, the lower the cost to fix it. Unit testing is part of white box testing and is done before integration testing.
Interface testing tests the communication between different software systems. This testing checks that end-users are able to use the system without any problems and that the system is user-friendly. Interface testing also verifies that the application server can handle a network failure to the website should there be a problem.
Integration testing tests all units of the system together. Testing as a system often causes bugs to surface. Integration testing occurs after unit testing has been completed and is part of black box testing. It checks features, but also checks the data flow between those modules and features.
Black box testing tests the system, design, and source code from the user's point of view, which helps expose discrepancies in the specifications. The goal is to ensure the application works. Integration, system, and acceptance testing make up black box testing.
Functionality testing tests the business requirements of the application. It covers the functional parts of the application, such as integration of search and data manipulation. Functional testing also includes negative tests, in which erroneous inputs are generated to make sure they are handled correctly. Features that are checked are the homepage, information, terms, privacy policy, returns, and about pages.
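The unit testing and functionality testing described above can be shown on the one piece of business logic the report mentions: the repeat-customer discount based on annual purchase amount. The following is an added example, not code from the report or from Online Goodies. The discount tiers, the function names and the rounding rule are assumptions made for illustration; the report only states that such a discount exists. The unit tests cover each tier boundary separately, and the negative tests feed erroneous inputs (negative or non-numeric spend) to confirm they are rejected rather than silently granting a discount.

```python
"""Added example (not from the original lab report): unit tests and
negative functional tests for Online Goodies' repeat-customer discount.

The report only says repeat customers receive a discount based on their
annual purchase amount; the tiers below are an ASSUMPTION for illustration.
"""
import unittest
from decimal import Decimal, ROUND_HALF_UP

# Assumed tiers: (minimum annual spend, discount percentage), highest first.
DISCOUNT_TIERS = [
    (Decimal("10000"), Decimal("10")),
    (Decimal("5000"), Decimal("5")),
    (Decimal("1000"), Decimal("2")),
]


def discount_percent(annual_spend, is_repeat_customer):
    """Return the discount percentage a customer qualifies for.

    Erroneous input (negative spend, non-numeric values) raises instead of
    silently yielding a discount; the negative tests below check exactly that.
    """
    if isinstance(annual_spend, bool) or not isinstance(annual_spend, (int, float, Decimal)):
        raise TypeError("annual_spend must be numeric")
    spend = Decimal(str(annual_spend))
    if spend < 0:
        raise ValueError("annual_spend cannot be negative")
    if not is_repeat_customer:
        return Decimal("0")
    for minimum, pct in DISCOUNT_TIERS:
        if spend >= minimum:
            return pct
    return Decimal("0")


def discounted_total(order_total, annual_spend, is_repeat_customer):
    """Apply the customer's discount to an order total, rounded to cents."""
    total = Decimal(str(order_total))
    if total < 0:
        raise ValueError("order_total cannot be negative")
    pct = discount_percent(annual_spend, is_repeat_customer)
    discounted = total * (Decimal("100") - pct) / Decimal("100")
    return discounted.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


class DiscountTests(unittest.TestCase):
    """Unit tests for each tier boundary, plus negative tests for bad input."""

    def test_tier_boundaries(self):
        self.assertEqual(discount_percent(999, True), Decimal("0"))
        self.assertEqual(discount_percent(1000, True), Decimal("2"))
        self.assertEqual(discount_percent(5000, True), Decimal("5"))
        self.assertEqual(discount_percent(10000, True), Decimal("10"))

    def test_new_customer_gets_no_discount(self):
        self.assertEqual(discount_percent(50000, False), Decimal("0"))

    def test_total_is_rounded_to_cents(self):
        self.assertEqual(discounted_total("33.33", 12000, True), Decimal("30.00"))

    def test_negative_spend_rejected(self):
        with self.assertRaises(ValueError):
            discount_percent(-1, True)

    def test_non_numeric_spend_rejected(self):
        with self.assertRaises(TypeError):
            discount_percent("10000", True)


if __name__ == "__main__":
    unittest.main()
```

Running the module executes the unit tests; the two negative tests are the ones a purely functional "happy path" check would miss, and they are where a pricing defect that an attacker could exploit (a negative spend that flips into a discount, for example) would show up.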
Security testing checks the site for vulnerabilities and unauthorized access. Online Goodies accepts credit card payments, making security a high priority. The security testing will use the six basic concepts: confidentiality, integrity, authentication, availability, authorization, and non-repudiation. The website will need comprehensive security testing to ensure everything is secure and customers' information is protected.
Web application fingerprinting identifies the web server and application software in use and tests for popular vulnerabilities that attack them. This type of testing is an important part of penetration testing. The fingerprint shows what information would be available to an attacker.
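The fingerprint test can be run against the site's own HTTP responses to see exactly what they give away. The following is an added example written for this report, not code from it or from Online Goodies. It parses a raw response, flags headers that name a product (Server, X-Powered-By and the ASP.NET version headers) or a version, and flags framework-default session cookie names; the two responses it checks are constructed samples, not captures from the Online Goodies site. The test passes only when no header reveals a software version, which is the disclosure the report's "what information is available" concern is about.

```python
"""Added example (not from the original lab report): a fingerprint check run
against a site's own HTTP responses to see what the response headers reveal.

The two responses below are CONSTRUCTED samples, not captures from the
Online Goodies site.
"""
import re

# Response headers that commonly name the server or framework product.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator"}
# Default session-cookie names that identify the framework behind a site.
FRAMEWORK_COOKIES = {"PHPSESSID": "PHP", "JSESSIONID": "Java servlet container",
                     "ASP.NET_SessionId": "ASP.NET"}
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)*")

# Constructed sample: a response that leaks product and version details.
SAMPLE_LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
# Constructed sample: the same site with banners trimmed and a generic cookie name.
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response_headers(raw):
    """Split a raw HTTP response into its status line and a list of (name, value)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def fingerprint(raw):
    """Return (header, value, finding) tuples for everything the response discloses."""
    _status, headers = parse_response_headers(raw)
    findings = []
    for name, value in headers:
        if name.lower() in DISCLOSING_HEADERS:
            kind = "version disclosed" if VERSION_RE.search(value) else "product disclosed"
            findings.append((name, value, kind))
        elif name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in FRAMEWORK_COOKIES:
                findings.append((name, cookie_name,
                                 "framework disclosed: " + FRAMEWORK_COOKIES[cookie_name]))
    return findings


def passes_fingerprint_test(raw):
    """The test passes when no header reveals a software version."""
    return not any(kind == "version disclosed" for _, _, kind in fingerprint(raw))


if __name__ == "__main__":
    for label, sample in (("leaky", SAMPLE_LEAKY), ("hardened", SAMPLE_HARDENED)):
        print(label, "PASS" if passes_fingerprint_test(sample) else "FAIL")
        for finding in fingerprint(sample):
            print("  ", finding)
```

The hardened sample still reports "product disclosed" for the bare Server: Apache header; whether that is acceptable is a policy decision for the test plan, so the pass/fail rule above is deliberately limited to version strings.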
Privilege escalation testing is used to ensure account access controls are working and used properly. It exploits a bug or design flaw to gain elevated access that should normally be protected from the user. This is a form of penetration testing.
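The access-control checks the privilege escalation test is meant to exercise can be written as a small test suite. The following is an added example for this report, not code from it or from Online Goodies; the roles, actions, permission matrix and the weak pattern it contrasts are assumptions made for illustration. It covers vertical escalation (a customer reaching the admin-only discount settings), horizontal escalation (a customer reading another customer's order), and the design flaw the report alludes to: an authorization check that trusts a role value supplied in the request instead of the one stored in the server-side session.

```python
"""Added example (not from the original lab report): access-control tests that
check for vertical privilege escalation (a customer reaching an admin function)
and horizontal escalation (a customer reading another customer's order).

The roles, actions and the weak pattern shown are ASSUMPTIONS for
illustration, not a description of the Online Goodies code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # role as stored server-side in the session


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int


# Assumed permission matrix for the shop.
ROLE_PERMISSIONS = {
    "customer": {"place_order", "view_order"},
    "admin": {"place_order", "view_order", "view_any_order", "edit_discount_tiers"},
}


def authorize(user, action, order=None):
    """Server-side check: role comes from the session, ownership from the record."""
    allowed = ROLE_PERMISSIONS.get(user.role, set())
    if action not in allowed:
        return False  # vertical check: the role lacks this action
    if action == "view_order" and order is not None:
        if order.owner_id != user.user_id and "view_any_order" not in allowed:
            return False  # horizontal check: not the owner and no override
    return True


def authorize_trusting_request(session_user, request_params, action, order=None):
    """Weak pattern kept only so the test can catch it: role read from request data."""
    claimed_role = request_params.get("role", session_user.role)
    return authorize(User(session_user.user_id, claimed_role), action, order)


def run_escalation_tests():
    """Return each test case's actual result so a test runner can assert on it."""
    customer = User(1, "customer")
    admin = User(99, "admin")
    own_order = Order(10, owner_id=1)
    other_order = Order(11, owner_id=2)
    return {
        "customer_views_own_order": authorize(customer, "view_order", own_order),
        "customer_views_other_order": authorize(customer, "view_order", other_order),
        "customer_edits_discount_tiers": authorize(customer, "edit_discount_tiers"),
        "admin_views_other_order": authorize(admin, "view_order", other_order),
        "admin_edits_discount_tiers": authorize(admin, "edit_discount_tiers"),
        "unknown_role_denied": authorize(User(3, "superuser"), "view_order", own_order),
        # The escalation case: a customer's request carries role=admin.
        "tampered_role_weak_check": authorize_trusting_request(
            customer, {"role": "admin"}, "edit_discount_tiers"),
    }


# What the access policy requires for each case.
EXPECTED = {
    "customer_views_own_order": True,
    "customer_views_other_order": False,
    "customer_edits_discount_tiers": False,
    "admin_views_other_order": True,
    "admin_edits_discount_tiers": True,
    "unknown_role_denied": False,
    "tampered_role_weak_check": False,  # the weak check grants it, so this case fails
}


def failing_cases():
    """Names of cases whose result differs from what the access policy requires."""
    actual = run_escalation_tests()
    return sorted(name for name, want in EXPECTED.items() if actual[name] != want)


if __name__ == "__main__":
    print("failing cases:", failing_cases())
```

Only the case that goes through the weak check fails, which is the point of including it: a privilege escalation test should fail loudly on an authorization path that lets the client choose its own role, and pass once every path resolves the role from the server-side session as authorize() does.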
References
Chavhan, A. (2016). What is Walkthrough in Software Testing? Retrieved from http://www.softwaretestingandistqb.com/what-is-walkthrough-in-software-testing/
OWASP. (2013). Handling E-Commerce Payments. Retrieved from https://www.owasp.org/index.php/Handling_E-Commerce_Payments
OWASP. (2013). Improving Web Application Security: Threats and Countermeasures. Retrieved from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp
E-commerce Special Interest Group, PCI Security Standards Council. (2013). Information Supplement: PCI DSS E-commerce Guidelines. Retrieved from https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf