- This topic has 13 replies, 7 voices, and was last updated 6 years, 8 months ago by
.
-
Posts
-
Hi! What ways do you test the security of your web app? Do you use any third-party vendors and safety-check websites?
Share your thoughts and experiences 🙂Thanks @jesper-lindholt-ottosen, that’s the great Declan’s guide, but I hoped to hear from our forum users – how they used to care about security or what problems they face.
The knowledge is all round the internet, but the real cases and people opinions are proper to be heard here 😉Hey Aleksandra,
I’ve typically used independent specialists in the area. There are few organisations today that will have a dedicated ethical hacking/pen testing function and the area itself is very specialized and fast moving. I’ve read a number of books in the area and would be a keen technologist which certainly gives me an appreciation for the risks and impacts associated to under investment in the area.
I attended an excellent presentation from Declan O’Riordan at a Softtest event in Ireland entitled “The Million Dollar Bag of Hammers” which was very informative. Slides can be found here: http://softtest.ie/softtest-2015-conference-slides/
Thanks a lot @kenm! That’s great point – specialized and fast growing, and actually mostly qualified people to do that. I”m thinking if there is any at least low level which an average tester can secure in his/her work? I mean even the Bug Magnet Chrome addon (written by Gojko Adzic) has option of any SQL, JS, HTML injections to check the security and everyone can see those examples and use them.
Maybe there are more such a small tools like that Bug Magnet which helps to take care of security not engaging higher level specialists? What do you think, do you know some of such tools (not placed in code)?Hey @aleksandra-kornecka,
I’m always very very apprehensive to mention specific tools. I think there is a huge danger, especially in security testing for a tester to leverage a tool and not have the fundamental knowledge behind WHY they are using the tool and WHAT type of things that they need to be concerned about. A very good learning reference would be for people to understand the terminology of types of attacks – what is cross site scripting & how does it happen, what is a SQL injection attack and how this it happen, etc. A good reference would be looking at the OWASP top 10 security threats (https://www.owasp.org/index.php/Top_10_2013-Top_10) to understand them, even at a mechanical high level.
Web based applications can go a very long way by validating all data that is both input via front end and can be presented from external sources to ensure said data is purely displayed rather than interpreted.
For example a recent fun one I picked up on was that HTML embedded into input in the DB was being interpreted by browser rather than just rendered. Relatively easy find… just popped in the HTML open comment tag into a string in the DB and loaded the page that would render that data. (We’ll find out if this website handles it in a moment 😉 ). Basically when the page displayed everything rendered fine up until the open comment tag then the rest of the page afterwards was blank…. tag in question <!–
A little knowledge is certainly helpful but is absolutely NO substitute for specialized expertise in the area. Large scale hacks are near daily occurrences and organisations/countries are taking notice…. this is a curve that organisations need to be ahead of rather than waiting for the consequences of the organisation in the headlines and the fallout from such an event.
@kenm – 404 Error for slides. http://softtest.ie/softtest-2015-conference-slides/
Sorry @srinivasskc – I don’t have original slides or access to them. Declan O’Riordan delivered the presentation and it was excellent. Hope it helps
Yeah, @srinivasskc we need to ask @declan-oriordan to let us to his Dropbox 😉 as Srinivas wrote, https://www.dropbox.com/s/kiczgq51pbdys40/Dublin.pptx?dl=0 throws 404.
But I’ve found some stuff from Declan’s talk: http://stephenjanaway.co.uk/stephenjanaway/conferences/live-from-softtest-the-1-million-bag-of-hammers/ by Testing in the Pub blog 🙂Hiii…
Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing security testing is not an indication that no flaws exist or that the system adequately satisfies the security requirements.
Software Testing Training in chennaiSo you suggest as if @manimala-kumaran that security testing never is without some sacrifice? 😉
Testing web applications is an altogether a different art. It differs from standalone applications. Different aspects need to be considered while going ahead with testing these two types of applications or soft wares.
Definitely @nikita-warma – I also think that web and standalone have other security ranges and issues.
I was always fascinated about various types of software and security issues in them – cash machine has its software, Wii has its software, mobile app is a kind of software.. etc. 🙂
Do somebody have experience in such ‘other’ types of software?
Perhaps you might be interested in an upcoming webinar that EuroSTAR Conferences are holding, titled ‘Application Security Flaws in the Internet of Things presented by Ken Munro.
Ken will explore and examine the reasons for the common sources of IoT security flaws that lie within the apps that are used to manage hardware security issues. Ken will also explain and offer advice that applies equally to IoT device manufacturers, app developers and anyone else in the IoT supply chain.
- You must be logged in to reply to this topic.