June 13, 2016 at 12:58 pm #12382
Hi! What ways do you test the security of your web app? Do you use any third-party vendors and safety-check websites?
Share your thoughts and experiences 🙂

June 15, 2016 at 10:46 pm #12434
Jesper (@jesper-lindholt-ottosen)

June 16, 2016 at 7:24 am #12435
Thanks @jesper-lindholt-ottosen, that’s Declan’s great guide, but I hoped to hear from our forum users – how they usually take care of security or what problems they face.
The knowledge is all around the internet, but real cases and people’s opinions are best heard here 😉

June 20, 2016 at 9:56 am #12466
I’ve typically used independent specialists in the area. There are few organisations today that have a dedicated ethical hacking/pen testing function, and the area itself is very specialized and fast moving. I’ve read a number of books in the area and would consider myself a keen technologist, which certainly gives me an appreciation for the risks and impacts associated with under-investment in the area.
I attended an excellent presentation from Declan O’Riordan at a Softtest event in Ireland entitled “The Million Dollar Bag of Hammers” which was very informative. Slides can be found here: http://softtest.ie/softtest-2015-conference-slides/

June 20, 2016 at 10:13 am #12468
Thanks a lot @kenm! That’s a great point – specialized and fast growing, and actually mostly qualified people do that. I’m wondering whether there is at least some low level at which an average tester can secure his/her work? I mean even the Bug Magnet Chrome addon (written by Gojko Adzic) has options for SQL, JS and HTML injections to check security, and everyone can see those examples and use them.
Maybe there are more small tools like Bug Magnet which help to take care of security without engaging higher-level specialists? What do you think, do you know of any such tools (not placed in code)?

June 20, 2016 at 10:28 am #12471
I’m always very, very apprehensive to mention specific tools. I think there is a huge danger, especially in security testing, for a tester to leverage a tool and not have the fundamental knowledge behind WHY they are using the tool and WHAT type of things they need to be concerned about. A very good learning reference would be for people to understand the terminology of types of attacks – what is cross site scripting & how does it happen, what is a SQL injection attack and how does it happen, etc. A good reference would be looking at the OWASP top 10 security threats (https://www.owasp.org/index.php/Top_10_2013-Top_10) to understand them, even at a mechanical high level.
Web based applications can go a very long way by validating all data that is both input via front end and can be presented from external sources to ensure said data is purely displayed rather than interpreted.
For example, a recent fun one I picked up on was that HTML embedded into input in the DB was being interpreted by the browser rather than just rendered. Relatively easy find… just popped the HTML open comment tag into a string in the DB and loaded the page that would render that data. (We’ll find out if this website handles it in a moment 😉 ). Basically when the page displayed, everything rendered fine up until the open comment tag, then the rest of the page afterwards was blank…. tag in question <!--
A little knowledge is certainly helpful but is absolutely NO substitute for specialized expertise in the area. Large scale hacks are near daily occurrences and organisations/countries are taking notice…. this is a curve that organisations need to be ahead of rather than waiting for the consequences of the organisation being in the headlines and the fallout from such an event.
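The stored-HTML finding Ken describes (an open comment tag in a DB string blanking the rest of the page) in runnable form. This is an added example, not code from the thread: the records, the `renderUsers` page builder and the `hasUnterminatedComment` check are constructed here to show the difference between data that is displayed and data that is interpreted.

```javascript
// Added example (not from the thread). A DB value containing "<!--" opens an
// HTML comment when concatenated straight into markup; everything after it is
// swallowed by the parser. Escaping turns the same value into visible text.

// Escape the characters an HTML parser treats specially.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build a user table. `unsafe: true` reproduces the bug: the stored value is
// interpreted as markup. The default path escapes it so it is only displayed.
function renderUsers(users, { unsafe = false } = {}) {
  const cell = (v) => (unsafe ? v : escapeHtml(v));
  const rows = users.map((u) => `<tr><td>${cell(u.name)}</td></tr>`).join('');
  return `<table>${rows}</table><footer>Contact us</footer>`;
}

// Cheap check a tester can run over rendered output: every comment that is
// opened must also be closed, otherwise the rest of the page disappears.
function hasUnterminatedComment(html) {
  const opens = (html.match(/<!--/g) || []).length;
  const closes = (html.match(/-->/g) || []).length;
  return opens > closes;
}

// Constructed sample records; the second carries the open comment tag.
const users = [{ name: 'Alice' }, { name: 'Bob <!-- ' }, { name: 'Carol' }];

console.log('interpreted :', hasUnterminatedComment(renderUsers(users, { unsafe: true })));
console.log('displayed   :', hasUnterminatedComment(renderUsers(users)));
```

Run with node: the interpreted page reports an unterminated comment (the footer and Carol's row would never appear in a browser), while the escaped page shows the literal `&lt;!--` text and renders completely.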
August 7, 2016 at 3:33 pm #13301
srinivas (@srinivasskc)
@kenm – 404 Error for slides. http://softtest.ie/softtest-2015-conference-slides/

August 8, 2016 at 10:24 am #13305
Sorry @srinivasskc – I don’t have the original slides or access to them. Declan O’Riordan delivered the presentation and it was excellent. Hope it helps.

August 11, 2016 at 11:54 am #13366
Yeah, @srinivasskc, we need to ask @declan-oriordan to let us into his Dropbox 😉 as Srinivas wrote, https://www.dropbox.com/s/kiczgq51pbdys40/Dublin.pptx?dl=0 throws a 404.
But I’ve found some stuff from Declan’s talk: http://stephenjanaway.co.uk/stephenjanaway/conferences/live-from-softtest-the-1-million-bag-of-hammers/ by the Testing in the Pub blog 🙂

August 31, 2016 at 10:59 am #13502
Manimala Kumaran (@manimala-kumaran)
Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing security testing is not an indication that no flaws exist or that the system adequately satisfies the security requirements.
September 6, 2016 at 10:35 pm #13566
So you suggest, @manimala-kumaran, that security testing is never without some sacrifice? 😉

September 23, 2016 at 8:30 am #13742
Nikita Warma (@nikita-warma)
Testing web applications is altogether a different art. It differs from testing standalone applications. Different aspects need to be considered when going ahead with testing these two types of applications or software.

November 27, 2016 at 1:42 am #14444
Definitely @nikita-warma – I also think that web and standalone software have different security ranges and issues.
I was always fascinated by the various types of software and the security issues in them – a cash machine has its software, the Wii has its software, a mobile app is a kind of software.. etc. 🙂
Does anybody have experience with such ‘other’ types of software?

August 10, 2017 at 3:18 pm #17072
Cliodhna (@cliodhna)
Perhaps you might be interested in an upcoming webinar that EuroSTAR Conferences are holding, titled ‘Application Security Flaws in the Internet of Things’, presented by Ken Munro.
Ken will explore and examine the reasons for the common sources of IoT security flaws that lie within the apps that are used to manage hardware security issues. Ken will also explain and offer advice that applies equally to IoT device manufacturers, app developers and anyone else in the IoT supply chain.