Web Application Testing


What is Web Application Testing

Web application testing is an essential part of delivering modern web-based applications and websites successfully. Effective testing addresses an application's security, functionality, compatibility, usability and performance under load before its users do.

What Web Application Testing Can T&VS Offer


Our extensive range of web application testing services helps to ensure that your web applications work as intended and are readily accepted by end users. Our services include:

  • Functionality Testing

    The main goal of functional testing is to make sure that every function in the web application works without technical glitches. If functional testing is skipped, the links on each page, the database connections, the forms used to submit or retrieve user information, cookie handling and so on remain untested, and the application may not behave as the customer expects.

    • Verify the workflow of the system
    • Verify there are no dead pages or invalid redirects
    • Check all the validations on each field
    • Submit wrong inputs to perform negative testing
    • Verify data integrity

  • User Interface / Experience Testing  

    When it comes to making the application user-friendly and effective, its user interface and general user experience should comply with the defined standards. If user testing is not done, the menu controls, content and overall consistency of the application's UI and user experience may stray from the original design requirements, resulting in a negative user experience.

    • UI of the components e.g. Menu
    • Content checking
    • UI consistency
    • Ease of use

  • Compatibility Testing  

    Compatibility testing is one of the most important checks to consider for a web application. It verifies the application against different browsers, operating systems, mobile browsing and printing options; without it, users may encounter compatibility issues that were never reproduced in test.

    • Browser compatibility
    • Operating system compatibility
    • UI consistency
    • Compatible with devices, e.g. tablet, mobile, etc.

  • Performance Testing  

    Performance testing helps you to determine how your web application performs under various scenarios. It usually involves load testing (expected traffic) and stress testing (traffic beyond the expected limits).

    • Website load testing
    • Website stress testing

  • Security & Penetration Testing  

    Application security is an important factor in any web application. Security testing is intended to reveal flaws in the security mechanisms of an information system so that data stays protected and functionality is maintained as intended. Security testing covers the categories of the OWASP Top 10 (2013 edition):

    • Injection
    • Broken Authentication and Session Management
    • Cross-Site Scripting (XSS)
    • Insecure Direct Object References
    • Security Misconfiguration
    • Sensitive Data Exposure
    • Missing Function Level Access Control
    • Cross-Site Request Forgery (CSRF)
    • Using Components with Known Vulnerabilities
    • Unvalidated Redirects and Forwards
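    The first item on the list, injection, is the one most easily shown in working code. The following Python example is added here for illustration and is not code from this page or from T&VS. It builds a throwaway SQLite table from constructed sample rows (not real data), places a deliberately vulnerable lookup beside its parameterised fix, and runs the same negative test against both: a tautology payload that returns more rows than an honest query is the signal a tester looks for. The table, column names and payload strings are assumptions chosen for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the page): a tiny accounts table.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# Two classic tautology payloads; both turn "name = '<input>'" into a true
# condition when the input is pasted into the SQL text.
PAYLOADS = ["x' OR '1'='1", "x' OR 1=1 --"]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: user input is spliced into the SQL text."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, name):
    """Hardened: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def injection_probe(lookup, payloads=PAYLOADS):
    """Negative-test one lookup function.

    Returns (row count for an honest input, {payload: row count}). Each
    call gets a fresh database so the two functions are compared on equal terms.
    """
    conn = make_db()
    try:
        honest = len(lookup(conn, "alice"))
        hostile = {p: len(lookup(conn, p)) for p in payloads}
    finally:
        conn.close()
    return honest, hostile


def is_injectable(lookup):
    """True when any payload returns more rows than the honest query did."""
    honest, hostile = injection_probe(lookup)
    return any(count > honest for count in hostile.values())


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_fixed):
        honest, hostile = injection_probe(fn)
        print(f"{fn.__name__}: honest={honest} row(s), "
              f"payloads={hostile}, injectable={is_injectable(fn)}")
```

    Run it directly to see the vulnerable lookup return every row for each payload while the fixed lookup returns none. The probe shape (honest input, hostile input, compare the result sizes) transfers to any lookup function; only the table and the payload strings are specific to this demo.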

    Penetration testing is a controlled attack on a computer system that looks for security weaknesses and attempts to gain access to the system's features and data. Effective penetration testing mimics real malicious attacks but returns feedback you can use to defend against them. Our penetration testing services follow the test categories of the OWASP Testing Guide (v4):

    • Configuration and Deployment Management Testing
    • Identity Management Testing
    • Authentication Testing
    • Authorization Testing
    • Session Management Testing
    • Input Validation Testing
    • Error Handling Testing
    • Cryptography Testing
    • Business Logic Testing
    • Client Side Testing
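    Session management testing is one of the categories above that can be partly automated from a single HTTP response: the Set-Cookie header that issues the session identifier. The following Python example is an illustration added by the editor, not T&VS or OWASP code. The two Set-Cookie headers it checks are constructed, and the minimum identifier length and the set of checks are assumptions chosen for the example rather than values from the page.

```python
"""Check Set-Cookie headers for the weaknesses a session-management test looks for."""

# Constructed sample headers (not captured from any real site).
WEAK_COOKIE = "PHPSESSID=abc123; Path=/"
STRONG_COOKIE = ("JSESSIONID=7f3a9c1e5b2d48f6a0c4e8d2b6f1a3c5; Path=/; "
                 "Secure; HttpOnly; SameSite=Lax")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased so lookups are case-insensitive; flag
    attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def check_session_cookie(header, served_over_https=True, min_id_length=16):
    """Return the list of weaknesses found in a session cookie header.

    An empty list means every check passed. min_id_length is an assumed
    threshold for this example, not a figure from the page.
    """
    _, value, attrs = parse_set_cookie(header)
    issues = []
    if served_over_https and "secure" not in attrs:
        issues.append("missing Secure: browser may send it over plain HTTP")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: readable by script, so XSS can steal it")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax/Strict: sent on cross-site requests (CSRF)")
    if "expires" in attrs or "max-age" in attrs:
        issues.append("persistent cookie: session outlives the browser session")
    if len(value) < min_id_length:
        issues.append(f"short identifier ({len(value)} chars): easier to guess")
    return issues


def audit(headers, **kwargs):
    """Map each cookie name to its findings, for all Set-Cookie headers of a response."""
    return {parse_set_cookie(h)[0]: check_session_cookie(h, **kwargs) for h in headers}


if __name__ == "__main__":
    for cookie_name, found in audit([WEAK_COOKIE, STRONG_COOKIE]).items():
        verdict = "; ".join(found) if found else "no issues"
        print(f"{cookie_name}: {verdict}")
```

    The checks map directly onto the OWASP session management tests for cookie attributes (Secure, HttpOnly, SameSite, expiry) and identifier strength. They are a screen, not a verdict: session fixation, logout behaviour and timeout still need interactive testing against the running application.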

Download Our FREE Guides

Our award-winning 'Application Security Testing' article from STAR EAST 2015 and our 'Sample PenTesting Report' are packed with tried and tested advice on how to manage application security and penetration testing. They cover:

  • What web application security testing is
  • Why it’s important
  • Who should be doing it
  • How it should be done

Application Security: What Testers Can Do

Based on a Paper Presented at STAR EAST 2015 – Preview contains pages 1-5 of 15

Non-Functional

Adjective: (1) Not having any particular purpose or function. (2) Not operating or in working order.

Hmm, that definition seems to differ substantially from the accepted IT definition of 'non-functional', which is best summarized as: 'All the stuff that's difficult to do or measure, and best left for someone else instead of me'. So long as we can pigeon-hole security as something outside the mainstream project activity, it is easy to forget about it or transfer responsibility to outsiders.

And yet. What if, for one day, we considered application security to be something other than non-functional? Perhaps it's extra-functional, or just plain functional? There's enough evidence for us to see that security breaches are currently a massive problem. Take Marathon Oil for example. Marathon invested millions of dollars surveying the ocean floor for potential oil deposits, then submitted its bids to the Indonesian government for the undersea fields it wanted to drill. For every single field, a Chinese oil company outbid Marathon by the smallest possible margin, without bidding for any other fields or ever being seen undertaking surveys. The loss of potential earnings probably runs into billions of dollars.

Sure enough, when experts looked closely at Marathon's IT system, it was found to have been breached, and we can only assume from the circumstantial evidence that there was a connection between the hack and the bidding events. Elsewhere mega-breaches have become commonplace, and I've even heard CISSP-certified security professionals advise that it's impossible to prevent breaches, so the focus should be on recovery after the breach. That argument wouldn't make me feel good if ISIS took control of the US nuclear arsenal and the President assured us the recovery process would re-stock the silos with replacement missiles next week.

Why is Hacking So Successful

Why is hacking so successful despite enterprises spending $46 billion on cyber-security last year? One very important concept to consider is the difference between the TCP/IP transport layer and the application layer.

According to the Open Web Application Security Project (OWASP), only 1.7% of security budgets are spent on defending the application layer, despite most attacks targeting the applications and the majority of breaches occurring at the application level.

Other research suggests that the application security budget may be around 15%. Certainly it is far smaller than the established network / perimeter defence budget, which is well stocked with expensive yet significantly ineffective tools such as firewalls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS) and anti-virus software. These defences rely primarily on pattern-matching the messages travelling through the network against their catalogues of known-bad scripts. At least they can do that when the message is in clear Hypertext Transfer Protocol (HTTP); but no valuable data should be transported unencrypted, hence the 25% and growing share of traffic that layers HTTP over the Transport Layer Security (TLS) cryptographic protocol to create HTTPS. In case you were wondering, TLS version 1.0 replaced Secure Sockets Layer (SSL) after SSL version 3.0.

Encrypting Network Traffic

Encrypting network traffic with HTTPS prevents wiretapping and 'man-in-the-middle' attacks, but it also prevents network defences from detecting an intrusion: they cannot read the inbound or outbound messages unless they are given the server's keys (or a certificate the clients trust) and perform a benign 'man-in-the-middle' interception themselves. Allowing an IPS to break encryption and log events, however well intended, presents new opportunities for attackers and new risks for defenders, because the interception point now holds the keys and the plaintext of every session it inspects. Examining encrypted messages in flight also creates performance issues. NSS Labs report an 88% reduction in transactions per second when HTTPS is decrypted, and the greater the flow rate, the lower the percentage sampled in-line becomes. Unstructured internet data is growing at around 60% per year and will probably increase from 7.9 zettabytes this year to 82 zettabytes by 2020.

Big-volume businesses like Yahoo already use 10 Gigabit per second (Gbps) Ethernet and expect to have standard 100 Gbps network connections by 2020. That increase in flow rate will reduce the real-time security window for a minimum-size frame from 67 nanoseconds to 6.7 nanoseconds. In other words, the network defences will have to receive a frame, decide whether it is malicious, then either block it or pass it on in the time it takes a photon of light to travel two metres. A top-end next generation firewall such as the Palo Alto 7050 can cope with 120 Gbps, but the cheapest model starts at $300,000 and each one consumes 2.4 kilowatts of power. This kind of defence is becoming unaffordable and looks like attempting to make propeller-driven airplanes fly at supersonic speeds. No matter how much money and effort is put in, the diminishing return on investment will defeat the buyer before the objective can be achieved.

 

Malicious Scripts

Meanwhile attackers are taking advantage of the asymmetric economics of cyber-security. For as little as $20, a malicious script can be purchased on the dark web (an online marketplace for illegal goods and services), then used to hijack thousands of unsuspecting computers and turn them against the multi-million dollar network defences of a target, possibly defeating them.

Security Standards

What about all the globally agreed security standards your organization follows? Surely passing an ISO 27001 Information Security Management System (ISMS) audit proves your IT systems are secure? Unfortunately, standards set a floor, not a ceiling, for security, and many organizations have suffered breaches after passing their security audits. One weakness of ISMS audits is that they verify only that the defined processes are correctly implemented.

If there is no defined process requiring developers to follow secure coding standards, or testers to perform thorough security testing, the audit simply will not consider them.

The Growth of Breaches Due to Malware and Hacking

The proof that our current security paradigm is not working can be seen in the Verizon research graph shown below.
Although an ISMS may contain insider misuse through defined disciplinary procedures, and limit breaches after the physical loss of laptops by mandating password and encryption policies, breaches due to malware and hacking are growing so fast that criminals have entered a golden era.

We need to reverse these trends, and work with limited or no budget to invert the asymmetric economics of cyber security in our favour. Perhaps there is no such thing as an un-hackable system, but if we can make it cost a hacker $10 to steal $9, they will give up attacking our systems. How can we start making software more secure, instead of buying more security software?

Penetration Testing

A first step is to see penetration testing and automated code reviews as just two parts of a much larger Secure Development Life Cycle (SDLC). Penetration testing is often used as a late tactical response to an ongoing strategic issue. If the project team has no understanding of application security, its relationship with penetration testers will be based not only on trust but also on ignorance, and that's a problem.

Perceiving security as a black art permits its aficionados to test against an undefined and incomplete set of mental criteria, instead of providing confidence that controls have been effectively implemented to manage prioritized security risks. Automated code reviews by generic tools are never 100% accurate because they were not created specifically for your system. Most issues are not generic, but deeply embedded in the bespoke business logic and application design. Automated code reviews generate false positives that waste investigation time and, more seriously, leave false negatives that allow vulnerabilities to remain undetected. Just like penetration tests, automated code vulnerability scans are only a part of the bigger picture.


Why Choose Us?

Our web application testing services are built on our deep understanding of the latest test methodologies. This, combined with years of practical experience working with our customers to deliver cost-effective software testing, means that we can help you deliver improved quality and reduce your time-to-market. The advantages of using us include:

  • Testing experts with specialist tools
  • Well-defined processes and deliverables
  • Independent testing
  • Resource leveling – use T&VS resources when needed
  • Opportunity to repeat testing as-and-when needed (e.g. website updates)
  • Cost reduction through remote / offshore resources

Talk to Us

Contact one of our web application testing consultants today. No hard sales, just pertinent questions to understand your requirements so that we can help you take the next steps.


Alternatively call one of our local sales offices or simply email us.