11.1.1.2 White-Box Testing
White-box security testing for Web applications considers the Web application to be a white box; in other words, this type of security testing involves delving into the application code to identify potential security vulnerabilities and bring them to notice. White-box techniques are extremely useful for Web applications, as black-box testing, while beneficial, cannot hope to cover the entire breadth of the application to find instances of nonsecure code. White-box security testing for Web applications involves pinpointing nonsecure code usage down to the line number at which the usage has been made. White-box testing is done by code reviewers who are knowledgeable about secure coding practices. We will discuss white-box security testing and code reviews in detail in Chapter 12.
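The following is an added illustration, not code from the book, of what "pinpointing nonsecure code usage down to the line number" looks like in practice: a small scanner that walks Java source line by line and reports the line number and rule for each match. The rules, the `find_insecure_usages` function and the servlet fragment it is run on are all constructed for this example.

```python
import re

# Heuristic rules a white-box reviewer might start from; each maps a rule id to a
# pattern for a nonsecure Java usage. A regex hit is a triage aid, not proof of a
# vulnerability: every finding still needs a reviewer who understands the code.
RULES = {
    "sql-concat": re.compile(r"\b(executeQuery|executeUpdate|execute|prepareStatement)\s*\(.*\+"),
    "os-command": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    "weak-hash": re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"'),
}


def find_insecure_usages(source: str):
    """Return a list of (line_number, rule_id, stripped_line) for each rule hit."""
    findings = []
    in_block_comment = False
    for number, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        # Skip comment lines so commented-out code does not produce noise.
        if in_block_comment:
            if "*/" in stripped:
                in_block_comment = False
            continue
        if stripped.startswith("/*"):
            in_block_comment = "*/" not in stripped
            continue
        if stripped.startswith("//"):
            continue
        for rule_id, pattern in RULES.items():
            if pattern.search(stripped):
                findings.append((number, rule_id, stripped))
    return findings


# Constructed sample: a servlet fragment written for this example, not real project code.
SAMPLE_JAVA = """\
public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) {
        String user = req.getParameter("user");
        // ResultSet rs = stmt.executeQuery("SELECT * FROM t WHERE u='" + user + "'");
        ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE name='" + user + "'");
        MessageDigest md = MessageDigest.getInstance("MD5");
        PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name=?");
    }
}
"""

if __name__ == "__main__":
    for number, rule_id, text in find_insecure_usages(SAMPLE_JAVA):
        print(f"LoginServlet.java:{number}: [{rule_id}] {text}")
```

The commented-out query on line 4 and the parameterised query on line 7 produce no finding; only the concatenated query on line 5 and the MD5 digest on line 6 are reported.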
11.1.2 Need for Web Application Security Testing
We have already indicated that it is always prudent to test an application before it is implemented and deployed. Testing should be performed to ensure that the application is working as envisioned by the architects and the designers. Previously, applications were mostly tested only for performance and functionality. However, in the current scenario, security is an extremely important consideration, which has to be part of the application development life cycle. We have already highlighted some of the concepts and practices that constitute Web application security testing, such as VA and PT. Let us now explore some of the needs for Web application security testing. They are the following:
Reputation
Cost savings
11.1.2.1 Cost Savings
Cost is perhaps the most important consideration for any application development effort. Web applications are quite a large expense for any organization that has a growing Internet presence. The cost of a Web application includes the development effort, the deployment effort, and the maintenance effort, which is a heavy cost consideration. Comprehensive security testing of the Web application can provide great cost savings, as it ensures that the Web application does not have to be placed back into the development cycle repeatedly because of security flaws in the application code. Developers create the Web application based on the design requirements, but there are several instances where human error inadvertently creeps into the development process, which leads to security vulnerabilities manifesting in the Web application.
Once the application is deployed in the production environment and these security vulnerabilities come to light, the quality of the code is questioned and the application is forced back to the development stage, where this code is corrected and then redeployed. In some unfortunate cases, this cycle may occur several times, causing a great deal of financial loss for the organization developing the code and the organization deploying and using it. Applications deployed without security testing tend to go through several development cycles, which take a significant toll on the organization's financial well-being.
11.1.2.2 Reputation
Organizations developing applications for customers or organizations developing applications for
their own requirements need to be very wary of the reputational consequences of not testing Web