applications for security. Every organization has a reputation, built up over a long period of time. Customers look to such organizations not only to deliver quality of service but also to provide a secure environment for transactions involving sensitive information. Web applications need to be comprehensively reviewed before being deployed in such mission-critical environments, as any security breach, or even a publicly disclosed security vulnerability, can have a long-standing impact on the organization's reputation and goodwill. Moreover, organizations can also demonstrate their commitment to security through comprehensive security testing, a secure application development life cycle, and so on.
11.1.3 Security Testing Web Applications—Some Basic Truths
Testing Web applications for security is a much-recommended best practice; however, there are certain important points that one should keep in mind while testing Web applications. They are as follows:
Segregation of duties
Reliance on automated vulnerability assessment tools
Defense-in-depth for security testing
Knowledge of testers
11.1.3.1 Reliance on Automated Vulnerability Assessment Tools
Web application vulnerability assessment is an important aspect of testing Web applications for security vulnerabilities. We have already stated that there are two ways of performing vulnerability assessments for Web applications: manual assessment and automated vulnerability assessment tools. The market today is teeming with Web application vulnerability assessment tools. These tools are widely used, as they are simple to operate and they generate professional reports quickly. They are also often equipped with features to find the very latest Web application vulnerabilities, and they cater to a wide variety of Web application development platforms such as Java, PHP, .NET, and so on. They are also equipped with features to detect and identify vulnerabilities present in the underlying service infrastructure elements, such as application servers, Web servers, databases, and operating environments.
Automated tools are not to be considered a panacea for Web application vulnerability assessment. Automated Web application security scanning tools do not perform comprehensive vulnerability assessments. They are useful for carrying out a cursory assessment that identifies known vulnerabilities in Web servers, application servers, and databases, and they can even find vulnerabilities like cross-site scripting and basic SQL injection. However, they are usually not geared to handle logic flaws: a request that abuses the business rules of an application returns a perfectly well-formed, valid-looking response, so there is no error signature or injected payload for the scanner to match.
Logic flaws are flaws that exist in a Web application because of improper or imperfect implementation of business logic. For instance, if a user can manipulate the quantity input field in an e-commerce application to contain a negative number, the resulting negative order total may lead to the funds from the "purchase" being credited to the attacker rather than debited. Attackers often take the time and effort to study the workflow of a particular application (i.e., a business process) and try to manipulate the process by skipping steps of the process or by manipulating inputs to the process, which may result in a security breach. For example, improper authorization is also a business logic flaw, where a user of the application is able to access information that he or she is not authorized to view by manipulating the authorization mechanism of the application, typically by substituting another user's record identifier in a request.
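The three logic flaws described above (a negative quantity, a skipped workflow step, and an authorization check that trusts a client-supplied identifier) as an added example in Python, not code from the book. Each vulnerable function sits beside a hardened version that enforces the business rule on the server. The catalogue, prices, order identifiers and user names are constructed for the example, and the function names are assumptions rather than any real framework's API; none of these requests would trip a signature-based scanner, because every response is well-formed.

```python
"""Added example (not from the book): three business-logic flaws that a
vulnerability scanner will not flag, each beside a server-side check that
closes it.  The catalogue, prices, order ids and user names are constructed
for the example; the helper names are assumptions, not a real framework."""
from dataclasses import dataclass

# Constructed catalogue: price per unit in cents.
CATALOGUE = {"SKU-100": 2500, "SKU-200": 1000}
MAX_QTY = 100  # assumed per-line business limit


class OrderError(ValueError):
    """Raised when a request violates a business rule."""


@dataclass
class Order:
    order_id: int
    owner: str
    total: int = 0
    state: str = "cart"  # intended workflow: cart -> paid -> shipped


# --- Flaw 1: negative quantity ---------------------------------------------

def vulnerable_total(items):
    """Trusts the client-supplied quantity; ("SKU-200", -3) drives the total
    negative, i.e. money owed *to* the attacker."""
    return sum(CATALOGUE[sku] * qty for sku, qty in items)


def hardened_total(items):
    """Validates every line item on the server before pricing it."""
    total = 0
    for sku, qty in items:
        if sku not in CATALOGUE:
            raise OrderError(f"unknown sku {sku!r}")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise OrderError("quantity must be an integer")
        if not 1 <= qty <= MAX_QTY:
            raise OrderError(f"quantity {qty} out of range")
        total += CATALOGUE[sku] * qty
    return total


# --- Flaw 2: skipping a workflow step ---------------------------------------

def vulnerable_ship(order):
    """Ships whatever order the client posts to /ship; never checks payment."""
    order.state = "shipped"
    return order.state


def hardened_ship(order):
    """Only an order in the 'paid' state may move to 'shipped'."""
    if order.state != "paid":
        raise OrderError(f"cannot ship an order in state {order.state!r}")
    order.state = "shipped"
    return order.state


# --- Flaw 3: improper authorization (direct object reference) --------------

ORDERS = {  # constructed order store
    1: Order(1, "alice", total=2500, state="paid"),
    2: Order(2, "bob", total=1000, state="cart"),
}


def vulnerable_get_order(order_id, current_user):
    """Looks the order up by id alone; current_user is never consulted, so
    any logged-in user can read any order by changing the id in the URL."""
    return ORDERS[order_id]


def hardened_get_order(order_id, current_user):
    """Checks ownership on the server and fails closed with the same error
    for 'missing' and 'not yours', so valid ids cannot be enumerated."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != current_user:
        raise OrderError("order not found")
    return order


if __name__ == "__main__":
    attack = [("SKU-100", 1), ("SKU-200", -3)]
    print("vulnerable total (cents):", vulnerable_total(attack))
    try:
        hardened_total(attack)
    except OrderError as err:
        print("hardened rejects:", err)
    print("bob reads alice's order:", vulnerable_get_order(1, "bob").owner)
```

The pattern in each hardened function is the same: the rule that the business process assumes (a positive quantity, payment before shipping, ownership of the record) is checked where the request is processed, not where the form is rendered. A manual tester finds these flaws by reading the workflow and asking what happens when a step is skipped or an input is taken outside its intended range; that is exactly the reasoning an automated scanner does not perform.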