Such flaws are not identified by Web application vulnerability assessment tools. These tools are also not capable of detecting advanced attacks like cross-site request forgery. Most Web application vulnerability-scanning tools, for example, will not be able to raise a phantom request to the Web application, forcing the application to perform an action that has not been performed by the logged-on user of the application. Also, most Web application scanning tools will not be able to consistently perform more advanced SQL injection attacks based on errors that are raised when an attacker attempts SQL injection attacks against a Web application. The cognitive and creative powers of the human mind are much needed in a Web Application Security Test.

Web application vulnerability assessment tools must be a part of a Web application vulnerability assessment, because they aid in preliminary understanding and in exposing several vulnerabilities. Identifying such vulnerabilities would ordinarily take a much longer time in a manual effort. However, it is important to perform manual assessments with an experienced and knowledgeable team performing the vulnerability assessments and delving deep into testing the Web application for security.
11.1.3.2 Segregation of Duties
It is important to separate the development and test environments to ensure that the integrity of the results of the Web application security assessment remains intact. Segregation of duties is a simple concept, but it is seldom followed in principle when it comes to security testing for Web applications. There should be separate teams for performing testing of the security of Web applications. This team should not consist of the developers of the application. Moreover, it is also important that the individuals reviewing the code of the Web application (in the case of a white-box test) be individuals other than the code author, that they have a great deal of experience in Web application security testing and/or development, and that they be able to easily and quickly identify nonsecure coding practices during the development of the Web application. It is also important that the systems for the testing and development environments be separate and that there be a logical segmentation of the development and test environments. Developers should not be able to gain access to the test environment and influence the testing process.
11.1.3.3 Knowledge of Testers
Security testing of Web applications would be rendered useless without the participation of a knowledgeable testing team that would perform and finalize the security testing procedures. While it is important to carry out the test and complete it, it is even more important to analyze the results of the vulnerability assessment or code review and objectively quantify the results based on the risk of the vulnerabilities identified. In several cases, Web application vulnerability assessments or penetration tests remain ineffective because the individuals carrying out the test are not capable of understanding the results of the testing exercise and could inappropriately classify or rank the identified vulnerabilities. For instance, lack of input validation is a critical vulnerability for a Web application, but if it is categorized as a low vulnerability or ranked inappropriately, it will render the entire vulnerability assessment/penetration test ineffective and will result in the vulnerability continuing to fester in the Web application, having an impact once the application is released to production.

Knowledge of testers plays an extremely important role, particularly in white-box testing, where the tester goes over the source code completely to find traces of nonsecure coding practices. The tester in this case must be knowledgeable about what nonsecure coding practices are and,