furthermore, must be able to trace such instances and provide recommendations to the developers
about more secure alternatives.
Training for developers and testers proves to be invaluable for an organization serious about Web application security. It is imperative that testers performing both white-box and black-box testing keep abreast of the most updated information about a Web application platform or platforms and the various security vulnerabilities that might be present in applications. They should also be able to provide constructive recommendations to correct the anomalies found.
11.1.3.4 Defense-in-Depth for Security Testing
We have already understood that defense-in-depth is one of the key requirements for a strong information security practice. One mechanism or measure is not good enough to protect sensitive information, and only a layered security practice can ensure that risks to critical information assets are effectively mitigated or, at the least, reduced. Defense-in-depth applies just as much to security testing. Security testing must be done with the concept of defense-in-depth in mind. There should not be an overbearing presence of one kind of security testing and the complete absence of the other. For instance, performing only black-box testing will result in a noncomprehensive security testing process. It is also important to have white-box testing through effective source code reviews and to strike a balance between security testing measures. This ensures that any risks that might occur due to flaws in the development process are effectively identified and mitigated based on severity and risk.
11.1.4 Integration of Security Testing into Web Application Risk Management
It is very well known that the Software Development Life Cycle (SDLC) is the most important governing factor for a Web application development effort. The SDLC is the process that any organization follows right from the inception of the application to its maintenance. The life cycle consists of key phases that form the SDLC. The requirements for the application are first developed; subsequently an application is designed based on these requirements. Next, the application is developed based on the design specifications created. During the development of the application, and after its development, the application is tested extensively for performance, functionality, and security. Once the application completes the development and testing phase, the application is deployed in the production environment and has to be continuously maintained and monitored. The SDLC has been illustrated in Figure 11.1.
We should now recall our learning of Web application risk management from Chapter 5, as it is integral to our understanding of the approach for security testing Web applications. Web application risk management consists of three phases, namely, risk assessment, risk mitigation, and continuous evaluation. Risk assessment is the first phase of the risk management process, where the risks to critical information assets stored/processed/transmitted by the Web application are understood. Critical information assets are profiled, threat models are created, and risks are identified and ranked based on severity. Risk mitigation is the phase where the risks identified and assessed during the risk assessment phase are mitigated through the application's design, development, and testing processes. The risk mitigation phase is a critical phase of the risk management process, as it needs to ensure that the risks to critical information assets are mitigated or, at the least, reduced through secure design, secure development process, and, lastly, comprehensive security testing