11.2.3.2 Testing Frequency
We have delved into the approach that individuals and organizations can adopt for Web application security testing. This approach advocates the use of certain testing procedures throughout the SDLC. This is a highly recommended practice, as most organizations that begin to build security into their Web applications generally lose track of this goal because testing (i.e., oversight) is not built into the process. It is important to begin the testing of Web applications early in the SDLC.
With the passage of time, the Web application's underlying infrastructure needs to be secured against exploits written for specific bugs. There is also the fact that attacks against Web applications keep evolving over time, and Web application development organizations need to be aware of this and proactive in ensuring that the application is able to resist new-age, sophisticated attacks. This holds regardless of the inherent security of the Web application. Patch management, regular penetration testing, and vulnerability assessments are the order of the day to ensure that mission-critical Web applications remain secure.
11.2.3.3 Documentation for Security
The organization must have a defined procedure (or set of defined procedures) for the security testing of Web applications. Documentation is a major contributing factor to the success of a security-testing process. It is imperative that the results of all tests run against the Web applications are appropriately documented, with findings ranked by severity or other metrics. It is also important that there be evidence of the testing procedures performed, so that their propriety can be assessed against the risk. Documentation also covers the important aspect of remediation: the action taken to remediate the findings of the security testing procedures also needs to be documented. This is especially useful when the organization is scaling up or scaling down in terms of manpower, as it serves as a comprehensive reference guide for individuals who take on the job of security testing Web applications.
11.2.3.4 Testing Mix
We have already indicated that VA and PTs need to be performed through both manual and automated methods. While automated tools are extremely convenient to deploy—by just clicking a button, one is able to perform quite a substantial vulnerability assessment—it is also common knowledge that automated vulnerability assessment tools cannot cover logic flaws and the more advanced types of attacks that skilled penetration testers and vulnerability assessors can perform. Therefore, it is imperative that a mix of manual procedures and automated vulnerability assessment and penetration test tools be used for black-box security testing of Web applications.
11.2.4 Security Testing for Web Applications and Security Compliance
Most security compliance requirements do not specifically prescribe Web application security testing or any specific type of security testing to be performed. The Sarbanes-Oxley Act, for example, focuses more on internal control and the controls around the preparation of financial statements. It is entirely up to the auditor to initiate a process of security testing involving vulnerability assessments and penetration tests. HIPAA, on the other hand, bases itself on risk assessment and relies on the controls derived from the risk assessment, and the GLBA and SB-1386 do not focus