Chapter 12
Practical Web Application Security Testing
It is important to assess a Web application for the security vulnerabilities that can be introduced during the design, development, and other phases of the Software Development Life Cycle (SDLC). An application must be comprehensively tested for security flaws before it is deployed in a live production environment. In this chapter, we explore some of the practical techniques used to assess Web applications for security.
12.1 Web Application Vulnerability Assessment and Penetration Testing
12.1.1 Approach to Practical Web Application Testing
We have already provided a basic introduction to Web application vulnerability assessment and penetration testing activities in Chapter 11. The aim of a vulnerability assessment is to unearth as many of the vulnerabilities that exist within a system as possible. A vulnerability assessment (VA) consists of performing tests against the Web application and its platform elements, such as Web servers, application servers, databases, and operating systems, to identify vulnerabilities and to rank the vulnerabilities found according to their severity in the context of that Web application. A VA is usually followed by a penetration test (PT). A PT takes the VA one step further: once vulnerabilities are identified, a penetration tester attempts to exploit them, attacking the Web application as a real-world attacker would. A PT therefore provides a proof of concept of the exploits an organization might actually face, and it also aims to identify and secure other weaknesses in the system beyond those already found by the VA. It is therefore worthwhile to perform both a VA and a PT against a Web application before it is deployed in a live production environment.