Internet usage has increased and become more important in our daily lives. Many web applications are hosted and accessed via the internet or an intranet, and because they are so important and so widely accessed, their security has become a concern for many enterprises and individuals.
Whenever a product or web application is handed to the QA team, in most organizations only the functionality of the product/application is tested. Many times the security aspect of the product is neglected or given less importance by QA. QA should take the lead on, or responsibility for, testing the security aspects of the product too, as QA knows the product very well. Even if developers follow good coding standards, flaws can be introduced, knowingly or unknowingly, at any time in the development lifecycle. Undetected flaws can turn into security vulnerabilities at runtime, and it is always good practice to do security testing, as no web application is totally secure.
As a QA engineer, if you are into security testing, well and good; if you are not, you do not have to worry about it, as there are quite a few automated tools that can find security bugs in the product/application. It is still always good to have knowledge of the different kinds of security issues.
Top Vulnerabilities
OWASP, a free and open software security community, has come up with a top 10 list of vulnerabilities, which can be found here (https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet), and SANS has its list here (https://www.sans.org/top25-software-errors/archive/2010).
There are two techniques/kinds of analysis:
- Static Analysis
- Dynamic Analysis
Static Analysis
Static analysis is a technique that allows us to find bugs without executing the program. A static code analysis tool automatically checks the source code for compliance with a predefined set of rules or best practices. Static analysis tools are fast and efficient at finding code defects and inconsistencies. This technique is programming-language dependent, so the tool must support the programming language in which your product/application is built.
A static code analysis tool can help with your code review process by
- detecting areas in the code that need to be refactored and simplified
- finding areas of the code that may need more testing or deeper review
- identifying design issues such as high cyclomatic complexity, and helping reduce code complexity to improve maintainability
- identifying potential software quality issues before the code moves to production
- finding memory leaks, buffer overflows, and even concurrency issues
(http://www.codeexcellence.com/2012/05/what-is-static-analysis-and-why-is-it-important-to-software-testing/)
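To make the "predefined set of rules" concrete, here is a small rule checker of the kind tools such as pylint or FindBugs are built around. It is an added example written for this post, not code from any of the tools listed, and the three rules, the Finding type and the SAMPLE program are all constructed for illustration. The program under review is only parsed into a syntax tree, never executed, which is exactly what makes the technique static.

```python
"""Minimal static analysis rule checker built on Python's ast module.

Constructed example: it walks a syntax tree without running the code and
reports matches against a small predefined rule set, the way tools such as
pylint or FindBugs apply their rule catalogues. Rule names are made up here.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

DANGEROUS_CALLS = {"eval", "exec"}                                  # rule 1
SECRET_NAMES = {"password", "passwd", "secret", "api_key", "token"}  # rule 2


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


class RuleVisitor(ast.NodeVisitor):
    """Visits every node once and records rule matches with their line numbers."""

    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        # Rule 1: a call to eval()/exec() by bare name (dynamic code execution).
        if isinstance(node.func, ast.Name) and node.func.id in DANGEROUS_CALLS:
            self.findings.append(Finding("dangerous-call", node.lineno, node.func.id))
        # Rule 3: subprocess.<anything>(..., shell=True) hands input to a shell.
        if (isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding("shell-true", node.lineno, node.func.attr))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Rule 2: a string literal assigned to a secret-looking variable name.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in SECRET_NAMES:
                    self.findings.append(Finding("hardcoded-secret", node.lineno, target.id))
        self.generic_visit(node)


def analyze(source: str) -> list[Finding]:
    """Parse the source text and return all rule matches ordered by line."""
    tree = ast.parse(source)
    visitor = RuleVisitor()
    visitor.visit(tree)
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input: the program under review. It is parsed, never run.
SAMPLE = '''\
import subprocess
password = "hunter2"
def run(cmd, expr):
    subprocess.run(cmd, shell=True)
    return eval(expr)
'''

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(f"line {finding.line}: {finding.rule} ({finding.detail})")
```

Running it on SAMPLE reports the hardcoded secret on line 2, the shell=True call on line 4 and the eval on line 5. The same three rules would miss a call reached through an alias (`e = eval; e(expr)`), which is the usual trade-off of rule-based static tools: fast and language-specific, with precision bounded by how much of the program's behaviour the rules model.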
Here is a list of tools available for applications built in different languages:

Language or framework    Static tools
C or C++                 Splint, VisualCodeGrepper
Java™ technology         FindBugs, LAPSE+, VisualCodeGrepper
JavaScript               JSLint, JSHint
Python                   pylint, PyChecker
PHP                      RIPS
Ruby on Rails            Brakeman, codesake_dawn
Dynamic Analysis
Dynamic analysis is a technique that allows us to find bugs while the application is running. For dynamic analysis to be effective, the application must be exercised with different tests that cover every part of the application. Dynamic analysis does not have access to the source code; it detects vulnerabilities by performing attacks against the running application, and it is not dependent on any programming language.
Dynamic analysis is more useful for finding runtime errors, memory leaks, SQL injection, cross-site scripting, etc.
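The following added example (written for this post, not taken from any scanner) shows dynamic analysis in miniature. Two implementations of the same user lookup run against an in-memory SQLite database; the harness treats each as a black box and feeds it inputs, including a legitimate name containing an apostrophe, the way a web scanner probes a form field. A database error surfacing from such an input is the runtime symptom that a SQL injection flaw exists, and the parameterised version shows both that the symptom disappears and that the feature still works for that name. The table, the probe list and the function names are constructed for illustration.

```python
"""Dynamic analysis in miniature: exercise a running component with test
inputs and judge it by its behaviour, without reading its source.

Constructed example. make_db(), PROBES and both lookup functions are
illustrative; the harness only sees a callable target(conn, name).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Builds the statement by string formatting: user data becomes SQL syntax.
    return conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver keeps the value out of the SQL grammar.
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


# Constructed probes: a known user, a valid name with a quote, an unknown user.
PROBES = ["alice", "O'Brien", "nobody"]


def dynamic_check(target) -> list[tuple]:
    """Run every probe against target on a fresh database.

    Returns (probe, verdict, detail): verdict "ok" with the row count, or
    "db-error" with the error text when the input broke the query.
    """
    results = []
    for probe in PROBES:
        conn = make_db()
        try:
            rows = target(conn, probe)
            results.append((probe, "ok", len(rows)))
        except sqlite3.DatabaseError as exc:
            results.append((probe, "db-error", str(exc)))
        finally:
            conn.close()
    return results


def is_injectable(target) -> bool:
    """True when any probe made the database itself report an error."""
    return any(verdict == "db-error" for _, verdict, _ in dynamic_check(target))


if __name__ == "__main__":
    for name, target in (("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed)):
        print(name, "injectable:", is_injectable(target))
        for row in dynamic_check(target):
            print("  ", row)
```

The harness never inspects how either lookup builds its query; it only observes that one implementation turns an ordinary apostrophe into a database error while the other returns O'Brien's row. That is the strength and the limit of dynamic analysis: it finds what the tests actually exercise, so the probe set has to cover every input path the application exposes.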
Both kinds of analysis should be performed as part of security testing.
A few of the web vulnerability scanners available are IBM AppScan, Burp Suite, Zed Attack Proxy, etc.