Changing the QA Mindset for Rich Internet Applications

business logic on the client tier is unacceptably dangerous. Every RIA's quality-assurance test plan should ensure that the client-side code contains only presentation logic. Client-side checks may duplicate server rules for usability (instant feedback on a form, a price preview), but they must never be the only place a rule is enforced, because the user fully controls the client. What this means is that QA professionals can no longer rely on a Web browser as their sole testing tool for RIAs. QA teams have to examine the details of the RIAs' client-side components in order to ensure that no business logic has crept into the client code (either accidentally or intentionally). For Flash and Silverlight applications, this requires decompiling the downloaded SWF files or the DLLs unpacked from the Silverlight XAP package. For JavaScript, it may require downloading the external script source files referenced by the page and reading through them, including any minified or obfuscated code, since what the browser renders reveals nothing about which rules the script enforces.

QA professionals should not consider reading source code or using decompilers and disassemblers to be beyond the bounds of their role. While it is true that they never previously had to perform those actions when testing traditional Web applications, RIAs have expanded the scope of the QA team's responsibilities. Simple, manual, black-box testing of the application through a Web browser is no longer sufficient. To ensure security, the QA arsenal must expand to include new tools and processes that let the team thoroughly test all aspects of an RIA, including the client-side code it ships to users.

About the author

Bryan Sullivan

Bryan Sullivan is a security program manager on the Security Development Lifecycle (SDL) team at Microsoft. He is a frequent speaker at industry events, including Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on Web application security topics. His first book, Ajax Security, was published by Addison-Wesley in 2007.