Changing the QA Mindset for Rich Internet Applications


It is clear that, as tempting as it is from a performance standpoint, executing business logic on the client tier is unacceptably dangerous. Every RIA's quality-assurance test plan should ensure that the client-side code contains only presentation logic. What this means is that QA professionals can no longer rely on a Web browser as their sole testing tool for RIAs. QA teams have to examine the details of the RIAs' client-side components in order to ensure that no business logic has crept into the client code (either accidentally or intentionally). For Flash and Silverlight applications, this requires decompilation of the downloaded SWF or DLL files. For JavaScript, it may require downloading external script source files.
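The risk described above, as an added example that is not from the article: a constructed checkout where the client tier computes the order total, shown beside a server handler that recomputes it from data the server owns, plus the kind of check a QA tester can run against a captured request. All names and prices here are assumptions.

```javascript
// Added example (not the article's code): business logic on the client tier vs. the server tier.
// Constructed catalogue the server owns; prices in cents.
const CATALOGUE = { widget: 1000, gadget: 2500 };

// Presentation-only client code: it may show a running total to the user,
// but nothing it computes should be trusted by the server.
function displayTotal(cart) {
  return cart.reduce((sum, line) => sum + CATALOGUE[line.sku] * line.qty, 0);
}

// Flawed server handler: charges whatever total the client sent.
// The pricing rule has effectively moved into the client tier.
function checkoutTrustingClient(order) {
  return { charged: order.total };
}

// Hardened server handler: ignores order.total and recomputes from SKUs and
// quantities, validating both against the server-side catalogue.
function checkoutServerSide(order) {
  let total = 0;
  for (const line of order.cart) {
    if (!(line.sku in CATALOGUE)) throw new Error(`unknown sku ${line.sku}`);
    if (!Number.isInteger(line.qty) || line.qty < 1) throw new Error(`bad qty for ${line.sku}`);
    total += CATALOGUE[line.sku] * line.qty;
  }
  return { charged: total };
}

// QA check: replay a captured order with the client-supplied total altered.
// If the server's answer changes, business logic is living on the client.
function serverIgnoresClientTotal(handler, order) {
  const honest = handler(order).charged;
  const altered = handler({ ...order, total: 1 }).charged;
  return honest === altered;
}
```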

QA professionals should not consider looking at source code or using disassemblers to be outside the scope of their responsibilities. While it is true that they never had to perform these actions when testing traditional Web applications, RIAs have expanded the scope of QA's responsibilities. Simple, manual, black-box testing of the application through a Web browser is no longer sufficient. To ensure security, the QA arsenal must expand to include new tools and processes that thoroughly test all aspects of RIAs.

About the author

Bryan Sullivan

Bryan Sullivan is a security program manager on the Security Development Lifecycle (SDL) team at Microsoft. He is a frequent speaker at industry events, including Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on Web application security topics. His first book, Ajax Security, was published by Addison-Wesley in 2007.

AgileConnection is one of the growing communities of the TechWell network.
