Practical Security Testing For Web Applications

It seems like every week the press has yet another story about security breaches or stolen data at some of the world’s largest companies or government agencies. Sometimes the responsibility for ensuring thorough security resides with an IT security group, and other times it gets outsourced altogether. The responsibility seldom falls to testing teams. However, this is changing. Having trained and experienced testers hunt for security bugs will make web applications safer from hackers and will further protect consumers, corporate assets, and brands.

Security testing techniques are not well known to many traditional functional testing teams because there are relatively few opportunities to learn them compared to learning functional testing. And, security testing is more difficult to perform than functional testing for reasons including: vague security requirements for many applications; low-level, technically challenging testing approaches; and security testing tools that are difficult to set up and configure.

A major consideration for any security testing strategy is that every architectural layer of an application is vulnerable in different ways—some are more easily penetrated and comexploited than others. These layers are known as the attack surface and will be different for different web applications because of the varying architecture, frameworks, and languages in use to develop them. Hackers trying to penetrate your web applications must know as much as possible about your application's attack surface. The attackers' methods are numerous and constantly evolving, so testers need to think in similar ways when approaching security testing. Approaching testing in a progressive and creative manner is perhaps one of the greatest challenges for security testers. To keep up with the efforts of hackers, testers must utilize not only traditional and time-tested tools but also the newest tools available.

This can be a daunting task because of the nature, variety, and number of tools available for security testing. This article covers a few of the basic freeware tools available for web application security testing. These tools can stand alone or serve as a foundation for the adoption of more mature tools within your organization. Building upon this small set of tools over time will ensure the widest possible set of protective mechanisms for your security testing certification process—the rigor that must be executed and passed prior to release.

Just as with other types of testing, it is important to know that you cannot prove the nonexistence of security defects. Exhaustive security testing is impossible, due to the diverse nature of the attack surface and the number of possible variables that can be manipulated across that surface. However, there are categories of attacks that tend to be more popular due to their effectiveness. Two specific web application vulnerabilities that you should be aware of are SQL injection and cross-site scripting (XSS). An excellent primer to these vulnerabilities can be found at the Open Web Application Security Project (OWASP) [1]. The OWASP testing guide [2] is one of the best resources available on web application security and vulnerability testing. It is several hundred pages long, so do not expect to master every testing mechanism right away.

Preparing for an effective security testing strategy includes getting familiar with a few core tools, such as the Firefox browser—yes, the same Firefox browser you use to verify the functional behavior of web applications. This browser is perhaps the best all-around beginner’s tool that can be used to test the security of a web application. This is largely due to an ecosystem of browser plug-ins specifically built for security testing tasks, including two free Firefox add-ons that every security tester hunting for web-based vulnerabilities must have: SQL Inject Me and XSS Me.