Web Security Testing Practices

Writing by Chakri on Tuesday, 17 of February, 2009 at 11:55 am

Exposing systems to the internet increases the risk that security weaknesses in those systems will be leveraged to compromise the system or the underlying data. Further, organizations risk direct financial loss, loss of reputation and legal repercussions. It is therefore necessary to examine the actual business risks this brings, understand the basic difficulties in implementing “secure systems”, and adequately test internet applications for security, as well as for functionality and load performance, before they are exposed to the net.

Testing, and security testing in particular, is a way to mitigate these risks. Security testing of internet solutions provides two fundamental services. First, it allows cost-effective selection of security controls at all stages of the project cycle, so that security measures (procedural and technical) are properly integrated into the final solution. Second, it gives management firm evidence of the level of security provided, showing that, in the event of a security breach, “due diligence” was exercised, which may limit damages claims or criminal liability.

Testing a system involves a number of separate checks: the infrastructure design should be implemented to allow secure operation; site functionality should be examined to ensure that access to sensitive information and administrative functions is protected appropriately; only the services necessary for the business process should be running on web-facing servers (the more different systems, the greater the likelihood of a serious flaw); and network traffic should be monitored to check for plain-text transmission of user names and passwords (whether related to site users or to back-office functions such as databases).
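The plain-text credential check in the paragraph above, as an added example that is not part of the original post: a small Python audit over raw HTTP requests as they would be read from an unencrypted capture, flagging credentials carried in Basic auth headers, query strings and form bodies. The requests are constructed samples and shop.example is a placeholder host.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Field names commonly used for credentials in login forms and query strings.
CREDENTIAL_FIELDS = {"user", "username", "login", "email", "pass", "password", "passwd", "pwd"}


def find_plaintext_credentials(request: str) -> list[str]:
    """Findings for one raw HTTP request read from an unencrypted capture (no TLS)."""
    head, _, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1]  # request line is "METHOD target VERSION"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    # HTTP Basic authentication is base64-encoded, not encrypted.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth[6:], validate=True).decode("utf-8").split(":", 1)[0]
            findings.append(f"Basic auth credentials for user '{user}' sent in clear")
        except (ValueError, UnicodeDecodeError):
            findings.append("Malformed Basic auth header sent in clear")
    # Credentials in the query string are also written to proxy and server logs.
    for field in parse_qs(urlsplit(target).query):
        if field.lower() in CREDENTIAL_FIELDS:
            findings.append(f"credential field '{field}' in URL query string")
    # Form-encoded login bodies: the classic login page served over plain HTTP.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(body):
            if field.lower() in CREDENTIAL_FIELDS:
                findings.append(f"credential field '{field}' in form body")
    return findings


def audit(requests: list[str]) -> dict[str, list[str]]:
    """Map each request line to its findings; an empty list means nothing exposed."""
    return {req.split("\r\n", 1)[0]: find_plaintext_credentials(req) for req in requests}


# Constructed sample requests (shop.example is a placeholder host), as if read from a capture.
SAMPLE_REQUESTS = [
    "POST /login HTTP/1.1\r\nHost: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=alice&password=s3cret",
    "GET /admin/users HTTP/1.1\r\nHost: shop.example\r\nAuthorization: Basic "
    + base64.b64encode(b"admin:hunter2").decode() + "\r\n\r\n",
    "GET /report?user=bob&pwd=abc HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]
```

Running `audit(SAMPLE_REQUESTS)` reports three of the four requests; in a real engagement the request text would come from a capture of the test traffic rather than from the constructed list.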

If flaws are found, detailed analysis should follow, which will attempt to identify the required software patches, replacements for service daemons or applications, or any additional technical issues.

Category: Software Testing, Web

1 Comment

Comment by Madhav

Made Friday, 20 of February, 2009 at 10:06 am

The rate of technology adoption in the financial services industry is quite high. From ATMs to internet banking to online trading. Yet much of the software simply doesn’t work reliably.
It’s high time financial institutes extend that confidence to their customers by ensuring high security.
