Web Application Penetration Testing

Written by AppLabs on Monday, 31 August 2009 at 6:01 am

Owing to their ubiquity, ease of access, cost effectiveness and the services they deliver, web applications have become a driving force of technology adoption. With the advent of Web 2.0 and Web 3.0 technologies, web applications have become more sophisticated and quicker to respond. Today's web applications are more functional and flexible, which increases their value to business operations. It is this wide acceptance and adaptability that makes them an enticing target for malicious users, and the growing complexity and use of new technologies has opened the door to greater and more damaging security risks. To address these threats and avoid their consequences, companies need frequent and thorough web application penetration testing.

Web Application Penetration Testing (WAPT) is a legally authorized, non-functional assessment of a given web application, carried out to identify weaknesses, otherwise known as vulnerabilities, before an attacker does. The authorization is what separates a penetration test from an attack, so the scope, target systems and test window should be agreed in writing before testing starts. WAPT should be carried out in phases: Information Gathering, Planning and Analysis, Vulnerability Assessment, Attack/Penetration, and Reporting. This phased approach helps ensure optimum coverage while still simulating the fluid actions of a real attacker.

In light of the growing number of web applications, the advances in the technology they employ, the constant evolution of their features and the frequent discovery of new vulnerabilities, the preferred way of ensuring security in web applications is to include security testing as part of the SDLC. In practice, however, the ease of developing a web application and the focus on functionality and user interface have pushed security testing into the background, if it happens at all. Nonetheless, Web Application Penetration Testing should be an integral part of the roll-out and life cycle of every web application.


Category: Security Testing Services, Software, Software Testing, Uncategorized

Approach to Cloud Testing

Written by Sateesh Nallam on Friday, 14 August 2009 at 5:03 am

Small and medium-sized companies seeking fast, secure and scalable IT infrastructure are choosing to migrate to cloud computing, a solution that lets them focus on their core business rather than on the investment in and maintenance of their own IT infrastructure. Though the solution offers significant benefits, it has its own challenges in terms of security, reliability and manageability. To mitigate these risks, rigorous testing is mandatory.

Migrating to a cloud environment requires an understanding of the new business needs and of the challenges that come with the move. Accordingly, the scope of software testing also needs to be widened to cover those business requirements and the risks inherent in cloud computing. To meet these testing requirements, organizations need resources skilled in the different types of testing involved.

The strategies that testers need to follow while performing testing in a Cloud environment are:

Identify Applicable Testing Types

For this, one needs to thoroughly understand the characteristics of the cloud, the characteristics of the business, and the risks and challenges involved.

Some of the quality risks of cloud computing are reliability, flexibility, multi-tenancy, self-healing, pricing based on SLAs, and location independence; some of the inherent risks are data governance, data security, virtualization security, reliability, monitoring and manageability. These risks pose a threat to the applications hosted in the cloud, so the testing team must understand them and identify the additional testing they require. The team must also understand the applicable cloud models to be tested, such as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). The services offered to customers through these models play an important role in deciding which testing types apply.

The types of testing the team can perform while testing the cloud are System Integration Testing (SIT), User Acceptance Testing (UAT), Interoperability Testing, Compatibility Testing, Performance Testing, Load Testing, Stress Testing, Recovery Testing and Security Testing.

Selection of cloud test environment

The infrastructure requirements of the test environment are another important consideration for cloud testing. The two options for the test environment are to simulate a cloud test environment in-house or to select a cloud service provider; in either case, selecting the right infrastructure is critical to the quality of the testing.

Special considerations

Certain general considerations common to cloud testing on which the tester must focus are support for multiple browsers, user session management issues, and testing for security vulnerabilities in a multi-tenant environment, in particular confirming that each user can access only their own tenant's data and that a guessed record identifier does not expose another tenant's records.
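The tenant-isolation check mentioned above, as an added example that is not part of the original post or of AppLabs' tooling: a constructed in-memory record store shared by two tenants, a vulnerable lookup that fetches by primary key alone, a tenant-scoped lookup, and the cross-tenant probe a tester would run against both during the Attack/Penetration phase. The tenant names, record ids and function names are assumptions made for the illustration.

```python
"""Tenant-isolation check for a multi-tenant web application (added example).

The store, tenants and record ids below are constructed for illustration;
they are not the page's or AppLabs' code.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    tenant: str


@dataclass(frozen=True)
class Record:
    id: int
    tenant: str
    body: str


# Constructed sample data: two tenants sharing one table, as in a
# multi-tenant SaaS deployment. Ids are sequential, so they are guessable.
RECORDS = {
    1: Record(1, "acme", "acme invoice Q1"),
    2: Record(2, "acme", "acme invoice Q2"),
    3: Record(3, "globex", "globex payroll"),
}


def get_record_vulnerable(user: User, record_id: int) -> Optional[Record]:
    """Looks up by primary key only. Any authenticated user can read any
    tenant's record by guessing the id (an insecure direct object reference);
    the `user` argument is accepted but never consulted."""
    return RECORDS.get(record_id)


def get_record_scoped(user: User, record_id: int) -> Optional[Record]:
    """Tenant-scoped lookup: the caller's tenant is part of the query, so a
    record belonging to another tenant is returned as 'not found' rather than
    as 'forbidden', which avoids leaking that the id exists at all."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.tenant != user.tenant:
        return None
    return rec


def cross_tenant_probe(
    lookup: Callable[[User, int], Optional[Record]],
    user: User,
    id_range: Iterable[int] = range(1, 11),
) -> List[int]:
    """Probe for the Attack/Penetration phase: authenticated as `user`, walk a
    range of candidate ids and return those that returned another tenant's
    data. An empty list means the lookup enforced tenant isolation for the
    ids tried."""
    leaked = []
    for rid in id_range:
        rec = lookup(user, rid)
        if rec is not None and rec.tenant != user.tenant:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    tester = User("tester", "acme")
    print("vulnerable lookup leaked ids:", cross_tenant_probe(get_record_vulnerable, tester))
    print("scoped lookup leaked ids:", cross_tenant_probe(get_record_scoped, tester))
```

Running the probe as the acme tester reports record 3 (globex payroll) as leaked by the vulnerable lookup and nothing for the scoped lookup. In a real engagement the lookup would be an HTTP request carrying the tester's session, and the id range would come from identifiers observed during the Information Gathering phase; an empty result only covers the ids actually tried, so the probe should be repeated for every object type the application exposes.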

To mitigate the risks and issues introduced by cloud computing, testing teams should develop a sound strategy for testing their applications in a cloud environment that helps the organization meet its business needs. The strategy should set out the scope of software testing required by the business requirements and the characteristics of cloud computing. That scope needs to be widened to cover the additional testing types, the infrastructure and test environment, and the test engineers' skill set.


Category: Cloud Computing, Industry, Software Testing

Testing Centre of Excellence, Myth or Reality

Written by AppLabs on Thursday, 6 August 2009 at 9:29 am

A Testing Centre of Excellence (TCoE) is a framework made necessary by increasing business user demand and complex changes. It helps deliver multiple releases a year and accommodate dynamic business changes. When every project has its own testing process, testing becomes dependent on people rather than on process, which undermines the uniformity of testing; hence the need for a TCoE. Set against this are certain myths: that testing is a time-consuming process because of inadequate automation and tool usage and the lack of key accelerators and frameworks, and that, for lack of measurement and metrics, testing remains ineffective. These are myths: a properly implemented TCoE process can deliver a significant RoI.

The four pillars on which a TCoE is built are Process Improvement, Expertise Building, Project Support and Knowledge Management. When building a TCoE, define a strategy, build a roadmap, assimilate ideas and best practices, deploy using the available capabilities and components, and improve by refining those components.

For a successful implementation of a TCoE, define its key objectives and scope, and the key issues and priorities it aims to address. Create an engagement model with the other departments and project teams: the TCoE must set rules for how and when it provides services to project teams, and clearly define the entry and exit criteria for its involvement. Define the quantifiable benefits. For many enterprises, a TCoE remains a model without powers of enforcement because they have no mechanism for understanding the ROI of a CoE strategy and so cannot budget for it appropriately, whether through chargeback or directly from the business budget.


Category: Industry