shikhawat
Joined: 29 Aug 2007 Posts: 17
Posted: Sat Sep 15, 2007 1:28 pm Post subject: Choosing the Right Tool for Web Application Security Testing
The QA department will need application security testing software that is able to perform three different types of testing: as a non-authenticated user, an authenticated user, and an administrative user, to determine the vulnerabilities inherent in each user class. Additionally, the Web application security tool should be able to perform both automated and manual crawling/spidering of your web application.
Automated application security testing software will spider the entire application by clicking every button and link, filling out data fields to identify the structure of the program, and then audit each page for vulnerabilities. It should do this from the outside in, reviewing each portion of the site the way an external hacker might, ideally from behind the scenes. This comprehensive approach is valuable to ensure that all security holes have been identified and can be fixed. On the downside, it can also produce false positives, and it may not be able to access all of your Web pages due to the way that certain pages are coded.
Manual testing allows a user to focus on specific pathways or tasks on a website while the software follows silently behind, tracking the process. The program can then audit the particular path that the user has taken for security vulnerabilities and provide a report. Manually crawling an application can be time-consuming, but it also ensures that specific pages are tracked and analyzed.
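The post's central point is that a scanner has to crawl as each user class and compare what each one can reach, because a page the anonymous spider never discovers may still be served to an anonymous request once its URL is known from a higher-privileged crawl. The following Python script is an added illustration of that workflow and is not code from the original post or from any product it describes. Everything in it is constructed: the in-memory `SITE` table stands in for HTTP responses, the `/admin/debug` entry is a deliberately planted misconfiguration, and `expected_min_role` encodes the tester's own assumption about which paths should require which role.

```python
"""Crawl a constructed in-memory web application as three user classes, pool the
discovered URLs, re-request every URL as every role, and flag pages served to a
role below the one the tester expects. Added example, not from the original post."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}

# Constructed sample application: path -> (role the app actually enforces, HTML body).
# /admin/debug is a planted defect: it lives under /admin but is served to anyone.
SITE = {
    "/": ("anonymous", '<a href="/docs">Docs</a> <a href="/login">Login</a> <a href="/account">My account</a>'),
    "/login": ("anonymous", '<form action="/login" method="post"><input name="u"><input name="p"></form>'),
    "/docs": ("anonymous", '<a href="/">Home</a>'),
    "/account": ("user", '<a href="/account/export">Export data</a> <a href="/admin">Admin console</a>'),
    "/account/export": ("user", ""),
    "/admin": ("admin", '<a href="/admin/users">Users</a> <a href="/admin/debug">Debug</a>'),
    "/admin/users": ("admin", ""),
    "/admin/debug": ("anonymous", "<pre>config dump</pre>"),
}


def expected_min_role(path):
    """The tester's assumed access policy, independent of what the app actually does."""
    if path.startswith("/admin"):
        return "admin"
    if path.startswith("/account"):
        return "user"
    return "anonymous"


class LinkExtractor(HTMLParser):
    """Collect anchor hrefs and form actions, the two things a spider follows."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.targets.append(attrs["action"])


def fetch(path, role):
    """Stand-in for an HTTP request made with a session logged in as `role`."""
    if path not in SITE:
        return 404, ""
    required, body = SITE[path]
    if ROLE_RANK[role] < ROLE_RANK[required]:
        return 403, ""
    return 200, body


def crawl(role, start="/"):
    """Breadth-first spider as one user class; returns {path: status} for every URL reached."""
    seen = {}
    queue = deque([start])
    while queue:
        path = queue.popleft()
        if path in seen:
            continue
        status, body = fetch(path, role)
        seen[path] = status
        if status != 200:
            continue  # a 403/404 yields no further links for this user class
        parser = LinkExtractor()
        parser.feed(body)
        for target in parser.targets:
            nxt = urlparse(urljoin(path, target)).path
            if nxt not in seen:
                queue.append(nxt)
    return seen


def access_matrix(roles=("anonymous", "user", "admin")):
    """Crawl as every role, pool the discovered URLs, then re-request each URL as each role."""
    inventory = set()
    for role in roles:
        inventory |= set(crawl(role))
    return {path: {role: fetch(path, role)[0] for role in roles} for path in sorted(inventory)}


def find_access_gaps(matrix):
    """Flag (path, role) pairs where a role below the expected minimum still gets a 200."""
    gaps = []
    for path, by_role in matrix.items():
        need = ROLE_RANK[expected_min_role(path)]
        for role, status in by_role.items():
            if status == 200 and ROLE_RANK[role] < need:
                gaps.append((path, role))
    return gaps


if __name__ == "__main__":
    matrix = access_matrix()
    for path, by_role in matrix.items():
        print(f"{path:18} " + " ".join(f"{r}={s}" for r, s in by_role.items()))
    print("gaps:", find_access_gaps(matrix))
```

The anonymous crawl on its own never sees `/admin/debug`, because the only link to it sits on a page that returns 403 to anonymous requests; the page shows up in the inventory only through the admin crawl, and the cross-role re-request is what exposes that it is served without authentication. Against a real application the `fetch` stub would be replaced by three separately authenticated HTTP sessions, and `expected_min_role` by whatever access policy the application is documented to enforce.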