- Why should security testing be done as a part of the application development and testing process?
- How do I integrate security testing into test plans?
- How do I write and modify security test scripts with AppScan?
- How do I report security defects to developers with AppScan?
- How do I measure the ROI of security testing during the QA process versus doing it at a different point in the process?
- I already write scripts that check for data validation, do I need AppScan?
Why should security testing be done as a part of the application development and testing process?
There are two sources of application security defects:
- External: Common Web Vulnerabilities (CWVs) are the result of flawed programming or misconfiguration of third-party software (e.g. web servers and CGI scripts)
- Internal: Application-Specific Vulnerabilities (ASVs) are created during application design and development
Today, companies must identify security defects in their applications regardless of their source, but how and when they do so depends entirely on where the defects come from. Catching and fixing ASVs during the development and testing of applications dramatically reduces the cost of fixing these types of security defects. One estimate is that it costs seven times more to fix a defect once the application has been deployed than it would have if it had been caught during the pre-deployment testing process.
Integrating AppScan into existing testing processes is simple because:
- AppScan creates, modifies, and manages tests automatically
- AppScan is scriptable so that testers can build security testing into existing test scripts
- AppScan's results can be exported in standard formats like CSV for import into third-party defect reporting and management systems.
In short, the most inexpensive and effective way to eliminate application security defects is to catch them as early as possible. To this end, AppScan integrates into any application development and testing process in order to catch ASVs and enable developers to fix them before it gets exponentially more expensive and more risky to do so.
How do I integrate security testing into test plans?
Creating the test plan is the first step in the application testing process. At this initial stage, it's critical to write security testing into the test plan regardless of whether or not you're going to use AppScan to do the tests. Just as the test plan contains methods and use cases for testing the functionality and performance of the application, so too should it include a plan for evaluating the application's security.
Application security defects generally involve improper handling of data sent from the user to the application. As a result, most of what is required to integrate security testing into a test plan is to include methods, use cases and success criteria for testing the application's handling of invalid or illegal characters. Doing so saves the enterprise money and reduces the business risk associated with security defects that slip through the standard testing process and end up getting deployed.
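One way to turn the invalid-character use cases and success criteria described above into an automated test plan item. This is an added example, not code from the original page or from AppScan; the field policy, the probe set and the base value are constructed assumptions, and the deny-list validator is included only to show what the matrix catches.

```python
import re
from itertools import product

# Constructed success criterion for one form field: an account name may contain
# only ASCII letters, digits, dot, underscore and hyphen, 1 to 32 characters.
ACCOUNT_NAME = re.compile(r"[A-Za-z0-9._-]{1,32}")

def account_name_is_valid(value: str) -> bool:
    """Allow-list check: True only when the whole value matches the policy."""
    return ACCOUNT_NAME.fullmatch(value) is not None

def weak_account_name_is_valid(value: str) -> bool:
    """Deny-list check that only looks for two characters (the kind of
    hand-written validation the test matrix is meant to expose)."""
    return "<" not in value and "'" not in value

# Constructed probe set: one illegal-input class per test plan use case.
PROBES = {
    "angle_bracket": "<",
    "single_quote": "'",
    "semicolon": ";",
    "null_byte": "\x00",
    "control_char": "\x1b",
    "non_ascii": "\u00e9",
    "over_length": "a" * 33,
}
PLACEMENTS = ("prefix", "suffix", "embedded")

def build_test_matrix(fields, probes=PROBES, base="alice"):
    """Cross every field with every probe and placement; each case records
    the expected outcome so the matrix doubles as the success criteria."""
    cases = []
    for field, (name, probe), placement in product(fields, probes.items(), PLACEMENTS):
        if placement == "prefix":
            value = probe + base
        elif placement == "suffix":
            value = base + probe
        else:
            value = base[:2] + probe + base[2:]
        cases.append({"field": field, "probe": name, "placement": placement,
                      "value": value, "expect_accepted": False})
    return cases

def run_test_matrix(cases, validators):
    """Run each case through the validator for its field and return the
    cases whose outcome differs from the expected one (the defects)."""
    return [c for c in cases
            if validators[c["field"]](c["value"]) != c["expect_accepted"]]
```

Every case the deny-list validator accepts is a defect to report; the allow-list validator passes the whole matrix because the success criterion is the policy itself.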
How do I write and modify security test scripts with AppScan?
With application security built into the test plan, performing security tests with AppScan is fast and efficient. Since AppScan creates and modifies application security tests to fit the specific application, the tester's job is to identify for AppScan the application or the business process to be tested. As with other testing tools, this is commonly done with AppScan's "Business Process Record and Play" feature: all the tester needs to do is record and save the process, much like recording a macro or creating a test script in other testing tools. Alternatively, AppScan can be configured to create tests for the entire application automatically if necessary. It is up to the tester to determine the scope of the tests required.
In either case, once the tests are created, the tester can either run the tests immediately and independently of any other testing processes or he/she can call the collection of custom security tests (called a session in AppScan) via a script he/she has created to do other things in addition to testing for security.
How do I report security defects to developers with AppScan?
AppScan enables testers to get complete test descriptions and results into the hands of developers quickly. Results can be included in detailed reports that provide test data, defect advisories, and fix recommendations. Alternatively, results can be exported in standard formats to third-party analysis or bug tracking software.
The results of the tests AppScan runs include severity ratings (i.e. the impact the defect has on the security of the application) for every defect found, a detailed description of the defect, links to additional information on the subject, HTML source code for the baseline and the tests, and fix recommendations.
Testers can either generate a detailed defect report for developers or they can export results to a third party analysis or tracking tool. In every case, AppScan's actionable results deliver all of the information developers need to locate and fix defects quickly and effectively.
How do I measure the ROI of security testing during the QA process versus doing it at a different point in the process?
The benefits of security testing during the application testing and QA process are reduced R&D costs and reduced business risk. R&D cost reductions are realized in the form of fewer testing cycles and fewer disruptions (aka "fire-drills") of the kind that result when a defect is found downstream in the application development process. Reduced business risk means that the probability of a successful attack through an application security defect is materially lower.
I already write scripts that check for data validation, do I need AppScan?
The answer to this question is best provided by way of example. For a web application that contains 100 links, AppScan will automatically create several thousand separate customized tests to run against the application. No person, no matter how prolific and skilled a tester or programmer they are, can match that output and accuracy. At the end of the day, AppScan is more accurate and far more efficient at security testing applications than any person ever could be.
AppShield, Policy Recognition, and Adaptive Reduction are trademarks of
Sanctum, Inc. All other product names referenced are the property
of their respective owners and are hereby acknowledged.