Better Software - June 2008 - (Page 42)

Can you achieve application quality without application security?

Many companies are under the impression that testing for web application security simply involves a cursory check for easy-to-guess user names and passwords. Yet application security testing can and should involve more thorough audits, such as testing for SQL injection and cross-site scripting vulnerabilities. Often this sort of review does not happen until the web application is in production, when it is too late to stop a hacker or a malicious program from attacking and much more expensive to remediate the vulnerability. While quality assurance (QA) departments have traditionally focused on functional or performance testing, there is a clear trend toward QA becoming a critical participant in application security testing.

Are you ready for security testing?

There are three ways that your QA department may become involved with web application security testing:

• Your company’s web security experts may request that application security testing be done by the QA group to ensure that all fixes have been implemented and no security holes exist prior to releasing the product to production.

• Your compliance officer—facing concerns about Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the payment card industry (PCI), etc.—may request that further application security testing be performed during the QA process.

• Your QA department may request involvement with testing for web application security, because an application with potential security holes is not going to be perceived as high-quality by users.

No matter how the department gets involved, certain steps will need to be taken to establish the application security testing process. It will need to be determined whether specific, dedicated staff members will perform web application security testing, or whether the task will be dispersed throughout your entire QA group. In addition, the timing of web application security testing during the QA process will need to be managed. Ideally, application security testing will be performed as early as possible, so that developers can fix any security issues in a timely manner without compromising the project’s schedule. Finally, the right software for application security testing will need to be selected and implemented.

The right approach to application security testing

The QA department will need application security testing software that is able to perform three different types of testing to determine the vulnerabilities inherent in each user class: as a non-authenticated user, as an authenticated user, and as an administrative user. Additionally, the web application security tool should be able to perform both automated and manual crawling/spidering of your web application.

Run a free test of your web applications via our free 15-day trial of HP QAInspect® software and get a comprehensive vulnerability report. www.hp.com/go/QAInspectdnld

Special Advertising Section http://www.hp.com/go/QAInspectdnld