Note: This is copied from my March 30th blog post at http://blogs.catapultsystems.com/BA. My posts are generally about Quality Assurance related issues.
Testing Web Application Security
Over the weekend, hackers got into Oracle's MySQL.com using SQL injection. I was surprised that a big technology company like Oracle would be vulnerable to a SQL injection attack, especially because they are a database company and SQL injection is a well-known attack.
The quote in the article that really caught my attention was, "'It does not appear to be a vulnerability in the MySQL software, but rather flaws in the implementation of their websites,' Chester Wisniewski, senior security adviser at anti-virus firm Sophos, wrote in a blog post Monday. 'Auditing your websites for SQL injection is an essential practice, as well as using secure passwords.'"
Software Testers' Role in Web Application Security
In my experience, most software testers focus on testing the functionality of an application and do not focus on security. The websites that I've worked on that are especially sensitive to security breaches, like financial websites, have generally brought in a separate security expert to review the site.
I think that bringing in an expert is important for highly sensitive sites; however, in many cases, this extra resource is not available. As I've read about more breaches of security, I've come to realize that it would be good for software testers to, at a minimum, test their websites for the most common security vulnerabilities.
Unfortunately, learning the details of even the most common hacker attacks via the Internet can be a shady and sometimes virus-prone pursuit. After talking to a Web Application Security expert, I found a good starting point for learning about Web Application Security testing online.
The Open Web Application Security Project (OWASP)
The Web Application Security expert whom I spoke with recommended looking into OWASP. I spoke with a couple of other experts, and they all endorsed OWASP as a great place to safely and legally learn about Web Application Security.
There is a lot of great information on the site, including an OWASP Testing Guide. However, the area that looks like it would be the most fun to start with is the OWASP WebGoat Project. OWASP describes this as "a deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons."
I've just started setting up WebGoat and attending meetings at my local OWASP chapter. I plan to write about some of my experiences as I gain new skills related to Web Application Security.
- Secure Password Policies - Protecting Yourself and Your Company
- Testing Web Application Security - Role-Based Security Vulnerabilities
I'd like to hear about your experiences with Web Application Security testing. Is it something that you currently have your test team focus on? Have you had any problems due to lack of or despite practicing Web Application Security testing?