Incorporating Web Application Security Testing Into Your Quality Assurance Process

Many companies are under the impression that testing for Web application security simply involves a cursory check for easy-to-guess usernames and passwords. Yet application security testing can and should involve more complex checks, such as testing for SQL injection and Cross-Site Scripting. Often this sort of review does not happen until the Web application is in production, when it is too late to stop a hacker or a malicious program from attacking and much more expensive to remediate the vulnerability.

Quality assurance departments have traditionally focused on functional testing - making sure that an application works properly and performs all of its necessary tasks seamlessly. However, as Web application security becomes more important, your QA department is more likely to be a critical participant in application security testing.

Getting Your QA Department Involved

There are three ways that your Quality Assurance department may become involved with Web application security testing:

No matter how the department gets involved, certain steps will need to be taken to establish the application security testing process. It will need to be determined whether there will be specific, dedicated staff members who will be performing Web application security testing, or whether the task will be dispersed throughout your entire QA group. In addition, the timing of Web application security testing during the Quality Assurance process will need to be managed. Ideally, application security testing will be performed as early as possible, so that developers can fix any security issues in a timely manner, without compromising the projectís schedule. Finally, the right software for application security testing will need to be selected and implemented.

Choosing the Right Tool for Web Application Security Testing

The QA department will need application security testing software that is able to perform three different types of testing: as a non-authenticated user, an authenticated user, and an administrative user, to determine the vulnerabilities inherent in each user class. Additionally, the Web application security tool should be able to perform both automated and manual crawling/spidering of your Web application.

Automated application security testing software will spider the entire application by clicking every button and link, filling out data fields to identify the structure of the program, and then audit each page for vulnerabilities. It should do this from the outside in, reviewing each portion of the site the way an external hacker might, ideally from behind the scenes. This comprehensive approach is valuable to ensure that all security holes have been identified and can be fixed. On the down side, it can also produce false positives, and it may not be able to access all of your Web pages due to the way that certain pages are coded.

Manual testing allows a user to focus on specific pathways or tasks on a Web site while the software follows silently behind, tracking the process. The program can then audit the particular path that the user has taken for security vulnerabilities and provide a report. Manually crawling an application can be time consuming, but it also ensures that specific pages are tracked and analyzed.

Basic Guidelines for Choosing an Application Security Testing Product

The following basic questions should be addressed when you are looking for a Web application security testing product:


Web application security is of major importance, and your Quality Assurance department needs to be involved in order to ensure that your final product is free of security defects. By implementing the proper tools and establishing application security testing early in the Quality Assurance process, many last-minute security problems will be avoided and you can be confident that you are releasing secure, robust applications.

About the Author

Ryan English is the group product manager for SPI Dynamics, where he oversees product strategy and direction for the companyís QAInspect Quality Assurance Security testing product line. Ryan is a seasoned speaker on the topic of Web application security testing and has spoken at several Quality Assurance industry events, including Mercury World 2005, STAREAST 2006, and the 2006 IBM Rational Conference.