Black Box & Functional Security Testing of Web Applications

Web application security tests provide a way to validate the security of an application before it is deployed. Black box and functional security testing is generally conducted when the testers have limited knowledge of the system under test or when the source code is not available. This testing methodology is particularly effective when used to:

• Complement white-box testing activities
• Verify that system security components are operating properly
• Identify potential vulnerabilities resulting from implementation errors
• Test third-party components that may be considered for integration into the overall system and for which source code is not available
• Test security-specific subsystems
• Provide development staff with significant insight into the system's security design and implementation

XBOSoft Functional Security Testing

Black box test activities almost universally involve the use of tools to help testers identify potential security vulnerabilities in a system. Unlike network security tools, application security tools generally focus on identifying vulnerabilities and abnormal behavior in applications exposed over ports 80 (HTTP) and 443 (HTTPS), the ports traditionally allowed through a firewall to reach web servers.

Black box testing tools provide various levels of automated support for the XBO Testing Team. They help testers work more efficiently by automating whatever tasks can be automated, and they help testers avoid mistakes in tasks where careful bookkeeping is needed. They are used to verify that:

• Access control features work as designed
• Authentication measures establish the validity of the transmission, message, or originator
• Authorization processes determine whether a requester is allowed to receive a service or perform an operation
• Confidentiality controls protect against the disclosure of information to parties other than the intended recipient
• Non-repudiation measures prevent the later denial that an action happened or that a communication took place

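As an added illustration (not part of the XBOSoft page or its tooling), the following Python script shows the kind of authentication and authorization check such a tool automates: it drives a web application purely through HTTP requests and responses, never looking at its code, and reports any resource that is served without a session or that one user's session can read although it belongs to another. The target is a constructed WSGI application with a deliberately weak variant (no ownership check) and a corrected one; the account names, session tokens, paths and invoice records are invented for the demo.

```python
"""Black-box authentication and authorization checks over a WSGI target.

Added example, not XBOSoft code. The target below is constructed for the
demo: one variant omits the ownership check (an IDOR-style flaw), the other
enforces it. The tester only sends requests and reads status codes back.
"""
import io

# --- constructed target ----------------------------------------------------
# Session tokens issued to two test accounts, and the records each owns.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
INVOICES = {"1001": ("alice", b"Invoice 1001: 120.00 USD"),
            "2002": ("bob", b"Invoice 2002: 75.50 USD")}


def make_app(enforce_owner):
    """Return a WSGI app; enforce_owner=False reproduces the authorization flaw."""
    def app(environ, start_response):
        headers = [("Content-Type", "text/plain")]
        user = None
        for part in environ.get("HTTP_COOKIE", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "session":
                user = SESSIONS.get(value)
        if user is None:  # authentication: no valid session cookie
            start_response("401 Unauthorized", headers)
            return [b"login required"]
        path = environ.get("PATH_INFO", "")
        if path.startswith("/invoice/"):
            record = INVOICES.get(path[len("/invoice/"):])
            if record is None:
                start_response("404 Not Found", headers)
                return [b"no such invoice"]
            owner, body = record
            if enforce_owner and owner != user:  # authorization: ownership
                start_response("403 Forbidden", headers)
                return [b"forbidden"]
            start_response("200 OK", headers)
            return [body]
        start_response("404 Not Found", headers)
        return [b"not found"]
    return app


# --- black-box tester --------------------------------------------------------
def request(app, method, path, cookie=None):
    """Issue one request the way an HTTP client would; returns (status, body)."""
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path,
        "SERVER_NAME": "target.example", "SERVER_PORT": "443",
        "SERVER_PROTOCOL": "HTTP/1.1", "wsgi.url_scheme": "https",
        "wsgi.input": io.BytesIO(b""),
    }
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return int(captured["status"].split()[0]), body


def check_unauthenticated(app, resources):
    """Authentication check: protected paths served with no session at all."""
    return [path for _, path in resources if request(app, "GET", path)[0] == 200]


def check_owner_access(app, sessions, resources):
    """Sanity check: paths an owner cannot read (a clean result must not be vacuous)."""
    return [path for owner, path in resources
            if request(app, "GET", path, cookie=f"session={sessions[owner]}")[0] != 200]


def check_horizontal_authz(app, sessions, resources):
    """Authorization check: replay each owner's URL with every other user's session.

    sessions maps username -> token; resources lists (owner, path) pairs noted
    while browsing as each account. Returns (attacker, path) for every
    cross-account read that succeeded.
    """
    findings = []
    for owner, path in resources:
        for user, token in sessions.items():
            if user == owner:
                continue
            if request(app, "GET", path, cookie=f"session={token}")[0] == 200:
                findings.append((user, path))
    return findings


# What the tester knows: its own two accounts and the URLs seen while logged in.
TESTER_SESSIONS = {"alice": "tok-alice", "bob": "tok-bob"}
TESTER_RESOURCES = [("alice", "/invoice/1001"), ("bob", "/invoice/2002")]

if __name__ == "__main__":
    for label, app in (("weak", make_app(False)), ("fixed", make_app(True))):
        print(label, "unauthenticated:", check_unauthenticated(app, TESTER_RESOURCES))
        print(label, "owner denied:", check_owner_access(app, TESTER_SESSIONS, TESTER_RESOURCES))
        print(label, "cross-account:", check_horizontal_authz(app, TESTER_SESSIONS, TESTER_RESOURCES))
```

The owner-access check is the part most often skipped in practice: if the endpoint is simply broken, the cross-account check also reports nothing, so a tool should confirm legitimate access succeeds before treating an empty finding list as a pass.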
XBO Black Box Security Testing

Beyond these checks, the tools' main roles in the test process include:

• Test automation: automated support for the actual process of executing tests, especially tests that have been run in the past and are being repeated
• Test scaffolding: the infrastructure needed in order to test efficiently
• Test management: the measurement, scheduling, and tracking activities needed for efficient testing even though they are not directly involved in executing test cases