A System and Method for Harnessing Manual Web Application Functional Testing Processes (QA) in order to Streamline Application Security Testing
Publication Date: 2012-Sep-23
The IP.com Prior Art Database
Security testing of web applications relies on automated or manual scanning of the application through as many scenarios as possible. This application describes capturing the HTTP traffic generated by the QA team during functional testing and re-using it for security testing, allowing security experts to obtain vulnerability reports based on the QA team's exploration of the system under test.
In recent years, the problem of application security has become critical for many organizations. Vulnerability trend reports, such as the ones published by IBM ISS, show that approximately 50% of the vulnerabilities disclosed each year relate directly to web application vulnerabilities. In addition, laws and regulations such as PCI DSS mandate that organizations test their web applications for web application vulnerabilities. Since security issues are essentially software defects, research papers and surveys show that it is much more cost effective to locate them earlier in the development lifecycle rather than after deployment.
Until now, security testing has been introduced into the development lifecycle in the following ways:
1) Provide developers with static and dynamic testing tools, such as AppScan Source and Standard editions.
2) Provide QA and security testers with dynamic testing tools, such as AppScan Enterprise or Standard editions.
While developers are slowly adopting and getting used to static analysis security testing tools, convincing QA testing teams to perform extra work that is outside their field of expertise, and that requires them to learn a new subject (security testing), has not been widely accepted by many organizations.
The main reasons why QA teams do not seem to adopt existing dynamic analysis testing tools (web application security scanners) are:
a) QA teams are usually overloaded with functional testing work.
b) QA teams are not security experts, and do not understand how to perform security testing or how to configure security testing tools.
c) QA teams don't want to perform redundant work, for example browsing the web application twice: once for functional testing, and a second time for security testing (for the purpose of manually exploring the application).
d) QA teams cannot verify security results, for example distinguishing between a real issue and a false positive.
We hereby present a simple system and method for leveraging and harnessing existing QA testing processes in order to streamline the process of application security testing.
QA teams that perform quality testing of web applications necessarily use a browser to manually verify that the application is working properly; that is, functional testing of the application is done through a browser. The QA tester launches a browser, interacts with the application, clicks on links, fills in forms, and operates the application inside the browser.
Our invention proposes to re-use the web traffic collected during the QA web functional testing process, in order to avoid the need to:
- Configure dynamic analysis testing tools
- Perform a separate manual or automated exploration of the web application
- Wait for the web application scanner to finish the exploration and testing process, which can take many hours
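As an added illustration (not part of the original disclosure), the following Python code shows the core step that makes re-used QA traffic usable as a scanner's exploration data: collapsing the raw recorded requests into unique request templates (method, path, parameter names), keeping only in-scope hosts, so that the scanner tests each input point once instead of once per value the tester happened to type. It assumes the traffic was exported from the tester's browser in HAR format; the capture below is constructed sample data.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed HAR-style capture standing in for traffic recorded from a QA
# tester's browser during functional testing (sample data, not a real app).
QA_CAPTURE = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://shop.example/login?next=%2Fcart",
                 "headers": [{"name": "Cookie", "value": "JSESSIONID=abc"}], "postData": None}},
    {"request": {"method": "POST", "url": "https://shop.example/login",
                 "headers": [{"name": "Content-Type", "value": "application/x-www-form-urlencoded"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "user=qa1&pass=Secret1"}}},
    {"request": {"method": "GET", "url": "https://shop.example/item?id=42", "headers": [], "postData": None}},
    {"request": {"method": "GET", "url": "https://shop.example/item?id=43", "headers": [], "postData": None}},
    {"request": {"method": "GET", "url": "https://cdn.example/app.js", "headers": [], "postData": None}},
]}}

def request_templates(har, in_scope_host):
    """Collapse raw QA requests into unique (method, path, parameter-set) templates.

    GET /item?id=42 and GET /item?id=43 are the same attack surface, so the
    scanner gets one template with a sample value rather than one per value.
    Each template keeps a hit count so the security tester can see how much
    QA coverage each input point received.
    """
    seen = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        if parts.hostname != in_scope_host:
            continue  # third-party hosts (CDNs, analytics) are out of scope
        params = dict(parse_qsl(parts.query))
        post = req.get("postData") or {}
        if "x-www-form-urlencoded" in post.get("mimeType", ""):
            params.update(parse_qsl(post.get("text", "")))
        key = (req["method"], parts.path, tuple(sorted(params)))
        tmpl = seen.setdefault(key, {"method": req["method"], "path": parts.path,
                                     "params": params, "hits": 0})
        tmpl["hits"] += 1
    return list(seen.values())

if __name__ == "__main__":
    print(json.dumps(request_templates(QA_CAPTURE, "shop.example"), indent=2))
```

The resulting template list is what a dynamic scanner's explore phase would otherwise have to produce by crawling or by a second manual walkthrough.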
Re-using the QA web traffic can reduce up to...