Monday, March 23, 2009

Developing Web-Based Applications: The Importance of Security Testing

by Darrell F

Creating a website is a very common practice nowadays, especially for online marketing purposes. A website greatly helps companies and consumers conduct transactions without physical interaction. Implementing security procedures for these transactions is necessary to ensure that both parties are satisfied.

The same applies to the process of creating a website: it is very important to guarantee that your website is free from vulnerabilities. An improperly secured website has negative effects not only on the consumers viewing it but also on the website creator's integrity. The security features ensure that the information on the website is reliable.

Implementing security testing in the creation process of a website is very significant. Internet security testing - referred to as penetration testing by other web developers - is integrated into the building process of web-based applications. A security test involves active evaluation of the security measures of the website or web application. It is done by actually testing the system to find security flaws and issues that may arise from the implementation process. The resulting data from the security tests are presented in documents which allow the designers and developers to collaborate on the issues detected in the web-based application. A debriefing discussion follows the security testing to generate effective solutions that eliminate flaws and correct the errors found.

The importance of a security test is mainly to ensure that the output has the highest quality in terms of delivering information to its end user. An Internet security test prevents the occurrence of errors upon implementation. It also avoids the possibility of web hacks and external modification of the website's settings. The security tests identify errors immediately prior to the release of the website, thus avoiding major security concerns which may arise if the project is prematurely implemented.

There are several security tests that can be conducted on a system. For Internet security tests, major factors that require attention include tests on servers, routers, firewalls, operating system and maintenance. The first part of the security test covers publicly accessible information. The data involved in this test are commonly the basic information which is accessible to the viewer. Next on the list of security tests is network enumeration. This process relates to the hosts and specific network security features. The remaining tests involve assessment of open ports, services and security vulnerabilities which provide access to the control panel of the website.

Although security tests are essential to develop and ensure security in the output, there are certain risks that may arise from the procedure. Black box security tests are fully automated and thus may be applied to the system without worrying about implementation costs. On the other hand, the white box type of security test involves a higher order of security procedures. This type of security test can cause significant delay in the development process due to the slower response of the network when the network and vulnerability scanners are active. A more serious risk of performing an extensive security test is the occurrence of system damage during the test. This may stop the development and may cause great delay in the creation process. Although the risks may be reduced if the test is conducted by a certified tester, there are some risks which are inevitable.

About the Author

Darrell F writes about security testing and the need to be aware of network vulnerabilities.