A typical software and web application development company has a testing department, or a QA (quality assurance) team that constantly tests the software and web applications developed by the company to ensure that the products work as advertised and have no bugs. Larger software companies also invest hundreds of thousands, if not millions of dollars on software to automate some of the testing procedures and ensure that the product is of a high end quality.
So how come websites and web applications are still getting hacked every day? For example just a couple of days ago the Istanbul Administration site was breached by a hacker group called RedHack via an SQL injection (more info). In March 2013, Ben Williams released a white paper called “Hacking Appliances: Ironic exploits in security products”. The whitepaper includes details about web application vulnerabilities found in the administrator web interface of several security gateway devices that could be used to bypass the security device and gain administrative access. The whitepaper can be downloaded from here (pdf). In April 2013 a remote code execution vulnerability that allows a malicious hacker to execute code on the victim’s web server was identified in two of the most popular caching WordPress plugins (more info). And the list goes on an on.
How come these type of bugs (aka as development mistakes) that when exploited could put the customers’ data and business at risk are not identified by the testing department or QA team?
While software companies have departments dedicated to identify functionality bugs, most of them do not have any sort of security testing procedure in place. In fact when a developer adds a new button in a web interface, typically there are documented procedures that are followed by the testing department to test the functionality of the button, but there are no procedures to test the functionality underneath the button and to check if it can be tampered with or exploited.
This mostly happens because many companies still differentiate functionality (QA) and security testing, or the management is unaware of the implications an exploited security issue might have on the customers’ business.
Security testing of web applications and any other sort of software should be included in the software development life-cycle (SDLC) with the normal QA testing. If a security vulnerability is found at a later stage, or by a customer it is of an embarrassment for the business and it will also cost the business much more fo fix the vulnerability. So as much as developers are expected to do unit testing when they write new code for a new function, the testing department should be expected to also test and confirm that the new function is secure and cannot be exploited.
Even if the developers follow good security coding practise, or say that they do not need a specific tool to do security testing, rigorous web application security testing should be performed by the testing department to ensure there are no web application vulnerabilities.
Typically developers also say that they follow good coding practises but when they finish they also check their own code several times and the company still invests money and build departments to test their code, so why not check their code for web application vulnerabilities as well? Unless the developers are seasoned hackers, their code should never be released to the public unless it has been through a proper security audit.
After all a security vulnerability is like a normal software bug. For example if an input field in a web application allows the user to enter his name, the developer restricts the input of such field to letters only. The testing department will also check that only letters are allowed as input and that the input is stored in the right place. So once at it might as well check if special characters are allowed, or if encoded input is executed by the web application. If it is, then it is a bug that falls under the security category.
If the developers and testers are not into web application security, don’t fret. QA team members can use an automated web application security scanner to detect vulnerabilities in the code. Automated web application security scanners allow users to detect vulnerabilities in web applications even if they are not security experts. Such software helps the team in understanding the vulnerabilities and train developers to write more secure code in the future. By automating the web application security testing you are also saving money, time and ensuring that no vulnerability as can be seen from the article Why Web Vulnerability Testing Needs to be Automated.
As we have seen there are enough reasons and several advantages to including security testing of web applications with the functionality testing. You can never assume that a web application is secure, in the same way that you can never assume that it functions properly, which is why companies invest in testing and QA teams. After all, web application vulnerabilities are normal software functionality bugs!