An integral part of comprehensive testing is a testing of security of web-applications or site. This test is aimed at the detection of the ways of system hacking, assessing the security of web-applications or site and analysis of the risks, associated with the approach to the protection against crackers and access to confidential data. Based on the principles of confidentiality, accessibility and integrity, the security testing service helps to ensure the preservation of data, accounting records, user’s access and connections.
Assessing the potential vulnerability of system components during the security testing, the QA engineering team checks the actual reaction of the software protection mechanisms and offers the set of measures to increase the level of protection of web-applications against unauthorized actions. All basic requirements for the safety of web-applications must be verified and applied so that the testers can fix the list of observations and defects with the gradation of criticality of vulnerabilities.
Generally, the following characteristics must be checked:
Access control. It identifies the problems related to the unauthorized users’ access to information and functions according to their given role. Testing the configuration of the role model.
Authentication. It allows you to ensure that there is no possibility to circumvent the process of registration and authorization; authentication also helps you to ensure the correctness of users’ data management and exclude the possibility of obtaining information on the registered users and their accounting data.
Validation of input values. It is used for the verification of algorithms of data processing, including the invalid values before the application will refer to them.
Cryptography. It reveals the problems related to the encryption, decryption, signature and verification of authenticity, including the level of network protocols, work with the temporary files and cookies.
Error handling mechanism. It includes checking the system errors of application for the absence of fact of disclosing information on the internal security mechanisms (for example, by demonstrating the exceptions and program code).
Server configuration. It checks the multi-threaded processes for the errors related to the availability of variable values for sharing with the other applications and requests.
Integration with the outside services. It allows you to ensure the impossibility of manipulation of data, transferred between the application and external components (such as the payment systems or social networks).
Verification of Dos/DDos attack resistance. It checks the ability of application to process the unplanned high loads and large volumes of data that can be aimed at destroying the application.