Security Testing & Load Testing for Online Document Management system




Abstract

The client is a leading provider of online technical documentation solutions in the UK. They wanted to protect their documents from theft and provide a trusted environment, alongside enhancements that included improvements to existing features as well as the addition of new ones. Their requirements were met with performance testing for 50 concurrent users, security testing for document upload, download and the major functionalities of the application, and effective automation with different test scenarios, which helped them reduce the overall cost of testing.

Client Profile

The client is a leading provider of online technical documentation solutions in the UK for a wide range of building services.

Business Need

The client initially approached the company to take care of their online documentation, protect their documents from theft and provide a trusted environment for conducting secure business through the web. The application has been on the market since 2003 and is continuously enhanced to meet specific client requirements. Enhancements included improvement of existing features as well as the addition of new features. Since the client was a first-time outsourcer, their main concerns were security and quality. The modifications, enhancements and additions required the client to test the application continuously. The client was looking for an offshore test partner who could understand the current application in a limited time period. Further concerns on the client's side were:

- The customer faced difficulty scheduling, assigning and tracking the testing tasks for the technicians.
- Test plans and test reports were lying in network shared folders, and access control was very hard.
- Managing the audits performed every quarter was becoming a nightmare.
- Users and user groups utilise role-based security, with the option to change access on the fly by logging in to the application.

The assignment involved conducting security testing of the application within a short time of 35 to 40 hours. For security testing, the client's main concern was to identify vulnerabilities clearly and accurately, with a minimum of false positives, and to protect their customers' confidential building-document information.

Challenges

The main challenges faced were:

- Finding the key scenarios for the performance testing such that they cover the whole application.
- A change in the proposed testing tools (Open STA/WAPT, Acunetix Vulnerability) because of limitations with the developed application and tool compatibility.
- Finding and proposing a tool that overcomes those limitations.
- Close communication with the client, as the product was being tested rapidly in accordance with the end-user requirements.
- Managing the team effectively so that the client's expectations were met.

To add more value to the findings, a team of experienced project managers went through the report and reviewed it for strategic analysis. The report was then presented according to the specified client template.

For automated testing, the client's main concern was to check that 50 concurrent users logging into the application do not crash it. The scenarios had to be identified such that they covered the whole application. Further areas of concern were robustness, speed, fault tolerance, security, cost criteria and extensibility. The client wanted the following covered during testing:

Security Testing:
- Broken access control
- Mandatory access control
- Unvalidated input
- Broken authentication and session management
- Cross-site scripting (XSS) flaws
- Trusted path
- Buffer overflows
- SQL injection
- Improper error handling
- Insecure storage
- Directory traversal attacks
- File inclusion attacks
- Authentication attacks
- Code execution attacks
- Google Hacking Database

Performance Testing:
- Perform the performance testing with 50 concurrent users so that the application does not crash.
- Identify the key scenarios.
- Create the scripts and run the scripts.
- Analyse the results.

Gateway's Solution and Benefits

Performance testing was done for 50 concurrent users. It was carried out on the application using Open STA. The area of concern was to check that the application does not crash with 50 concurrent users.

Security testing was done for document upload, download and the major functionalities of the application. It was carried out using the Acunetix vulnerability tool. The other concern was to check that documents are not visible to, or downloadable/uploadable by, users other than the privileged users, and that a user without sufficient privileges cannot access certain links in the application.

Effective automation with different test scenarios replaced what would have been time-consuming manual testing. Performance testing and security testing were done using automated testing tools. Different test scenarios were identified which covered all the critical areas in the application. This would have been time consuming had it been done manually.
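The document-visibility requirement (only privileged users may download or upload, and links are hidden from users without rights), together with the broken access control, directory traversal and file inclusion items in the security checklist, as an added Python example. This is not the client application's code (which ran on .NET 2.0); the roles, users, document records and the /srv/docs storage root are constructed for illustration, and the function and class names are this example's own.

```python
"""Added example: server-side authorisation for a document store.

Not the case study's code; the roles, users, documents and the /srv/docs
storage root are constructed sample data.  Every download or upload request
passes three checks: the role permits the action, the user belongs to the
group that owns the document, and the resulting file path stays inside the
group's folder under the document root (which blocks '../' traversal and
absolute paths supplied as file names).
"""
import posixpath
from dataclasses import dataclass

DOC_ROOT = "/srv/docs"  # constructed storage root

# Role -> actions the role may perform.  The same table drives which links the
# UI renders, so hiding a link never substitutes for the server-side check.
ROLE_PERMISSIONS = {
    "viewer": frozenset({"download"}),
    "editor": frozenset({"download", "upload"}),
    "admin": frozenset({"download", "upload", "delete"}),
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    groups: frozenset  # user groups the account belongs to


@dataclass(frozen=True)
class Document:
    doc_id: str
    group: str     # user group that owns the document
    filename: str  # bare file name as stored in the database


class AccessDenied(Exception):
    """Raised for every refused request; a web handler maps it to HTTP 403."""


def safe_path(group: str, filename: str) -> str:
    """Join group folder and file name under DOC_ROOT and refuse anything that
    normalises outside the group's folder: '../../web.config', '/etc/passwd',
    '../beta/x.pdf', '' and '.' are all rejected."""
    group_dir = posixpath.normpath(posixpath.join(DOC_ROOT, group))
    candidate = posixpath.normpath(posixpath.join(group_dir, filename))
    if (not group_dir.startswith(DOC_ROOT + "/")
            or not candidate.startswith(group_dir + "/")):
        raise AccessDenied(f"path escapes document root: {filename!r}")
    return candidate


def _require_action(user: User, action: str) -> None:
    if action not in ROLE_PERMISSIONS.get(user.role, frozenset()):
        raise AccessDenied(f"role {user.role!r} may not {action}")


def authorize_download(user: User, doc_id: str, documents: dict) -> str:
    """Return the file path to serve, or raise AccessDenied."""
    _require_action(user, "download")
    doc = documents.get(doc_id)
    # An unknown id and someone else's id get the same answer, so the
    # response does not confirm which ids exist.
    if doc is None or doc.group not in user.groups:
        raise AccessDenied(f"{user.name} may not download {doc_id!r}")
    return safe_path(doc.group, doc.filename)


def authorize_upload(user: User, group: str, filename: str) -> str:
    """Return the path an uploaded file may be written to, or raise."""
    _require_action(user, "upload")
    if group not in user.groups:
        raise AccessDenied(f"{user.name} is not a member of {group!r}")
    return safe_path(group, filename)


def visible_actions(user: User) -> frozenset:
    """Links to render for this user, taken from the table that is enforced."""
    return ROLE_PERMISSIONS.get(user.role, frozenset())


def is_denied(fn, *args) -> bool:
    """True when the call raises AccessDenied (used by the demo and tests)."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


# Constructed sample data
ALICE = User("alice", "viewer", frozenset({"acme"}))
BOB = User("bob", "editor", frozenset({"beta"}))
SAMPLE_DOCUMENTS = {
    "d1": Document("d1", "acme", "boiler-manual.pdf"),
    "d2": Document("d2", "beta", "wiring-schedule.pdf"),
}

if __name__ == "__main__":
    print(authorize_download(ALICE, "d1", SAMPLE_DOCUMENTS))            # served
    print(is_denied(authorize_download, BOB, "d1", SAMPLE_DOCUMENTS))   # True: wrong group
    print(is_denied(authorize_upload, ALICE, "acme", "new.pdf"))        # True: viewer role
    print(is_denied(authorize_upload, BOB, "beta", "../acme/x.pdf"))    # True: traversal
    print(sorted(visible_actions(BOB)))                                 # ['download', 'upload']
```

The path check runs on the stored group and file name rather than on a path the browser sends, and the object-level group check sits next to the role check; a scanner reporting "broken access control" on a download link usually means one of those two checks is missing.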

Software applications are the backbone of business, hence quality becomes one of the key differentiators in the success or failure of the software. Gateway's independent software testing services ensure faster delivery of quality software, with less risk, at lower cost. Gateway was chosen as an ideal partner to implement effective offshore quality assurance for the product and carry out the complete performance and security testing of the application through manual research and automation testing. The Gateway team had to ensure that the overall quality of deliverables was achieved within the agreed timeline. Gateway set up a 3-member team comprising 1 project manager and 2 automation test engineers.

Security Testing

Security testing attempts to verify that the protection mechanisms built into a system will, in fact, protect it from improper penetration. During security testing, password cracking, unauthorised entry into the software and network security are all taken into consideration.

Security Testing Approach:
- Identifies the resources needed to conduct the security test
- Explains the security test execution process
- Presents the security test schedule

The Gateway QA team had to guarantee the product quality at each release with regression testing, unit testing and code review of existing and new functionalities. After completion of the functionality testing, at the last leg of system testing, security testing was done. First the application was checked with the Acunetix vulnerability testing tool. Then the application was subjected to different penetration testing methodologies.

Overall reduction in cost of testing: regression testing was carried out using the old test cases. Other than the implementation on a new platform, which involved setting up the required hardware infrastructure, the team did not foresee any major costs to the current project.

Technology

Client Software:
- Platform: Windows XP/2003/2000
- Browser Versions: IE 06
- Report Printer: ActiveX Control

Server Software:
- Operating System: Windows Server 2003 R2
- Framework: Dot Net 2.0
- Report: Crystal Report
- Indexing System: MS indexing service
- Database: MS SQL 2005

A proper communication channel was established between the client and its development team to ensure that no gaps were left during the final testing. Weekly summary calls were made to ensure that the Gateway team was in line with the development team and the client's expectations. Test automation for security testing was achieved using the Acunetix vulnerability tool and respective technology add-ins. Application access was given by the client on Gateway's local test environment.

Performance Testing

Performance testing of a web site is basically the process of understanding how the web application and its operating environment respond at various user load levels. In general, we want to measure the response time, throughput and utilisation of the web site while simulating attempts by virtual users to access the site simultaneously. One of the main objectives of performance testing is to maintain a web site with low response time, high throughput and low utilisation. Test automation for performance testing was achieved using Open STA (Open System Testing Architecture) and respective technology add-ins. This open-source tool was downloaded from the internet and installed in Gateway's local test environment.

Major Challenges in the Execution:
- The team was responsible for performance testing, security testing and final approval by the client.
- Knowledge transfer of the application, as concrete requirement documents were not available.
- Communication and close tracking of all communication between the client and their development team regarding change requests and schedule changes.
- Selection of the module(s) and scenarios to be included for automation testing.

Gateway TestLabs defines test designs and delivers business-enabled testing solutions that help Global 2000 companies win in a flat world. These solutions focus on providing strategic differentiation and operational superiority to clients. Gateway creates these solutions for its clients by leveraging its domain and business expertise along with a complete range of testing services. With Gateway, clients are assured of a transparent business partner, world-class processes, speed of execution and the power to stretch their IT budget by leveraging the Global Delivery Model.

Gateway TechnoLabs Pvt. Ltd.
Head Office: B/81, Corporate House, Judges Bunglow Road, Bodakdev, Ahmedabad - 380 054 INDIA.
Tel: +91 (79) 2685 2554 / 55 / 56
Fax: +91 (79) 2685 85910020
Web: www.gatewaytechnolabs.com, www.offshore testingservices.com
E-mail: qa@gatewaytechnolabs.com
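The three quantities named in the performance testing section, response time, throughput and utilisation, measured for a run of concurrent virtual users, as an added Python example. It is not the case study's or Open STA's code: the virtual users run in threads against a constructed in-process stand-in for the application (a fixed number of service slots plus a connection limit, both assumptions chosen so the run finishes quickly), and utilisation is modelled as occupied slot time over slot capacity, whereas a real run would read the server's CPU and memory counters. All class and function names are this example's own.

```python
"""Added example: a small in-process load test reporting response time,
throughput and utilisation for N concurrent virtual users.

Not the case study's or Open STA's code.  StandInServer is a constructed
stand-in for the application under test; the slot count, connection limit and
service time are assumptions chosen so the run finishes in well under a second.
"""
import math
import statistics
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class StandInServer:
    """Services `slots` requests at once and queues the rest; refuses requests
    when more than `max_connections` are in flight, which is the kind of
    failure a 50-user run is meant to surface."""

    def __init__(self, slots=4, max_connections=64, service_time=0.002):
        self._gate = threading.Semaphore(slots)
        self._lock = threading.Lock()
        self.max_connections = max_connections
        self.service_time = service_time
        self.in_flight = 0
        self.busy_seconds = 0.0  # total time slots were occupied

    def handle(self) -> bool:
        with self._lock:
            if self.in_flight >= self.max_connections:
                return False  # refused: counted as an error by the caller
            self.in_flight += 1
        try:
            with self._gate:  # queueing delay shows up in response time
                time.sleep(self.service_time)
                with self._lock:
                    self.busy_seconds += self.service_time
            return True
        finally:
            with self._lock:
                self.in_flight -= 1


def percentile(sorted_values, pct):
    """Nearest-rank percentile of an ascending list."""
    rank = max(1, math.ceil(pct * len(sorted_values) / 100))
    return sorted_values[rank - 1]


def compute_metrics(response_times, errors, wall_seconds, busy_seconds, slots):
    """Summarise one run.  Utilisation is occupied slot time over the slot
    capacity available during the run (an assumption of this example)."""
    ordered = sorted(response_times)
    return {
        "requests": len(ordered) + errors,
        "errors": errors,
        "avg_response_s": statistics.fmean(ordered),
        "p95_response_s": percentile(ordered, 95),
        "max_response_s": ordered[-1],
        "throughput_rps": len(ordered) / wall_seconds,
        "utilisation": busy_seconds / (wall_seconds * slots),
    }


def run_load_test(users=50, requests_per_user=5, slots=4):
    """Run `users` virtual users concurrently, each sending requests back to
    back, and return the metrics for the whole run."""
    server = StandInServer(slots=slots)
    response_times, errors, lock = [], [0], threading.Lock()

    def virtual_user():
        for _ in range(requests_per_user):
            started = time.perf_counter()
            ok = server.handle()
            elapsed = time.perf_counter() - started
            with lock:
                if ok:
                    response_times.append(elapsed)
                else:
                    errors[0] += 1

    run_start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=users) as pool:
        for _ in range(users):
            pool.submit(virtual_user)
    wall = time.perf_counter() - run_start
    return compute_metrics(response_times, errors[0], wall,
                           server.busy_seconds, slots)


if __name__ == "__main__":
    for key, value in run_load_test().items():
        shown = f"{value:.4f}" if isinstance(value, float) else str(value)
        print(f"{key:>16}: {shown}")
```

With 50 users and only 4 slots the p95 response time is many times the 2 ms service time even though nothing fails, which is why a "does it crash at 50 users" check should be read together with the response-time distribution rather than the error count alone.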