[WEB SECURITY] Experience with using HTTP proxy tools for QA testers

Rohit Sethi rklists at gmail.com
Mon Feb 28 16:00:21 EST 2011


I think relying solely on QA for security testing is a slippery slope. We've
heard interest from our clients about reducing the number of vulnerabilities
that get caught in pen testing, rather than using pen testing as the only
testing method. Rather than making QA comprehensive, we're trying to see
which low-hanging fruit can be caught with minimal effort - both by those
who use automated run-time assessment scanners and those who do not.

Interestingly, we're not seeing many of our clients make use of QA
automation tools. While developers may make extensive integration testing
suites in JUnit/NUnit we've found less evidence of QTP / Selenium being used
in enterprise QA. What have your experiences been? Clearly automation is
important but if it requires training in a new tool then it's less likely to
be adopted.



On Mon, Feb 28, 2011 at 12:02 AM, Andre Gironda <andreg at gmail.com> wrote:

> On Sat, Feb 26, 2011 at 9:06 AM, Rohit Sethi <rklists at gmail.com> wrote:
> > Thanks Andre and Psiinon. I hadn't actually looked at Zed before, I'll
> > test it out with some QAs and see how it goes
>
> As you can see from --
>
> http://www.gartner.com/technology/media-products/reprints/microfocus/vol4/article1/article1.html
>
> The top QA or "dev-test" tools are:
> 1) HP QTP
> 2) IBM Rational Functional Tester
> 3) SmarteSoft (looks strong in the energy and healthcare verticals)
> 4) SmartBear Software TestComplete
> 5) Micro Focus SilkTest
> 6) Microsoft Coded UI Builder in Visual Studio 2010 Ultimate
>
> I was actually surprised to see SmarteSoft and TMap on that list. In
> my view of the world, Atlassian is pretty strong in building a
> Selenium integrated ALM. I am also familiar with Parasoft and
> Crosscheck Networks, but they are niche to WS and SOA testing
> (Parasoft is also stronger overseas, such as in the UK).
>
> Only HP and IBM integrate QAInspect and AppScan through HP Software QC
> and IBM Rational QM, but these are extremely low-quality tools for
> application assessments. It would be better to integrate Burp Pro,
> Fiddler, or perhaps customize existing tools, especially
> JUnit+JUnitTester+Selenium+HTMLUnit+Cactus or perhaps TestComplete or
> the VS Coded UI Builder. You would certainly want to do table-driven
> or data-driven development of test cases, which would require light
> XML development knowledge e.g. familiarity with xmllint or xmlstarlet
> (there are many books e.g. on programming REST that include deep
> information on modern XML libraries and tools).
>
> QA integration of security testing needs careful planning. I would
> suggest that heavy QC or QM environments combine security testing into
> exploratory testing programs and processes before they add tool
> integration points (e.g. QAInspect/AppScan/Fortify SCA) or security
> gates. I believe it is best to avoid QA except when to rely on their
> existing tools -- i.e. put QTP or JUnit through Burp Pro or Fiddler.
> Then, modify requests and replay them as a penetration-tester would,
> and go as far down the rabbit hole as you can go -- exploit XSS and
> SQLi for sure (and perform attacks on authn/authz). An overall appsec
> risk management program should really be primarily managed through
> systems like Cigital ESP -- http://www.cigital.com/solutions/esp --
> and HoneyApps Conduit -- http://www.honeyapps.com -- (or Veracode
> Analytics if you want both static and runtime).
>
> Cheers,
> Andre
>



-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com
twitter: rksethi
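The workflow Andre describes above (run the existing QTP/JUnit/Selenium suite through Burp Pro or Fiddler, then modify the recorded requests and replay them as a pentester would) can be scripted once the proxy has exported the traffic. The following is an added example, not code from the thread or from any of the tools named in it: it parses one raw HTTP request in the form a proxy exports, produces one tampered copy per parameter and probe payload, and classifies the replayed responses. The captured request, the probe payloads, the SQL error signatures and the sample responses are all constructed for illustration; the script does not talk to Burp or Fiddler, and the stub target names are hypothetical.

```python
"""Replay proxy-captured QA traffic with tampered parameters.

Added example, not part of the original thread. Input is a raw HTTP/1.1
request as an intercepting proxy (Burp, Fiddler, ZAP) records it while a
functional test suite runs. Output is one tampered request per
parameter and probe, plus a simple oracle for the replayed responses.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed probe payloads; the literal strings double as reflection markers.
PROBES = {
    "xss": '"><svg onload=alert(1)>',
    "sqli": "' OR '1'='1",
}

# Constructed, illustrative error signatures of common database engines.
SQL_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"unclosed quotation mark", re.I),
    re.compile(r"ORA-\d{5}"),
    re.compile(r"pg_query\(\)|PG::SyntaxError"),
]

# Constructed capture: a form POST with a query-string id, as a proxy would log it.
CAPTURED = (
    "POST /account/update?id=42 HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: JSESSIONID=constructed\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "name=alice&city=Toronto&q=x"
)


def parse_raw_request(raw):
    """Split a raw HTTP request into method, target, version, headers, body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def build_raw_request(req):
    """Serialize the parsed request back to raw HTTP text for replay."""
    lines = ["%s %s %s" % (req["method"], req["target"], req["version"])]
    lines += ["%s: %s" % item for item in req["headers"].items()]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


def tampered_variants(req):
    """Yield (param_name, probe_name, raw_request) for each parameter and probe.

    Query-string and form-body parameters are both covered; Content-Length
    is recomputed when the body changes, since a stale value breaks replay.
    """
    parts = urlsplit(req["target"])
    query = parse_qsl(parts.query, keep_blank_values=True)
    is_form = req["headers"].get("Content-Type", "").startswith(
        "application/x-www-form-urlencoded")
    body = parse_qsl(req["body"], keep_blank_values=True) if is_form else []
    for location, params in (("query", query), ("body", body)):
        for i, (name, _) in enumerate(params):
            for probe_name, payload in PROBES.items():
                mutated = list(params)
                mutated[i] = (name, payload)
                new = dict(req, headers=dict(req["headers"]))
                if location == "query":
                    new["target"] = urlunsplit(parts._replace(query=urlencode(mutated)))
                else:
                    new["body"] = urlencode(mutated)
                    new["headers"]["Content-Length"] = str(len(new["body"]))
                yield name, probe_name, build_raw_request(new)


def classify_response(probe_name, body):
    """Return a finding label for one replayed response body, or None.

    An XSS probe that comes back byte-for-byte (not HTML-escaped) is a
    reflection worth a manual look; a SQLi probe that triggers a database
    error string is a likely injection point.
    """
    if probe_name == "xss" and PROBES["xss"] in body:
        return "reflected-unescaped"
    if probe_name == "sqli" and any(p.search(body) for p in SQL_ERROR_PATTERNS):
        return "sql-error-leak"
    return None


if __name__ == "__main__":
    for param, probe, raw in tampered_variants(parse_raw_request(CAPTURED)):
        print("=== %s / %s ===" % (param, probe))
        print(raw)
```

In practice the replayed requests would be sent to the application under test (or fed back into Burp Repeater / Fiddler Composer) and each response passed to classify_response; a positive hit is a lead for a tester to follow down the rabbit hole, not a confirmed finding, since reflection inside a script block or an attribute needs a human to judge exploitability.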