Web security check

When working with a mature Web application framework, developers often settle into an endless change => test => edit => test loop. Most of that attention goes to changes in functionality and visual output, and far less time is spent on security. Even when security does get attention, it is usually the typical items, such as access control or preventing SQL injection, but the security concerns should go well beyond those.

This article lists several common causes of security vulnerabilities found when testing Web applications, together with ways to prevent them. The list is far from complete, but it can serve as a reference during testing.

Unit testing

We mentioned the change => test => edit => test loop above. One problem with it is that a change can affect functions other than the one being tested, for example when the same function is reused by several modules. A testing framework lets you confirm that a function behaves as expected by calling it with specific parameters and asserting on the result, which guards against security regressions (for example, an isAdmin() function that mistakenly grants administrator privileges).

Access control

We also mentioned that access control mistakes are a critical issue in custom application development. They let users escalate their privileges or reach content they are not authorized to access. Strict access control should be enforced, verifying that the caller actually holds the required privilege before performing a restricted operation or returning restricted content.
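An added example (not from the original post) of the kind of unit test the two sections above describe: a hypothetical is_admin() role check, with a deliberately sloppy variant beside the strict one, and a restricted operation that enforces it. The User model, the role names and delete_account() are all assumed for the illustration.

```python
import unittest
from dataclasses import dataclass, field


# Hypothetical user model, constructed for this example.
@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)


def is_admin_naive(user: User) -> bool:
    # Common mistake: substring match on the joined role list, so a role such
    # as "admin_reports" is accepted as if it were "admin".
    return "admin" in ",".join(user.roles)


def is_admin(user: User) -> bool:
    # Correct check: exact match against the whole role name.
    return any(role == "admin" for role in user.roles)


def delete_account(actor: User, target: User) -> str:
    # Restricted operation: only an admin may delete another user's account.
    if not is_admin(actor):
        raise PermissionError(f"{actor.name} may not delete {target.name}")
    return f"deleted {target.name}"


class IsAdminTests(unittest.TestCase):
    def test_admin_role_grants(self):
        self.assertTrue(is_admin(User("root", ["admin"])))

    def test_no_roles_denied(self):
        self.assertFalse(is_admin(User("guest", [])))

    def test_lookalike_role_denied(self):
        # The naive version wrongly passes this case; the strict one rejects it.
        user = User("bob", ["admin_reports"])
        self.assertTrue(is_admin_naive(user))
        self.assertFalse(is_admin(user))

    def test_restricted_operation_enforced(self):
        with self.assertRaises(PermissionError):
            delete_account(User("bob", ["user"]), User("alice"))


if __name__ == "__main__":
    unittest.main()
```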

Change tracking / version control

Tracking changes to code and configuration files matters for many security problems: it supports reliable functionality and gives a modification record that lets you verify that an attacker has not tampered with anything. Keeping configuration files and source code under version control (Git, SVN) records what changed, when, and where.

Administrative privileges

When working in larger teams, the number of people with administrator-level privileges tends to grow. This is not only root access on servers; it also includes, for example, write access to Git repositories or access to cloud provider accounts. Audit logs help track who did what, but it is more important to ensure that only the right people have the access they need.

Least privilege

Following on from the point about privileges above, always keep a clear idea of the minimum privileges each person needs. When granting access, the important question is: what is the least privilege required? A Web application does not need access to the entire file system, does not need unrestricted access to the database, and so on.

Off-site redundancy

Most of the points above depend on some level of logging to be fully effective. Logs kept only in local rather than remote storage can be tampered with, which destroys the record. Beyond that, off-site backup and redundancy give much better stability, uptime and disaster recovery.

Monitoring

Redundancy helps recovery, but monitoring can also be used to improve security. Continuous monitoring detects problems as they happen rather than after the fact, so preventive measures can be taken before a major failure occurs. Good monitoring also looks for possible cascading effects, for example an interruption in one service paralyzing the other services that depend on it and bringing down the whole cluster.

Encryption

Too many Web applications still allow plaintext authentication over non-SSL connections and various other unencrypted traffic. Stored data is not always safe either: passwords stored as MD5 or SHA1 hashes are easy to crack. Using encryption, TLS certificates and a safe hashing algorithm (salted SHA512 is recommended here) greatly reduces exposure to unauthorized data access.

Web security scanner

Every combination of functions and user actions multiplies the possible security risks, so even a security team cannot manually verify and test everything. A good automated Web vulnerability scanner not only performs that testing but also finds problems developers may never have considered.

SQL injection

SQL injection is of course the most common security issue; in recent years it has still held first place in the OWASP Top 10. Prepared SQL statements and sanitizing user input are the two main ways to prevent it.
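An added example, not from the original post, contrasting a string-concatenated query with the prepared statement the text recommends, run against a constructed in-memory SQLite table. The table, its users and the login functions are all hypothetical.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the example: three users in an in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "secret1"), ("bob", "secret2"), ("o'brien", "secret3")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    # String concatenation: whatever the user types becomes part of the SQL text,
    # so a quote in the input changes the structure of the statement itself.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Prepared statement: the SQL is fixed and the values are bound separately,
    # so the input is only ever treated as data, quotes included.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def query_breaks(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Quick check for the concatenated version: a parse error on an input that
    # contains a quote means the input reached the SQL parser as syntax.
    try:
        login_vulnerable(conn, name, password)
        return False
    except sqlite3.OperationalError:
        return True
```

A legitimate user named o'brien already breaks the concatenated query, while the prepared statement handles the same name correctly.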

Summary

As said at the start, this list is not comprehensive. A truly comprehensive list would run to thousands of items, and there are many books devoted to the subject. Security means understanding every potential edge case and thinking beyond the conventional.


  • Declaration: this article first appeared on the WeChat public account "FunTester"; third parties (except Tencent Cloud) may not reproduce or publish it.

Origin www.cnblogs.com/FunTester/p/12174592.html