Web Security Testing
by samtheadmin on 14/06/09 at 5:21 pm
API Penetration Testing
QA Consultants Web Solution automatically generates tests that perform security penetration testing at the message layer. By sending attack messages to the SOA endpoints and analyzing the responses, security vulnerabilities can be discovered and fixed earlier in the software development cycle. The following penetration tests are currently supported: parameter fuzzing, SQL injection, XPath injection, XML bombs (recursive entity expansion), XML external entities (XXE), malformed XML, invalid XML, username harvesting, and oversized XML messages.
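As an added illustration of two of the message-layer tests named above (XML bombs and external entities), here is a small Python pre-parse checker of the kind a test harness or gateway can run on a SOAP message before it reaches the XML parser. It is example code written for this page, not part of the QA Consultants product; the SOAP messages, the entity names and the size thresholds are constructed for the demonstration.

```python
import re

# Constructed sample SOAP framing (not captured from any real service).
SOAP_OPEN = '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
SOAP_CLOSE = "</soap:Body></soap:Envelope>"

BENIGN = f'<?xml version="1.0"?>{SOAP_OPEN}<getUser><name>alice</name></getUser>{SOAP_CLOSE}'

# External entity: a parser that resolves it reads a local file into the message.
XXE = f'''<?xml version="1.0"?>
<!DOCTYPE soap [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
{SOAP_OPEN}<getUser><name>&xxe;</name></getUser>{SOAP_CLOSE}'''


def billion_laughs(levels=6):
    """Constructed XML bomb: each level references the previous one ten times,
    so &lol6; expands to 3 * 10**6 characters from a few hundred bytes of input."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, levels + 1):
        ref = "&" + ("lol" if i == 1 else f"lol{i - 1}") + ";"
        decls.append(f'<!ENTITY lol{i} "{ref * 10}">')
    subset = "\n ".join(decls)
    return (f'<?xml version="1.0"?>\n<!DOCTYPE soap [\n {subset}\n]>\n'
            f"{SOAP_OPEN}<getUser><name>&lol{levels};</name></getUser>{SOAP_CLOSE}")


DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+[^\[>]*(?:\[(.*?)\])?\s*>", re.S)
INTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
EXTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"[^"]*"')
REF_RE = re.compile(r"&(\w+);")


def entity_expansion(subset):
    """Expanded length of every internal entity declared in a DTD internal subset,
    resolving references transitively (this is what makes a bomb a bomb)."""
    entities = dict(INTERNAL_ENTITY_RE.findall(subset))
    sizes = {}

    def size(name, stack=()):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity &{name};")  # illegal XML; a parser rejects it
        value = entities[name]
        total = len(REF_RE.sub("", value))  # literal text in the replacement
        for ref in REF_RE.findall(value):
            # Undeclared refs (e.g. &amp;) are counted at their literal length.
            total += size(ref, stack + (name,)) if ref in entities else len(ref) + 2
        sizes[name] = total
        return total

    for name in entities:
        size(name)
    return sizes


def assess_message(xml_text, max_bytes=1_000_000, max_expansion=100_000):
    """Risk flags for a message before it is parsed: raw size, presence of a DOCTYPE,
    external entity declarations, and the total entity expansion the body triggers.
    Thresholds are illustrative assumptions."""
    result = {"oversized": len(xml_text.encode()) > max_bytes, "doctype": False,
              "external_entity": False, "expansion": 0, "expansion_bomb": False}
    m = DOCTYPE_RE.search(xml_text)
    if m is None:
        return result
    result["doctype"] = True
    subset = m.group(1) or ""
    result["external_entity"] = EXTERNAL_ENTITY_RE.search(subset) is not None
    sizes = entity_expansion(subset)
    body = xml_text[m.end():]
    result["expansion"] = sum(sizes.get(ref, 0) for ref in REF_RE.findall(body))
    result["expansion_bomb"] = result["expansion"] > max_expansion
    return result


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("xxe", XXE), ("bomb", billion_laughs())]:
        print(label, assess_message(doc))
```

The check is deliberately conservative: in a SOAP service there is normally no legitimate reason for a DOCTYPE at all, so rejecting any message that carries one (and configuring the real parser to refuse DTDs) is the usual fix; the expansion estimate is there so the test harness can tell a harmless declaration from an actual bomb when it triages responses.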
SOA Security Policy Validation
QA Consultants Web Solution includes support for testing Web services that sit behind security layers. At the transport level, we support SSL (both server and client authentication) and HTTP Basic, Digest and Kerberos authentication. At the message level, we support WS-Security, including X.509, SAML and Username security tokens, XML Encryption and XML Digital Signature. The solution validates security tokens and also runs negative tests that confirm the service rejects messages which fail its integrity or authentication checks.
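To make the "token validation plus negative tests" idea concrete for the Username token case, here is an added Python example (written for this page, not QA Consultants' code) that builds a WS-Security UsernameToken with a PasswordDigest, verifies it the way a service should, and then runs the negative cases a tester would send: replay, a tampered Created timestamp, a wrong password, a stale token, a plaintext password and an unknown user. The digest formula is the one from the OASIS UsernameToken Profile, Base64(SHA-1(nonce + created + password)); the user store, timestamps and skew window are constructed assumptions.

```python
import base64
import datetime as dt
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
DIGEST_TYPE, TEXT_TYPE = PROFILE + "#PasswordDigest", PROFILE + "#PasswordText"
NS = {"wsse": WSSE, "wsu": WSU}
UTC = dt.timezone.utc


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is the raw
    (decoded) bytes, created is the literal timestamp text."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def make_security_header(user, password, created, nonce=None, pw_type=DIGEST_TYPE):
    """Client side: a wsse:Security header carrying one UsernameToken.
    (Values are not XML-escaped here; real code must escape user-supplied text.)"""
    nonce = nonce if nonce is not None else os.urandom(16)
    secret = password_digest(nonce, created, password) if pw_type == DIGEST_TYPE else password
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f"<wsse:Username>{user}</wsse:Username>"
            f'<wsse:Password Type="{pw_type}">{secret}</wsse:Password>'
            f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
            f"<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>")


class UsernameTokenVerifier:
    """Server side: accept only fresh, unreplayed digest tokens for known users."""

    def __init__(self, users, max_skew_seconds=300):
        self.users = users              # assumption: the service knows the password
        self.max_skew = max_skew_seconds
        self.seen = set()               # (nonce, created) pairs already accepted

    def verify(self, header_xml, now):
        tok = ET.fromstring(header_xml).find("wsse:UsernameToken", NS)
        if tok is None:
            return "no-token"
        user = tok.findtext("wsse:Username", namespaces=NS)
        pw = tok.find("wsse:Password", NS)
        nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
        created = tok.findtext("wsu:Created", namespaces=NS)
        if pw is None or pw.get("Type") != DIGEST_TYPE:
            return "digest-required"    # never accept PasswordText on this service
        if not (nonce_b64 and created):
            return "nonce-and-created-required"
        if user not in self.users:
            return "unknown-user"
        created_at = dt.datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        if abs((now - created_at).total_seconds()) > self.max_skew:
            return "stale"
        expected = password_digest(base64.b64decode(nonce_b64), created, self.users[user])
        if not hmac.compare_digest(expected, (pw.text or "").strip()):
            return "bad-digest"         # covers wrong password and tampered Created
        if (nonce_b64, created) in self.seen:
            return "replay"
        self.seen.add((nonce_b64, created))
        return "ok"


# Constructed fixtures for the negative tests.
USERS = {"alice": "correct horse battery staple"}
NOW = dt.datetime(2009, 6, 14, 17, 21, 30, tzinfo=UTC)
CREATED = "2009-06-14T17:21:00Z"
NONCE = bytes(range(16))


def run_token_tests():
    """One valid request followed by the negative cases; returns each verdict."""
    v = UsernameTokenVerifier(USERS)
    good = make_security_header("alice", USERS["alice"], CREATED, NONCE)
    return {
        "valid": v.verify(good, NOW),
        "replay": v.verify(good, NOW),
        "tampered-created": v.verify(good.replace(CREATED, "2009-06-14T17:21:01Z"), NOW),
        "wrong-password": v.verify(make_security_header("alice", "guess", CREATED), NOW),
        "stale": v.verify(make_security_header("alice", USERS["alice"], "2009-06-14T15:00:00Z"), NOW),
        "plaintext": v.verify(make_security_header("alice", USERS["alice"], CREATED, pw_type=TEXT_TYPE), NOW),
        "unknown-user": v.verify(make_security_header("mallory", "x", CREATED), NOW),
    }


if __name__ == "__main__":
    for case, verdict in run_token_tests().items():
        print(f"{case:18s} -> {verdict}")
```

Note the ordering in `verify`: freshness and digest are checked before the nonce cache is consulted, so an attacker cannot fill the replay cache with garbage, and the digest check uses a constant-time comparison. Digest tokens also require the server to hold the password in recoverable form, which is a real trade-off of this profile worth flagging in a review.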
Web Interface Penetration Testing
QA Consultants Web Solution automatically generates tests that perform security penetration testing of Web interfaces. By simulating an attacker and sending malformed input to a Web site, we can uncover OWASP Top Ten issues such as SQL injection, cross-site scripting, buffer overflows, command injection, unvalidated input, and more.
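The following Python example, added for this page and not taken from the product, shows the shape of such a test in miniature: a constructed login handler in two versions (one that concatenates SQL and reflects input, one that uses parameterized queries and HTML escaping), a handful of malformed inputs, and a response oracle that turns the handler's output into findings. The database, payloads and oracle strings are all constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed target data: one user in an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return db


def login_vulnerable(db, user, password):
    """Deliberately insecure: SQL built by string formatting, input reflected unescaped,
    database errors returned to the client."""
    query = f"SELECT name FROM users WHERE name='{user}' AND password='{password}'"
    try:
        row = db.execute(query).fetchone()
    except sqlite3.Error as exc:
        return f"<p>Error: {exc}</p>"
    return f"<p>Welcome {user}</p>" if row else f"<p>Login failed for {user}</p>"


def login_hardened(db, user, password):
    """Parameterized query, and anything reflected back is HTML-escaped."""
    row = db.execute("SELECT name FROM users WHERE name=? AND password=?",
                     (user, password)).fetchone()
    shown = html.escape(user)
    return f"<p>Welcome {shown}</p>" if row else f"<p>Login failed for {shown}</p>"


# Malformed inputs a scanner would submit to the login form (constructed list).
PAYLOADS = {
    "sqli-or-true": ("admin' OR '1'='1", "wrong"),
    "sqli-comment": ("admin'--", "wrong"),
    "sqli-syntax-error": ("'", "wrong"),
    "xss-reflected": ("<script>alert(1)</script>", "wrong"),
}


def oracle(response):
    """Decide from the response body whether an attack succeeded."""
    findings = []
    if "Welcome" in response:
        findings.append("auth-bypass")      # logged in without the password
    if "Error:" in response:
        findings.append("error-disclosure")  # database error leaked to the client
    if "<script>" in response:
        findings.append("reflected-xss")     # payload echoed back unescaped
    return findings


def fuzz(handler):
    """Run every payload against a fresh database; map payload name to findings."""
    return {name: oracle(handler(make_db(), user, pw)) for name, (user, pw) in PAYLOADS.items()}


if __name__ == "__main__":
    print("vulnerable:", fuzz(login_vulnerable))
    print("hardened:  ", fuzz(login_hardened))
```

Against a real site the handler call becomes an HTTP request, but the structure is the same: the interesting work is in the oracle, and a weak oracle (for example one that only looks for a stack trace) will miss the authentication bypass that returns a perfectly normal-looking page.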
Additionally, we use a database of over 4,000 checks to find vulnerabilities related to outdated server software, default installations, and so on. We also inspect the HTML itself and enforce best practices for login forms, comments, hidden fields and other security-relevant HTML elements.
Language-Level Security Validation
QA Consultants' pattern-based code analysis verifies that your organization's security policy is implemented in your application code (JavaScript, VBScript/ASP, HTML, JSP, Java, .NET, and so on) and identifies common security vulnerabilities. QA Consultants' static analysis rule set is the most comprehensive in the industry and is constantly being extended.
In addition, QA Consultants' data-flow static analysis detects injection vulnerabilities, XSS, exposure of sensitive data and other vulnerabilities without test cases or execution of the application: it follows untrusted input from where it enters the code to the operations that consume it. Moreover, QA Consultants' automation of the peer code review process supports the high-level code review that regulatory compliance (PCI DSS, etc.) often requires.