Automation Is Your Ally
Although Web application security testing can be done manually, doing
so is problematic: it is expensive, and the process can be quite
lengthy. A better alternative is automated testing.
One approach, white-box testing, tests the individual components of
your application. This testing is often performed at the method or
function level to expose errors in specific functions, and is often
combined with code scanning tools and peer reviews.
Unfortunately, effective white-box testing is hard to do. Tests are
frequently written by the same person writing the code, and if the
developer is not security aware, he will not know which tests are
needed. Furthermore, white-box testing tends to miss security errors,
since many attacks involve multiple components or depend on specific
timing that unit tests do not cover.
A more popular approach to security testing is black-box testing.
Black-box testing assumes you know nothing about how the "inside" of
the application works. Your knowledge of the application is limited to
seeing the application's input and output. This is the most common form
of security testing, and is used by auditors, penetration testers, and
hackers. The tests consist of modifying "normal" user input in an
attempt to get the application to behave in an unexpected way.
Start with a Solid Foundation
An automated security scanning tool such as IBM Rational AppScan
is a solid foundation for your testing efforts. IBM Rational AppScan
performs security scans on Web applications and Web services
implementations. The scanning engine continuously tests for security
and compliance issues and provides actionable reports with fix
recommendations. IBM Rational AppScan tests server-side functions and
vulnerabilities by interacting with the application as a typical client
(applications that use Flash and/or JavaScript are fully supported).
AppScan tests Web services by acting as a SOAP client and provides
tools for developers to manipulate inputs and evaluate the results.
IBM Rational AppScan classifies security vulnerabilities into high-,
medium-, low-, and informational-severity levels. Each finding is
described in detail and includes the URL that produced the result, a
detailed description of the security risk, a recommendation for
addressing the issue, and the raw request/response data. AppScan's
delta analysis reports also let you know what changes have occurred
from one scan to the next. The reported information includes what has
been fixed, what has not, and what new security issues have been
introduced since the initial scan.
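To make the black-box idea and the delta report concrete, here is an added example (not AppScan code and not from the original article): a toy scanner that treats an application as opaque, mutates one "normal" parameter at a time, records unexpected behaviour as findings keyed by script and parameter, and then diffs two scans into fixed, remaining and new issues. The application builds, the scripts and the probe values are all constructed for the example.

```python
import html
from typing import Callable, Dict, Set, Tuple

# Constructed stand-in for a Web application: (script, params) -> (status, body).
Handler = Callable[[str, Dict[str, str]], Tuple[int, str]]
Finding = Tuple[str, str, str]  # (script, parameter, issue)
PROBES = ["'", "<b>probe</b>", "A" * 2048]  # constructed mutations of normal input

def black_box_scan(app: Handler, scripts: Dict[str, Dict[str, str]]) -> Set[Finding]:
    """Treat the app as opaque: send each script its normal input, then one
    mutated parameter at a time, and record behaviour the baseline lacked."""
    findings: Set[Finding] = set()
    for script, params in scripts.items():
        base_status, _ = app(script, dict(params))
        for name in params:
            for probe in PROBES:
                mutated = dict(params, **{name: probe})
                status, body = app(script, mutated)
                if status >= 500 and base_status < 500:
                    findings.add((script, name, "server-error"))
                if probe == "<b>probe</b>" and probe in body:
                    findings.add((script, name, "reflected-input"))
    return findings

def delta(previous: Set[Finding], current: Set[Finding]) -> Dict[str, Set[Finding]]:
    """Delta report: what was fixed, what remains, what is new since last scan."""
    return {"fixed": previous - current,
            "remaining": previous & current,
            "new": current - previous}

def app_v1(script: str, p: Dict[str, str]) -> Tuple[int, str]:
    """Constructed first build: reflects q unescaped, crashes on a quote in id."""
    if script == "/search":
        return 200, f"<p>Results for {p.get('q', '')}</p>"
    if script == "/item":
        return (500, "database error") if "'" in p.get("id", "") else (200, "<p>item</p>")
    return 404, ""

def app_v2(script: str, p: Dict[str, str]) -> Tuple[int, str]:
    """Constructed second build: both issues fixed, but a new page reflects name."""
    if script == "/search":
        return 200, f"<p>Results for {html.escape(p.get('q', ''))}</p>"
    if script == "/item":
        return (200, "<p>item</p>") if p.get("id", "").isdigit() else (400, "bad id")
    if script == "/profile":
        return 200, f"<p>Hello {p.get('name', '')}</p>"
    return 404, ""

SCRIPTS = {"/search": {"q": "shoes"}, "/item": {"id": "42"}, "/profile": {"name": "alice"}}
```

Running delta(black_box_scan(app_v1, SCRIPTS), black_box_scan(app_v2, SCRIPTS)) reports the two first-build findings as fixed and the /profile reflection as new, which is the kind of scan-to-scan comparison the delta report described above provides.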
In addition to its many other capabilities, AppScan also eases
regulatory compliance. AppScan generates over 40 out-of-the-box
regulatory compliance templates and reports, including California
Assembly Bill No. 1950; the Children's Online Privacy Protection Act
(COPPA); Director of Central Intelligence Directive (DCID) 6/3;
Electronic Funds Transfer; the Payment Card Industry (PCI) Data Security
Standard; and so on.
Get Scanning
Performing a thorough Web application security assessment is a complex
task which should be approached like any other software analysis: with
a methodology, testing procedures, a set of helpful tools, skills and
knowledge. Today's Web applications span thousands of Web pages and
accept a vast amount of input from users in many different locations.
This requires going over each script and each parameter and testing it
for numerous possible security flaws. This tedious job of assessing
security vulnerabilities can be greatly streamlined using automated
tools such as IBM Rational AppScan.
More Resources