An Approach to Testing Web Application Security
Current Scenario: A
Tomorrow's Technology Today: A
Conclusion: Testing Web applications for security defects is now considered a necessary part of the development process. However, none of the traditional methods of automated security testing provides comprehensive security coverage and accurate results for Web applications. While source code analysis is capable of finding insecure programming practices that have potentially rendered the code vulnerable to malicious attacks, it can be limited by the types of languages that have been utilized in crafting the Web application and can only find potential vulnerabilities rather than actionable results. While black box testing techniques are beneficial because they eliminate language dependency and the need for parsing the source or binary code into an analyzable form, they are also limited by the fact that they do not have access to the source code and, if unable to "guess" where some pages or files are located, can provide a false sense of security by producing numerous false negatives. Only an approach that combines the strengths of both source code analysis and black box testing can be used to produce secure Web applications. This hybrid analysis approach can provide broad code coverage, identify all points of input to an application, track data as it moves through an application, and then validate the vulnerabilities it does find, ultimately resulting in more accurate results. Developers should look toward hybrid analysis tools that combine the depth of source code analysis with the accuracy of black box testing to help them secure code more easily and confidently.
S.P.I. Dynamics, Inc. 115 Perimeter Center Place NE Suite 1100 Atlanta, GA 30346 USA Tel: 1-866-774-2700 or 678-781-4800
Download the actual white paper from the Info Security Products Guide site.
Copyright © 2006 Silicon Valley Communications - All rights reserved.