looking for Type of Security testing are dynamic and static analysis part of security testing? as QA tester do we need to know programming or coding language knowledge to perform security testing? at what phase of STLC or SDLC we can perform security testing?
type of security testing in web based application
153 views Asked by binitsql At
1
There are 1 answers
Related Questions in STATIC-ANALYSIS
- php Variable name must change in for loop
- register_shutdown_function is not getting called
- Query returning zero rows despite entries existing
- Retrieving *number* pages by page id
- Automatically closing tags in form input?
- How to resize images with PHP PARSE SDK
- how to send email from localhost using codeigniter?
- Mariadb max Error while sending QUERY packet PID
- Multiusers login redirect different page in php
- Imaginary folder when I use "DirectoryIterator" in PHP?
Related Questions in DYNAMIC-ANALYSIS
- php Variable name must change in for loop
- register_shutdown_function is not getting called
- Query returning zero rows despite entries existing
- Retrieving *number* pages by page id
- Automatically closing tags in form input?
- How to resize images with PHP PARSE SDK
- how to send email from localhost using codeigniter?
- Mariadb max Error while sending QUERY packet PID
- Multiusers login redirect different page in php
- Imaginary folder when I use "DirectoryIterator" in PHP?
Related Questions in SECURITY-TESTING
- php Variable name must change in for loop
- register_shutdown_function is not getting called
- Query returning zero rows despite entries existing
- Retrieving *number* pages by page id
- Automatically closing tags in form input?
- How to resize images with PHP PARSE SDK
- how to send email from localhost using codeigniter?
- Mariadb max Error while sending QUERY packet PID
- Multiusers login redirect different page in php
- Imaginary folder when I use "DirectoryIterator" in PHP?
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Popular Tags
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
For the best results, automated testing should be performed as code is being written. Programmers should continuously test using static and dynamic code analyzer plug-ins in their IDE. If the developers are presented with a ream of findings just before deployment, remediation will be problematic. The sheer volume of errors will be daunting; the number of false positives and insignificant findings will obscure the true positives. Moreover, the code will not be fresh in the minds of the development team. Many developers will have moved on; those that remain on the project may not be familiar with code written by their departed colleagues.
I recommend Chess and West's Secure Programming with Static Analysis. See also the discussion at Building a web application security focused team and Effectiveness of Interactive Application Security Testing The latter makes the argument for how interactive analysis demonstrates to the developer that the weakness is a real threat; showing how the code is exploitable makes it hard to shrug off the finding as just another false positive.
Static analysis testing of software source code is necessary but not sufficient. Of the nearly 1,000 entries in MITRE Common Weakness Enumeration, 40 percent can be introduced in the architecture and design phase of the development life cycle. See CWE-701: Weaknesses Introduced During Design at https://cwe.mitre.org/data/lists/701.html
By their very nature, architectural and design flaws are difficult to find via static analysis. Furthermore, fixes to architectural and design errors can be complex, can inject additional defects, and can alert adversaries to the existence of these weaknesses. Moreover design flaws can obscure coding bugs that static analysis might otherwise detect, as demonstrated by the Heartbleed vulnerability.
The more you know about programing and the language and frameworks used, the more effective you will be in helping the developers prevent errors. The more you know about programing and the language and frameworks used, the more effective you will be in helping the developers prevent errors.