Channel: Articles, Blogs and Press Releases | UniTesting China » Software Testing

Creating a Software Testing Framework That Works for Your Business


Business system applications are currently evolving at breakneck speed. This opens up exciting possibilities for companies of all sizes, but it also creates a range of new challenges.

As new ideas bring new innovations, the skills and tools needed to develop these solutions are also changing. This in turn creates room for more potential vulnerabilities in an application; it is common to observe greater vulnerabilities once an application has been updated, which generally calls for further evaluation of the solution. At this point, the new features will need to be tested, while the old features inherent in the application are re-evaluated to ensure that the new features don’t compromise the efficient functionality of already existing components.

Software testing is an integral part of the development process, no matter which model is applied in software development, be it Waterfall or any of the Agile models. As well as checking for bugs, tests also need to verify that the basic functional requirements set out at the beginning of the project have been met.

The strength of a software test generally lies in the design of the test case. The test case / test script is a blueprint for how the test should be carried out. A poorly designed test script will ultimately constitute a poor system test; utmost care should be taken during this process, with clear and deliberate steps. A quality test script should be devoid of bloat, and should both consider the functional features of an application and identify vulnerabilities that could jeopardize the security of a system.

The type of application under investigation will inform the test case design. For example, a web application may focus on validation of user inputs – allowing incorrect or invalid inputs into the system can be dangerous; hackers might exploit this form of vulnerability by using SQL injection to bring down the website. The following SQL query will expose a database admin password, for instance:

0;
insert into pg_shadow(usename, usesysid, usesuper, usecatupd, passwd)
select 'crack', usesysid, 't', 't', 'crack'
from pg_shadow where usename='postgres';
--

The above script would reveal the superuser credentials to a hacker. 0; supplies a valid offset to the original SQL query before terminating it, while -- forces the SQL parser to ignore the remainder of the query as originally written.

It’s vital to ensure that applications are tested for various vulnerabilities; a test should certify that inputs are properly validated to maintain security within an application.

A developer can utilize the following JavaScript code to validate email addresses keyed into a web form:

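// Validate the email field of the form named "myForm" before it is submitted.
function testForm()
{
    var x = document.forms["myForm"]["email"].value;
    var atpos = x.indexOf("@");       // position of the first "@"
    var dotpos = x.lastIndexOf(".");  // position of the last "."
    // Reject when "@" is missing or is the first character, when the last "."
    // is not at least two characters after "@", or when fewer than two
    // characters follow the last ".".
    if (atpos < 1 || dotpos < atpos + 2 || dotpos + 2 >= x.length)
    {
        alert("This is not a valid email address");
        return false;
    }
}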

A system test that validates all these possible vulnerabilities as well as the functional parts of a solution is key.
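As an added example (not code from the original article), the sketch below shows what such a test can look like on the server side for the offset case discussed earlier: the input is validated strictly, the SQL text stays fixed with the value passed as a bound parameter, and a table of negative cases is run against both. The `products` table, the `$1` placeholder style, the offset bound and all function names are assumptions made for illustration.

```javascript
"use strict";

const MAX_OFFSET = 100000; // assumed upper bound for a page offset
const PAGE_SQL = "SELECT id, name FROM products ORDER BY id LIMIT 20 OFFSET $1";

// Server-side check: accept only a short run of ASCII digits within the bound.
function parseOffset(raw) {
  if (typeof raw !== "string" || !/^[0-9]{1,6}$/.test(raw)) return null;
  const n = Number(raw);
  return n <= MAX_OFFSET ? n : null;
}

// The SQL text stays constant; the validated value travels as a bound parameter.
function buildPageQuery(rawOffset) {
  const offset = parseOffset(rawOffset);
  if (offset === null) throw new RangeError("invalid offset");
  return { text: PAGE_SQL, values: [offset] };
}

// Constructed test inputs: [raw request value, should it be accepted?]
const OFFSET_CASES = [
  ["0", true],
  ["40", true],
  ["100000", true],
  ["100001", false],          // above the bound
  ["-1", false],
  ["1e3", false],             // Number() alone would accept this
  [" 5", false],
  ["", false],
  ["0; SELECT 1; --", false], // valid offset, statement terminator, trailing comment
];

// Run every case and return a description of each one that misbehaves.
function runOffsetCases() {
  const failures = [];
  for (const [raw, shouldPass] of OFFSET_CASES) {
    let query = null;
    try { query = buildPageQuery(raw); } catch (e) { /* input was rejected */ }
    const accepted = query !== null;
    if (accepted !== shouldPass) failures.push("wrong verdict for " + JSON.stringify(raw));
    if (accepted && query.text !== PAGE_SQL) failures.push("SQL text changed for " + JSON.stringify(raw));
  }
  return failures;
}

console.log("failing cases:", runOffsetCases());
```

Browser-side checks such as testForm() run only in the user's browser, so the same rules need to be enforced and tested on the server as well.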

Source: http://www.business2community.com/tech-gadgets/creating-a-software-testing-framework-that-works-for-your-business-0573789

