The test phase is the last stage at which security checks are performed before the product is released. It checks whether the security functions specified during requirements analysis and design meet their targets, and verifies that all security issues found during the development phase have been resolved.
Security testing should be independent of the code audit. Compared with a code audit, security testing has two advantages: first, where the code logic is complex enough that an audit alone cannot identify a problem, a security test can still find it; second, security tests can detect logic vulnerabilities quickly.
Security testing is generally divided into automated tests and manual tests. Automated tests cover the broad, macro-level checks, such as finding vulnerabilities with a web security scanner.
Web security scanners are currently a well-established way to detect XSS, SQL injection, open redirects, PHP file inclusion and similar issues, because detection of these vulnerabilities relies mainly on characteristics of the returned strings.
For vulnerabilities such as unauthorized access, CSRF and file upload, automated detection is not always effective, because these depend on system logic or business logic, and sometimes require human interaction to drive the page flow. Testing for this type of vulnerability therefore relies more on manual work.
The most widely used tool for web application security testing is the web security scanner. Traditional software security testing and fuzz testing are rare in the field of web security testing, although to some extent a web scan can itself be regarded as a form of fuzzing.
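The difference between the two kinds of vulnerability described above (string-characteristic detection versus logic that only a human who knows the business rule can judge) is easiest to see side by side. The following is an added example, not code from the original text or from any of the scanners it names. It assumes constructed toy handlers (`search_vulnerable`, `search_fixed`, `view_order`, `view_order_fixed`) standing in for a web application, with no network involved: a scanner-style check sends a harmless marker and looks at how it comes back, while the authorization check has to encode the rule "an order belongs to exactly one user", which no response string reveals on its own.

```python
import html
import uuid
from dataclasses import dataclass

# Constructed stand-in for a web application: plain functions instead of
# HTTP handlers, so the checks can run offline.  None of this is real
# product code; the handlers exist only to illustrate what each kind of
# test can and cannot see.


@dataclass
class Response:
    status: int
    body: str


def search_vulnerable(query: str) -> Response:
    # Echoes the query into the page without encoding: the defect a
    # string-characteristic scanner check is good at spotting.
    return Response(200, f"<p>Results for {query}</p>")


def search_fixed(query: str) -> Response:
    # Same page, but the query is HTML-escaped before it reaches the body.
    return Response(200, f"<p>Results for {html.escape(query)}</p>")


# Constructed sample data: order id -> owning user.
ORDERS = {"A-1": "alice", "B-1": "bob"}


def view_order(order_id: str, user: str) -> Response:
    # Toy handler with a missing ownership check: any logged-in user can
    # read any order.  Status and body look like a perfectly normal page.
    if order_id not in ORDERS:
        return Response(404, "not found")
    return Response(200, f"order {order_id} belongs to {ORDERS[order_id]}")


def view_order_fixed(order_id: str, user: str) -> Response:
    # Ownership enforced; a foreign order is reported as absent so the
    # response does not reveal whether the id exists.
    if order_id not in ORDERS or ORDERS[order_id] != user:
        return Response(404, "not found")
    return Response(200, f"order {order_id} belongs to {user}")


def reflected_unescaped(handler) -> bool:
    """Scanner-style check based on the returned string: send a marker
    wrapped in characters that must be HTML-encoded and see whether it
    comes back verbatim.  True means the output is not encoded."""
    marker = "scanchk" + uuid.uuid4().hex[:8]   # random, so it cannot be cached
    probe = f"<{marker}>"
    return probe in handler(probe).body


def scanner_view_of_order(handler) -> str:
    """What an automated tool can see when it requests someone else's
    order: only the shape of the response, not whether it was allowed."""
    r = handler("A-1", user="bob")
    return "normal page" if r.status == 200 and r.body else "error page"


def manual_authz_check(handler, order_id: str, user: str) -> bool:
    """What the manual tester brings: knowledge of the business rule.
    Returns True if the handler enforces that only the owner sees the order."""
    r = handler(order_id, user)
    if ORDERS[order_id] == user:
        return r.status == 200
    return r.status in (403, 404)


if __name__ == "__main__":
    print("search_vulnerable reflects unescaped:", reflected_unescaped(search_vulnerable))
    print("search_fixed reflects unescaped:     ", reflected_unescaped(search_fixed))
    print("scanner sees for view_order:         ", scanner_view_of_order(view_order))
    print("bob may read alice's order (vuln):   ", not manual_authz_check(view_order, "A-1", "bob"))
    print("bob may read alice's order (fixed):  ", not manual_authz_check(view_order_fixed, "A-1", "bob"))
```

The reflection check needs nothing but the response body, which is why scanners handle that class well. For the order handler, the scanner receives an ordinary 200 page in the vulnerable case and an ordinary 404 in the fixed case; both are legitimate responses in some context, so only a tester who knows which user owns which order can say which one is wrong.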
Good commercial web security scanners include IBM Rational AppScan, WebInspect and Acunetix WVS; among free scanners there are high-quality tools such as w3af and skipfish. Scanner performance, the false-positive rate, the miss rate and similar factors are the criteria for judging a scanner. By running comparison tests between different scanners, you can pick the one best suited to your enterprise; you can also refer to the comparison tables published in public review reports, as well as to the experience of people in the same industry.
Skipfish is an open-source web security scanner that Google uses, and its performance is very good. Because it is open source and Google has used it successfully, it is a good base for secondary development if a security team wishes to customize it to suit its needs.
After security testing is complete, a security test report needs to be produced. This report is not the scan report: a scan report may contain false positives and omissions, so it must first be reviewed and approved by a security engineer. The approved scan report, combined with the results of manual testing, forms the final security test report.
The problems raised in the security test report need to be fixed by the development engineers. After the vulnerabilities are fixed, a further round of security testing is conducted to verify that they have really been fixed. The time required for these steps should be factored in when the project is first set up.
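The two steps described above (engineer approval of the scan report merged with manual findings, then re-testing until every item is closed) translate naturally into a small tracking routine. The following is an added example, not code from the original text or from any scanner's reporting feature. The findings, the engineer's verdicts and the retest results are all constructed sample data; the `Finding` class, `approve_scan_report`, `build_report`, `record_retest` and `ready_for_release` are names chosen for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data standing in for a scanner export, the security
# engineer's review of it, and the manual test results.


@dataclass
class Finding:
    fid: str
    source: str                      # "scanner" or "manual"
    title: str
    severity: str                    # "high", "medium" or "low"
    confirmed: Optional[bool] = None  # scanner items: engineer verdict, None = unreviewed
    retests: List[str] = field(default_factory=list)  # each entry "open" or "fixed"


SCAN_FINDINGS = [
    Finding("S1", "scanner", "Reflected XSS in /search parameter q", "high"),
    Finding("S2", "scanner", "SQL error text in /item response", "high"),
    Finding("S3", "scanner", "Open redirect in /go parameter url", "medium"),
]

# The engineer's review of the scan: S2 turned out to be a false positive.
ENGINEER_VERDICTS = {"S1": True, "S2": False, "S3": True}

# Logic issues found by hand are already confirmed by the tester.
MANUAL_FINDINGS = [
    Finding("M1", "manual", "Order page viewable by a different user", "high", confirmed=True),
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def approve_scan_report(findings: List[Finding], verdicts: Dict[str, bool]) -> List[Finding]:
    """Apply the engineer's verdicts.  Every scanner item must have been
    reviewed; unreviewed items block approval rather than silently passing."""
    approved = []
    for f in findings:
        if f.fid not in verdicts:
            raise ValueError(f"{f.fid} has not been reviewed by a security engineer")
        f.confirmed = verdicts[f.fid]
        if f.confirmed:
            approved.append(f)
    return approved


def build_report(scan_findings, verdicts, manual_findings) -> List[Finding]:
    """The security test report: approved scan items plus manual findings,
    ordered by severity so developers see the worst problems first."""
    items = approve_scan_report(scan_findings, verdicts) + list(manual_findings)
    return sorted(items, key=lambda f: (SEVERITY_ORDER[f.severity], f.fid))


def record_retest(report: List[Finding], fid: str, result: str) -> None:
    """Append the outcome of one re-test round for a finding."""
    if result not in ("open", "fixed"):
        raise ValueError(f"unexpected retest result {result!r}")
    for f in report:
        if f.fid == fid:
            f.retests.append(result)
            return
    raise KeyError(fid)


def current_status(f: Finding) -> str:
    # A finding with no re-test yet is still open by definition.
    return f.retests[-1] if f.retests else "open"


def open_items(report: List[Finding]) -> List[str]:
    return [f.fid for f in report if current_status(f) != "fixed"]


def ready_for_release(report: List[Finding]) -> bool:
    """Release gate: every item in the report has a passing re-test."""
    return not open_items(report)


if __name__ == "__main__":
    report = build_report(SCAN_FINDINGS, ENGINEER_VERDICTS, MANUAL_FINDINGS)
    print("report:", [f.fid for f in report])          # ['M1', 'S1', 'S3']
    record_retest(report, "S1", "fixed")
    record_retest(report, "S3", "open")                 # first fix attempt did not hold
    record_retest(report, "M1", "fixed")
    print("still open:", open_items(report))            # ['S3']
    record_retest(report, "S3", "fixed")
    print("ready for release:", ready_for_release(report))  # True
```

Keeping the whole re-test history per finding, rather than a single flag, is what makes the "iterated" part of the process visible: an item that was marked fixed and then reopened shows up as such, and the release gate only opens when the latest round for every item passed.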