07-09-2014, 11:02 AM
One of the key security practices that need to be in place in order to mitigate the increasing number of vulnerabilities in Web applications is a structured security testing methodology. The nature of Web applications requires an iterative and evolutionary approach to development. Therefore, the structured security testing methodology needs to have the capability of being adapted to such an environment, and it needs to be specialized for Web applications. The most widely applied security testing methodologies today are extensive and are sometimes too complicated, with their many activities and phases. When such extensive security testing methodologies are applied in the realm of Web applications, developers tend to neglect the testing process because the methodologies are considered to be too time-consuming, lacking a significant payoff, and inappropriate for Web applications, which have a very short time-to-market. This can be regarded as one of the reasons why security testing is often executed according to the penetrate-and-patch paradigm. In this thesis, the author has shown that using a structured security testing methodology developed especially for Web applications leads to a significantly more effective way of performing security tests on Web applications compared to existing ad hoc ways of performing security tests. The factors that the author used to measure the efficiency were: (1) the amount of time spent on the security testing process, (2) the number of vulnerabilities found during the security testing process, and (3) the ability to mitigate false positives during the security testing process.