Monday 11 January 2016

Manual vs Automated Web Application Testing

Three different approaches to web application testing can be adopted: automated, manual, or a combination of both. For a typical web application the outcomes are likely to differ greatly in coverage and cost, and most importantly in the level of assurance obtained.

Agility's standard methodology uses the combined approach, providing an efficient and effective service that attains a high level of assurance in the most cost- and time-effective manner.

Level of Assurance

Automated web application vulnerability assessment tools can efficiently identify some categories of technical vulnerability, such as the simplest forms of common web vulnerabilities, including some SQL injection and cross-site scripting, and they typically identify only well-known vulnerability classes.

More complex vulnerabilities, for example those related to or dependent upon application logic, or flaws in the design of security functionality (such as authentication and authorisation), are not readily identified using automated techniques and require a manual testing approach.
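An added example (not code from the original post or from Agility) illustrating the distinction drawn above. The page names, handlers and invoice data are constructed for this illustration. The reflected cross-site scripting flaw in `search_vulnerable` can be found by a scanner from the response alone, because its probe comes back unencoded; the authorisation flaw in `invoice_vulnerable` produces perfectly well-formed responses, and recognising it requires knowing which invoices belong to which user, which is the context a manual tester brings. Each flaw is shown beside its fixed form.

```python
import html

# Constructed sample data for this example (not from the original post):
# invoice id -> owner and total.
INVOICES = {
    "1001": {"owner": "alice", "total": "120.00"},
    "1002": {"owner": "bob", "total": "55.00"},
}


def search_vulnerable(query: str) -> str:
    """Reflected XSS: the query is echoed unencoded into an HTML body.
    A scanner can find this from the response alone, because the probe
    string it sent comes back verbatim in an HTML context."""
    return f"<p>Results for: {query}</p>"


def search_fixed(query: str) -> str:
    """The same page with contextual output encoding applied."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def scanner_detects_reflection(handler, probe: str = "<scanprobe>") -> bool:
    """Simplified model of an automated check: send a marker and look for it
    reflected unencoded. No knowledge of the application is required."""
    return probe in handler(probe)


def invoice_vulnerable(user: str, invoice_id: str) -> str:
    """Authorisation logic flaw: any authenticated user can read any invoice
    by changing the id. Every response is a well-formed page, so nothing in
    the response by itself distinguishes a legitimate read from an
    unauthorised one."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return "404 not found"
    return f"Invoice {invoice_id} total {inv['total']}"


def invoice_fixed(user: str, invoice_id: str) -> str:
    """Ownership is enforced. Missing and forbidden invoices get the same
    response so that ids cannot be enumerated by observing the difference."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return "404 not found"
    return f"Invoice {invoice_id} total {inv['total']}"


def manual_authz_check(handler, ownership) -> list:
    """A tester's check: it needs context the scanner lacks, namely which
    invoices belong to which user. Every user requests every invoice and
    any successful cross-user read is reported as (user, invoice_id)."""
    users = sorted({inv["owner"] for inv in ownership.values()})
    leaks = []
    for user in users:
        for invoice_id, inv in sorted(ownership.items()):
            if inv["owner"] != user and handler(user, invoice_id).startswith("Invoice"):
                leaks.append((user, invoice_id))
    return leaks


if __name__ == "__main__":
    print("scanner finds reflection in vulnerable page:", scanner_detects_reflection(search_vulnerable))
    print("scanner finds reflection in fixed page:", scanner_detects_reflection(search_fixed))
    print("cross-user reads (vulnerable):", manual_authz_check(invoice_vulnerable, INVOICES))
    print("cross-user reads (fixed):", manual_authz_check(invoice_fixed, INVOICES))
```

The point of `manual_authz_check` is not the loop but its second argument: the ownership model is information the tester gathers by understanding the application first, and without it a response of "Invoice 1001 total 120.00" is indistinguishable from correct behaviour.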

Other web application testing tools, designed to assist a manual tester, can greatly increase the efficiency of testing by automating a series of steps, or by performing hundreds or thousands of iterations of a transaction under the guidance of the manual tester, thereby achieving results that would otherwise be impractical.

AgilityIS therefore uses a combination of these methods, which is invariably the most appropriate approach. All our testing is manually led: we first gain an understanding of the application logic and then select the most appropriate tools to assist in testing the web application.

Using automated vulnerability assessment tools alone would give a false sense of comfort, with real issues going unidentified. The more intricate vulnerabilities that remain would ultimately be the ones most likely to be exploited to real effect, leading to the compromise of information or to fraudulent transactions.

Manual testing alone would not be exhaustive enough and could leave areas of vulnerability undiscovered, particularly where multiple iterations are required to identify exploitable patterns in the application's behaviour.

By combining manual testing techniques with automated tools, testing is both efficient and effective. By testing from an informed position using this combined approach, we can provide you with the highest level of assurance in the most cost- and time-effective manner.

Operational Impact

Beyond the differing levels of assurance obtained from automated and manual web application testing, some further points should be taken into account, particularly the risks associated with performing each type of test.

There are inherent risks associated with automated testing. Because an automated tool cannot view a given function in its complete context, testing any function that changes application state or data could result in data being lost or damaged, or in erroneous data being stored or processed by the application.

Manual testing uses a number of strategies to dramatically reduce the risk of such events occurring. Most significantly, functions are subjectively analysed under ‘normal use’ scenarios before testing commences. This enables the tester to understand the full context and effect of a function. Testing can then be tailored for the specific function.

Manual testing is also able to identify the same vulnerabilities with a significantly smaller number of requests, by analysing responses more intelligently. This greatly reduces the number of erroneous transactions, and lets the tester keep track of the transactions made during testing so that administrators can reverse them later.
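An added example (not Agility's tooling or code from the original post) of the two operational practices described in this section: refusing to submit state-changing requests to functions the tester has not first reviewed under normal use, and recording every state-changing request that is sent so administrators can reverse it afterwards. `FakeApp`, the `/orders` and `/account` paths and the session contents are constructed stand-ins for an application under test.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# HTTP methods that are expected to change application state.
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class LedgerEntry:
    seq: int
    method: str
    path: str
    created_id: Optional[str]
    note: str


class TestLedger:
    """Wraps every request a tester sends. State-changing requests are only
    sent to paths the tester has explicitly approved after reviewing the
    function under normal use; each one that is sent is recorded so it can
    be handed to administrators for reversal."""

    def __init__(self, approved_paths):
        self.approved = set(approved_paths)
        self.entries: List[LedgerEntry] = []
        self.refused: List[Tuple[str, str]] = []

    def send(self, method, path, body, transport, note=""):
        method = method.upper()
        if method in MUTATING_METHODS and path not in self.approved:
            # Unlike a blind scanner, refuse rather than submit to an unreviewed function.
            self.refused.append((method, path))
            return None
        status, response = transport(method, path, body)
        if method in MUTATING_METHODS:
            self.entries.append(
                LedgerEntry(len(self.entries) + 1, method, path, response.get("id"), note)
            )
        return status, response

    def reversal_plan(self) -> List[str]:
        """Most recent change first. Records created during the test map to a
        delete; anything else is flagged for an administrator to review."""
        plan = []
        for e in reversed(self.entries):
            if e.method == "POST" and e.created_id is not None:
                plan.append(f"DELETE {e.path}/{e.created_id}")
            else:
                plan.append(f"REVIEW seq {e.seq}: {e.method} {e.path} ({e.note})")
        return plan


class FakeApp:
    """Constructed in-memory stand-in for the application under test."""

    def __init__(self):
        self.orders: Dict[str, dict] = {}
        self.next_id = 1

    def __call__(self, method, path, body):
        if method == "POST" and path == "/orders":
            order_id = str(self.next_id)
            self.next_id += 1
            self.orders[order_id] = body
            return 201, {"id": order_id}
        if method == "GET" and path == "/orders":
            return 200, {"orders": list(self.orders)}
        if method == "DELETE" and path == "/account":
            return 200, {"deleted": True}
        return 404, {}


def run_session():
    """A short test session: two approved order creations, one read, and one
    attempt against a destructive function the tester never approved."""
    app = FakeApp()
    ledger = TestLedger(approved_paths={"/orders"})
    ledger.send("POST", "/orders", {"item": "test-item-1"}, app, note="boundary test on quantity")
    ledger.send("POST", "/orders", {"item": "test-item-2"}, app, note="malformed item name")
    ledger.send("GET", "/orders", None, app)
    ledger.send("DELETE", "/account", None, app)  # refused: not on the approved list
    return ledger, app


if __name__ == "__main__":
    ledger, _ = run_session()
    print("refused:", ledger.refused)
    print("reversal plan:", ledger.reversal_plan())
```

The reversal plan is generated from the ledger rather than from memory, which matters when a test involves hundreds of tool-driven iterations of a transaction: the tester still knows exactly which records the test created and in what order.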

Threat Defence

Finally, consideration needs to be given to which threats you are trying to protect against, and this may well vary depending on the application and its use.

An automated scanner will help in defending against automated attacks, making your application a less interesting target than other, less well-defended sites. However, it will not deter a more focused attacker, who will look for more complex ways to exploit your infrastructure.

Agility commonly finds sites that are vulnerable to exploits such as cross-site scripting, which allows an attacker to embed code within a website and thereby directly target the website's genuine users. These users are unaware that pages rendered in their browser may be malicious, because the pages appear to come from your trusted website. Such exploits harvest user-supplied information, may prompt for passwords, and so on, and all of the information is passed back to the attacker.