Page 110 - SOFTWARE TESTING & QUALITY ASSURANCE
Unit 7: Documentation and Security Testing
Any unprotected data that is accessible to other users is called latent data. It is the responsibility of the
tester to assess whether or not such latent data can cause a security vulnerability. If it can, the
necessary measures have to be taken to prevent the vulnerability from being exploited.
A tester who is well aware of the security vulnerabilities of the system can
provide vital information to computer forensics investigators about exactly how the software's
security could be breached. This helps to identify the possible ways in which an attacker
could have carried out the attack.
National Widgets Website Security Problem
National Widgets wanted to build a Web site for its users, and it approached Front End
Associates to develop the Web site for them. Front End Associates developed a highly
impressive Web site for National Widgets.
National Widgets deployed the Web site developed by Front End Associates, and for about 18
months the Web site operated without any problem. However, some of the employees of National
Widgets raised security concerns about the Web site. National Widgets brought the issue to Front End
Associates' notice and asked them to fix the problem for free. However, Front End Associates
was not ready to fix the problem for free and did not respond properly to National Widgets' request.
Later, Front End replied to National Widgets saying that there were no security problems in the
software it had developed. It justified its stand by saying that it had hired Web site
security testing experts to carry out security tests on the software, and it provided a detailed report.
National Widgets decided to verify the test report that the team of testing experts had prepared
after testing the Web site. National Widgets had to take the support of its lawyers to view the test
report, which was held by Front End. After analyzing the report, it was noticed that the experts had not
conducted effective testing of the software. The company that Front End had hired to perform
security testing had simply run a few scanning tools to check for minor issues in the software. It
did not perform effective testing to find security vulnerabilities in the software.
National Widgets planned to conduct independent testing of the software and assembled a
group of experts to carry out the test. For this, National Widgets asked Front End to provide the
source code of the Web site that Front End had developed for them. However, Front End refused to
give the source code to National Widgets, saying it would cause copyright issues. National Widgets,
with legal backing, was able to decompile the code and perform a code review. After thorough
testing of the software, more than six serious security problems were found. These
problems were due to the poor design that Front End had adopted during the initial stages of Web
site development. The problems were so severe that making the necessary changes required both time
and cost. Therefore, National Widgets requested Front End to fix the problems
without any additional cost. Front End partially acknowledged the defects in the Web
site but was not ready to accept the mistake completely. This became a legal issue, and both
companies went to court to settle the dispute.
This problem had a direct impact on both companies. The companies lost lakhs of rupees in
legal fees, productivity was hindered, and reputation was damaged. Along with this, both
companies had to spend a great deal of time and money answering each other's queries, producing
documents, re-testing the software, and attending the trial. Even though Front End was the most affected in
terms of loss of revenue and reputation, National Widgets also suffered some setbacks due to this issue.
Questions
1. What was the problem that National Widgets faced, and what was the reason behind it?
2. Do you think Front End was responsible for developing such a Web site? Justify.
Adapted from
http://www.owasp.org/index.php/Secure_software_contracting_hypothetical_case_study#Conclusions
LOVELY PROFESSIONAL UNIVERSITY 103