Pen testing, vulnerability scans, and performance testing as they relate to the application you chose in the first assignment. Choose which you believe would be the most important for testing your software. Consider what your criteria are.
Two software applications that perform the type of test you have chosen.
Instructions
Consider your research and do the following:
Justify what you believe to be the most appropriate testing method by evaluating each type of test against at least 4 relevant criteria of your choosing.
Describe 4 criteria that are appropriate for selecting commercial software for the selected test type.
Justify your choice of testing software by comparing two commercially available solutions against each of your stated criteria.
This course requires the use of Strayer Writing Standards (SWS). The library is your home for SWS assistance, including citations and formatting. Please refer to the Library site for all support. Check with your professor for any additional instructions.
The specific course learning outcomes associated with this assignment are:
Evaluate application technologies and the security issues associated with them.
Define processes for ensuring web application security.
Full Answer Section
Most Important Testing Method: Penetration Testing
For ShopSphere, penetration testing is the most crucial. While all three methods have value, the e-commerce platform's sensitive data (customer information, payment details) necessitates a focus on actively uncovering and exploiting vulnerabilities rather than only enumerating them. Penetration testing simulates real-world attacks against the running application and reveals weaknesses that automated scanners generally cannot find, such as business logic flaws (for example, a checkout that trusts a client-supplied price or quantity) and multi-step abuses of the account and payment workflows. Handling payment card data also brings PCI DSS obligations, which include regular penetration testing. The potential impact of a security breach on ShopSphere's reputation and finances outweighs the higher cost and resource requirements of pen testing; vulnerability scanning and performance testing still belong in the programme, but as supporting activities.
Criteria for Selecting Commercial Pen Testing Software:
- Vulnerability Coverage: The software should cover a wide range of vulnerabilities, including the OWASP Top 10, the CWE/SANS Top 25, and e-commerce-specific threats such as payment and session handling flaws.
- Reporting and Remediation: The software should provide clear, actionable reports with severity ratings, reproduction steps (the exact request and response) for each identified vulnerability, and guidance on how to fix it.
- Customization and Flexibility: The software should allow tests to be tailored to specific areas of the application (for example, the checkout flow) and accommodate different testing methodologies, from manual request manipulation to scripted attacks.
- Integration: The software should integrate with other security tools, issue trackers and development workflows (CI/CD pipelines) to streamline the testing and remediation process.
Justification of Pen Testing Software Choice:
Let's compare two solutions: Burp Suite Professional and Kali Linux. One caveat applies to the comparison: Burp Suite Professional is a commercial licensed product, whereas Kali Linux is a free, open-source distribution that bundles security tools (including Burp Suite Community Edition), so it does not strictly satisfy the "commercially available" criterion. It is included here because it is the most common alternative toolset a tester would assemble.
Choice: Burp Suite Professional
While both are powerful, Burp Suite Professional is chosen for ShopSphere due to its superior reporting and remediation features. Its Scanner records each issue with a severity and confidence rating, the request and response that demonstrate it, and remediation advice, and the results can be exported as an HTML or XML report. These clear, actionable reports make it easier for developers to understand and fix vulnerabilities, which is crucial for a business application. Burp Suite's "Intruder" tool sends many variants of a request with attacker payloads substituted at marked positions, which allows automated, customised attacks against specific parameters (for example, the quantity and price fields of the checkout), and its "Repeater" tool lets the tester resend a single modified request by hand, which makes retesting after a fix straightforward. Kali Linux offers a vast toolset (nmap, sqlmap, OWASP ZAP and many others), but each tool produces its own output, so the tester must consolidate findings and write the report themselves, which requires more expertise and is less efficient in a business setting. Reaching the same level of automation and reporting in Kali means manually configuring and scripting several tools. Against the four criteria, Burp Suite Professional matches Kali on coverage and customisation, and leads on reporting and on integration (it exports to issue trackers and CI/CD through its REST API and extensions), so it is the more suitable choice for ShopSphere's need for efficient vulnerability identification and remediation.
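To illustrate the business logic flaw mentioned above and the kind of parameter manipulation that Intruder automates, here is an added example that is not part of the original answer and not code from ShopSphere or from Burp Suite. It constructs a toy checkout handler that trusts the client's price and quantity, a hardened version that recomputes the total from a server-side catalog, and an Intruder-style loop that sends a payload list against the quantity and price parameters and flags totals a scanner would never notice because every response is a well-formed 200. The SKU names, prices and payloads are all invented for the example.

```python
"""Constructed example: a logic flaw in an e-commerce checkout and an
Intruder-style probe that finds it. Nothing here is ShopSphere's or Burp's code."""
from dataclasses import dataclass

# Constructed server-side catalog; prices in cents to avoid float rounding.
CATALOG = {"sku-100": 4999, "sku-200": 1999}


def checkout_vulnerable(order: dict) -> int:
    """Business logic flaw: the total is computed from the client-supplied
    price and quantity. The request is syntactically valid, so an injection
    or XSS scanner has nothing to flag; only reasoning about the workflow
    (or the scripted manipulation below) shows the total is attacker-controlled."""
    total = 0
    for item in order["items"]:
        total += int(item["price"]) * int(item["qty"])
    return total


def checkout_hardened(order: dict) -> int:
    """Fix: ignore the client's price, look the SKU up server-side and
    validate the quantity range. Raises ValueError on a tampered request."""
    total = 0
    for item in order["items"]:
        sku = item["sku"]
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        qty = int(item["qty"])
        if qty < 1 or qty > 99:
            raise ValueError(f"invalid quantity {qty}")
        total += CATALOG[sku] * qty
    return total


# Payload list of the kind loaded into Intruder for the qty/price positions
# (constructed for this example). The last entry is the legitimate baseline.
PAYLOADS = [
    {"qty": -1, "price": 4999},  # negative quantity: the shop pays the buyer
    {"qty": 1, "price": 1},      # tampered price
    {"qty": 1, "price": 0},      # free item
    {"qty": 1, "price": 4999},   # baseline, honest request
]


@dataclass
class Finding:
    payload: dict
    observed_total: int
    expected_total: int


def probe(handler, sku: str = "sku-100") -> list:
    """Intruder-style loop: submit each payload and compare the accepted
    total with what the server-side catalog says it should be. A real run
    would also record status codes and response lengths, as Burp's results
    table does; here a rejected request (ValueError) simply yields no finding."""
    findings = []
    for p in PAYLOADS:
        order = {"items": [{"sku": sku, "qty": p["qty"], "price": p["price"]}]}
        try:
            total = handler(order)
        except ValueError:
            continue
        expected = CATALOG[sku] * p["qty"]
        if p["qty"] < 1 or total != expected:
            findings.append(Finding(p, total, expected))
    return findings


if __name__ == "__main__":
    for name, handler in (("vulnerable", checkout_vulnerable),
                          ("hardened", checkout_hardened)):
        found = probe(handler)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  payload={f.payload} total={f.observed_total} expected={f.expected_total}")
```

Run the module directly to see three findings against the vulnerable handler and none against the hardened one. The probe is deliberately a sanity check on the server's own arithmetic rather than a signature, which is exactly why a generic vulnerability scanner misses this class of bug: it has no model of what the total should be.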
Sample Answer
Let's analyze penetration testing, vulnerability scanning, and performance testing for a web application and determine the most important testing method.
Scenario:
The web application chosen is an e-commerce platform called "ShopSphere," handling online sales, customer accounts, product catalogs, and payment processing.
Justification of the Most Appropriate Testing Method: