Software Testing Versus Website Vulnerability and Security Assessments

Differentiating between software testing and security assessments can be difficult. Generally, software testing is a much broader set of procedures than website security assessments. In many cases, software testing includes an assessment of website security as a subset of the overall testing process.

Software testing often includes, at minimum, the following checks of the application:

  • Meets the initial design requirements provided by the party requesting the application; referred to as verification and validation

  • Operates as expected and without any errors

  • Can be implemented so that it does not cause issues with other applications it may integrate with; referred to as compatibility

Depending on the software development life cycle methodology used, there can often be additional steps or phases in the testing process.

This chapter focuses on assessing the security of a specific type of application, a website, and its various parts and pieces. Websites typically consist of four elements:

  • Web server software, such as Microsoft’s Internet Information Services or Apache HTTP Server

  • A hardware server and operating system that the web server runs on

  • A software application that uses the web server to collect or distribute information

  • A database that stores the information being used by the application and/or web server

A common implementation of these website elements involves three tiers or layers of hardware and software. These layers consist of a presentation tier with the web server and its hardware, an application or logic tier with the software application and its hardware server, and a database tier that includes the database software and its hardware server. Although these three tiers are often implemented on physically separate hardware servers for optimal security, they represent logical parts of the overall website platform. In situations where software capability does not support three separate servers, or where budget might not allow for multiple servers, the tiers can be installed together on shared servers.
