Security Testing in Agile Web Application Development - A Case Study Using the EAST Methodology

(Research paper, 30 min) [ Slides ]

Author(s): Gencer Erdogan (CERN), Per Håkon Meland (Sintef) and Derek Mathieson (CERN)
Session: Testing: New approaches
Session chair: Johannes Brodwall (Steria)
Date: Thursday, 3 June 2010: Main Conference
Time: 13:30-15:00
There is a need for improved security testing methodologies specialized for Web applications and their agile development environment. The number of web application vulnerabilities is drastically increasing, while security testing tends to be given a low priority. In this paper, we analyze and compare Agile Security Testing with two other common methodologies for Web application security testing, and then present an extension of this methodology. We present a case study showing how our Extended Agile Security Testing (EAST) performs compared to a more ad hoc approach used within an organization. Our working hypothesis is that the detection of vulnerabilities in Web applications will be significantly more efficient when using a structured security testing methodology specialized for Web applications, compared to existing ad hoc ways of performing security tests. Our results show a clear indication that our hypothesis is on the right track.

