A lot of people don’t think about the practice squads when it comes to professional sports. You know, the guys the starters play against day in and day out, but you never see? In the same way, a lot of people forget how important adequate testing is, not only for your user experience, but also for security. While it may not get all the glamour, without it you’re simply left guessing and hoping your application is safe and secure.
When we think about security we tend to think of back-end development: ensuring that we’re validating and sanitizing input, escaping output, utilizing CSRF tokens, and rotating session IDs. For others, security means ensuring the environment is set up correctly with all the patches and correct INI directives, making sure it is behind a solid firewall, and that no critical server ports or applications can be accessed from the outside. The list goes on and on, but the one thing people hardly ever mention is testing.
After all, testing doesn’t really stop hackers from infiltrating your site, does it? Isn’t testing more about making sure the application works and things look right?
The truth is that testing is one of the more powerful tools we have in our arsenal to identify security issues and get them corrected before they make it out to production. Not only can we use tools such as Selenium (seleniumhq.org) or Watir (watir.com) to go through the site and make sure the flows work correctly, we can use them to identify issues and failures within the code. When something doesn’t work right, the code is not behaving as intended, and unintended behavior is where security problems start.
I remember one particular day I was rushed to get some code done, and knocked it out quite quickly. I ran through the application and everything functioned as I, the developer, expected. So off to QA (Quality Assurance) it went, only to get sent right back. Apparently the quick fix I made had one slight problem: it didn’t validate the user’s access level, even if they were logged in. Inadvertently, in my local development environment I had created a backdoor into the admin panel, allowing anyone access to my dummy accounts. Imagine if that had made it to production!
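As an added illustration of the bug in that anecdote (this is not code from the article), here is the shape of the "quick fix" beside a corrected handler, and the access-level test that would have flagged it before it ever reached QA. The handler names, numeric access levels, status codes and session layout are all assumptions made for the example.

```python
# Added example: a logged-in-only check versus a proper access-level check,
# plus the authorization test a QA flow would run against both.
# All names and values below are constructed for illustration.

GUEST, USER, ADMIN = 0, 1, 2          # assumed access levels, low to high

def make_session(username, access_level):
    """Constructed session record standing in for a real logged-in session."""
    return {"user": username, "access_level": access_level}

def admin_panel_quick_fix(session):
    """The buggy version: only checks that *someone* is logged in."""
    if session is None:
        return 302                     # not logged in: redirect to login
    return 200                         # any logged-in user reaches the panel

def admin_panel_fixed(session):
    """Corrected version: authentication AND access-level check."""
    if session is None:
        return 302
    if session.get("access_level", GUEST) < ADMIN:
        return 403                     # logged in, but not authorized
    return 200

def authorization_test(handler):
    """Exercise a handler the way an automated QA flow would, with an
    anonymous visitor, an ordinary user and an admin. Returns a dict of
    failures mapping case name -> (expected, got); empty means it passed."""
    cases = {
        "anonymous must be redirected": (None, 302),
        "regular user must be forbidden": (make_session("alice", USER), 403),
        "admin must reach the panel": (make_session("root", ADMIN), 200),
    }
    failures = {}
    for name, (session, expected) in cases.items():
        got = handler(session)
        if got != expected:
            failures[name] = (expected, got)
    return failures

if __name__ == "__main__":
    print("quick fix:", authorization_test(admin_panel_quick_fix))
    print("fixed:    ", authorization_test(admin_panel_fixed))
```

The quick fix passes the "does it work when I'm logged in" check the developer ran by hand, and only the regular-user case exposes the missing access-level validation.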
THIS IS A PREVIEW. DOWNLOAD ISSUE 9 TO READ THE FULL ARTICLE.