They can then relate the cost of insecure software to the impact it has on the business, and consequently develop appropriate business processes and assign resources to manage the risk.
Remember that measuring and testing web applications is even more critical than for other software, since web applications are exposed to millions of users through the Internet. During the development life cycle of a web application many things need to be tested, but what does testing actually mean?
The guide gives a broad view of the elements required to make a comprehensive web application security program.
This guide can be used as a reference guide and as a methodology to help determine the gap between existing practices and industry best practices.
As a result of this, many outsiders regard security testing as a black art.
The aim of this document is to change that perception and to make it easier for people without in-depth security knowledge to make a difference in testing. This document is designed to help organizations understand what comprises a testing program, and to help them identify the steps that need to be undertaken to build and operate a testing program on web applications.
Many industry experts and security professionals, some of whom are responsible for software security at some of the largest companies in the world, are validating the testing framework.
This framework helps organizations test their web applications in order to build reliable and secure software.
In the security industry people frequently test against a set of mental criteria that are neither well defined nor complete. Interestingly, they estimate that a better testing infrastructure would save more than a third of these costs, or about billion a year. More recently, the links between economics and security have been studied by academic researchers. The aim of the project is to help people understand the what, why, when, where, and how of testing web applications. The project has delivered a complete testing framework, not merely a simple checklist or prescription of issues that should be addressed.
Readers can use this framework as a template to build their own testing programs or to qualify other people’s processes.