Editing

profileSashraf
cis_542_week_5_lab_5.docx

Running Head: LAB 5 1

LAB 5 7

Lab 5

Gretchen Greene

Nathan Stewart, PhD

May 8, 2017

Executive Summary

As with any new technology, risks can arise in e-commerce that is not common to those traditional “brick-and-mortar” stores. A huge concern for e-commerce applications is credit/debit card use. Major damage can be done to an organization if the credit/debit card transactions are not secured in terms of financial fraud, loss of consumer confidence, identity theft, or legal regulations.

Online Goodies provides custom promotional gifts to corporate customers and is an Internet-based company. Some of their products include mugs, computer accessories, t-shirts, and office décor. The majority of its income comes from online credit card purchase. They give their repeat customers a discount based on their annual purchase amount.

This report is to create a test plan for Online Goodies based on the OWASP standards. The report includes an overview and rationale of all of the tests performed including a brute force test, an authentication test, privilege escalation test, code injection test, and web application fingerprint test.

Table of Contents

Executive Summary……………………………………………………………………………….2

Table of Contents………………………………………………………………………………….3

Types of Test Being Performed…………………………………………………………………...4

Test Plan for Online Goodies Site According to OWASP Standards……………………………..4

Rationale for Testing Used………………………………………………………………………..4

References…………………………………………………………………………………………7

Types of Tests Performed

The least expensive way to reduce costs and risks and improve software quality is to catch deficiencies as early as possible. To understand the guidelines for testing the OWASP Testing Guide was used. The tests used in this plan are: Usability Testing, Unit Testing, Interface Testing, Integration Testing, Functionality Testing, Performance Testing, Security Testing, Authentication and Authorization Testing, Privilege Escalation Testing, and Web Application Fingerprint Testing.

Test Plan for Online Goodies Site

The purpose of his test plan is to ensure the Goodies site meets all of its business, functional, and technical requirements. The test plan describes the schedule of test activities, test plan strategy, activities, resources, and scope. This document will identify the features on the site to be tested, the testing tasks, the user assigned to each task, each testing environment, techniques, explanation of options, and risks.

Before actually testing the site, you have to create test cases. This is the sample data which will be used to go through the system. These can be created as soon as the requirements are received. Additional test cases should be created to test other aspects of the system due to its complexity.

Explanation of Testing

Usability testing is one of the most important aspects of building a website. Users are not going to take the time to try to use a website that is poorly designed. We are used to being able to adapt to a website quickly. Usability testing evaluates a website by having the users test it. Users testing the site verify controls and navigation is working properly.

White box testing is done by a full access user who has access to architecture documents and coding. The user with full access has the ability to do more in depth testing. This allows vulnerabilities and risks to be discovered faster than when testing using the black box method.

Unit testing tests the requirements. Each part of the program is tested separately to make sure it’s working properly. The earlier a bug is found the lower in cost it is to fix. Unit testing is part of White box testing and is done before integration testing.

Interface testing tests the communication between different software systems. This testing checks to ensure end-users are able to use the system without any problems. It also checks to see that the system is user-friendly. Interface testing also verifies the application server can handle a network failure to the website should there be a problem.

Integration testing tests all units of the system together. Testing as a system often causes bugs to occur. Integration testing occurs after the unit testing has been completed and is part of black box testing. It checks features but also checks data flow between those modules and features.

Black box testing tests the system, design, and source code. The user’s point of view helps expose discrepancies in the specifications. The goal is to ensure the application works. Integrations, system, and acceptance testing make up black box testing.

Functionality testing tests business requirements of the application. Functionality testing covers the functional part of the application like integration of search and data manipulation. Functional testing is done to make sure invalid negative test results and erroneous inputs are generated. Features that are checked are homepage, information, terms, privacy policy, returns, and about pages.

Security testing checks the site for vulnerabilities and unauthorized access. Online Goodies accepts credit card payments making security a high priority. The security testing will use the six basic concepts which are: confidentiality, integrity, authentication, availability, authorization, and non-repudiation. The website will need comprehensive security testing to ensure everything is secure to protect customers’ information.

Web application fingerprinting tests for popular vulnerabilities attacking applications and web servers. This type of testing is important for penetration testing. The fingerprint will show what information is available in a possible attack.

Privilege escalation testing is used to ensure account access controls are working and used properly. It exploits a bug or design flaw to hack the system and get user access with elevated access which should normally be protected from the user. This is a form of penetration testing.

References

Chavhan, A. (2016). What is Walkthrough in Software Testing? Retrieved from:

http://www.softwaretestingandistqb.com/what-is-walkthrough-in-software-testing/

OWASP. (2013). Handling E-Commerce Payments. Retrieved from:

https://www.owasp.org/index.php/Handling_E-Commerce_Payments

OWASP. (2013). Improving Web Application Security: Threats and Countermeasures.

Retrieved from: http://msdn.microsoft.com/library/default.asp?url=/library/en-

us/dnnetsec/html/ThreatCounter.asp

E-commerce Special Interest Group PCI Security Standards Council. (2013). Information

Supplement: PCI DSS E-commerce Guidelines. Retrieved from:

https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf