web application testing / risk assessment

pma111 used Ask the Experts™
Are there any standard sets of testing that would be mandatory if you have a web application that you know, through a re-design, will soon attract far more traffic than it does at present? We use a SaaS application for one of our customer-facing apps, and they are trying to push more customer interaction through the site/app than it offers at present, so it will be handling more traffic and data. There are already some concerns around performance etc. as is, so we want to ensure our risk teams are verifying that the data owners have got some assurances from the suppliers that this will be fit for purpose once the new features of the app are made available to customers/service users. I will try to find some form of skeleton plan for the basic tests/risks that we need to delve further into. Obviously all levels of the technology stack behind the application require assessment/consideration. Although I appreciate each application is different, there must be some standard broad-level test categories that would be consistent for all. I'm not sure what assurances we could get directly from the SaaS providers or how to construct the queries, so any assistance with probing questions would be most useful.
Fractional CTO
Distinguished Expert 2018
Securing APIs is fairly easy.

1) Require authentication to use API services.

2) Block brute force login attempts.

My approach is using Fail2Ban (ported to all OSes) to camp on all application authentication logs looking for 3 failed password attempts over a 1-hour window, then blocking the IP for 1 hour. Fail2Ban automates this process so there's no manual IP whitelisting/blacklisting time spent.

3) Also rate limit your API requests, else you may have clients writing faulty code which crashes your API or causes performance degradation, when code calls your API repeatedly... in a tight loop... from a machine with a fast Internet connection.
Make sure to:
• Review all cloud interfaces for security vulnerabilities.
• Implement multi-factor authentication.
• Require strong, complex passwords.
• Provide an account lockout feature after a certain number of failed access attempts.
• Configure alerts and notifications for security events.
• Implement effective and secure access management controls.
• Encrypt data at rest and in transit.
• Implement effective and secure appropriate identity and access management.
• Implement a data classification and information handling policy.
• Implement tools like data leakage prevention and SIEMs to monitor and detect classified data leaked from endpoints, web portals, and cloud services.
• Implement privacy by design.
• Anonymize personal data.
• Do not use components that you did not write (when practical).
• Establish policies regarding the use of third-party components in your software projects, such as selection criteria, required licensing provisions, testing, and maintenance practices.
• Know all of the third-party components and the versions your software uses, including all dependencies.
• Remove any third-party components that are present in the project, but not actually invoked at run-time.
• Monitor any vulnerabilities of third-party components you use, through issue-tracking and vulnerabilities databases, project mailing lists, and security mailing lists.
• If possible, include dependency checks in your build process, using a tool such as the free OWASP Dependency-Check project to quickly compile a list of a project's software dependencies and identify those with known vulnerabilities and exploits.
• Refer to OWASP for a comprehensive list of recommendations.
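The Fail2Ban policy described above (3 failed logins within a 1-hour window, then a 1-hour block) and the "account lockout after a certain number of failed access attempts" bullet both come down to the same sliding-window rule. The following added example, which is not code from the original posts or from the Fail2Ban project, implements that rule in Python over constructed sample log lines so the behaviour can be checked before writing the real jail; the log format, the regex and the addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample application auth log (syslog-style); not from the original post.
# 203.0.113.7 fails three times inside 46 minutes; 198.51.100.9 fails three times
# but spread over more than an hour, so it must NOT be blocked.
SAMPLE_LOG = """\
2024-03-01 10:00:05 app[1234]: Failed login for user alice from 203.0.113.7
2024-03-01 10:20:11 app[1234]: Failed login for user alice from 203.0.113.7
2024-03-01 10:45:30 app[1234]: Failed login for user bob from 203.0.113.7
2024-03-01 10:50:00 app[1234]: Failed login for user carol from 198.51.100.9
2024-03-01 12:10:00 app[1234]: Failed login for user carol from 198.51.100.9
2024-03-01 12:30:00 app[1234]: Failed login for user carol from 198.51.100.9
2024-03-01 12:40:00 app[1234]: Failed login for user dave from 203.0.113.7
"""

# Plays the role of a Fail2Ban failregex: capture the timestamp and the source host.
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*Failed login for user \S+ from (?P<host>\S+)$"
)

MAXRETRY = 3                     # Fail2Ban maxretry: failures allowed in the window
FINDTIME = timedelta(hours=1)    # Fail2Ban findtime: length of the sliding window
BANTIME = timedelta(hours=1)     # Fail2Ban bantime: how long the block lasts


def scan(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {host: datetime the block started} for every host that reaches
    maxretry failures inside a sliding findtime window. Lines from a host whose
    block is still active are skipped, as the firewall would drop that traffic."""
    recent = defaultdict(deque)   # host -> timestamps of failures still in the window
    bans = {}                     # host -> time the block started
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                                  # not a failed login, ignore
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        if host in bans and ts < bans[host] + bantime:
            continue                                  # still blocked, nothing to count
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > findtime:   # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:                   # threshold reached: block the host
            bans[host] = ts
            window.clear()
    return bans
```

Lowering maxretry or widening findtime in the call shows how much a tighter policy changes which hosts get blocked, which is the tuning question to settle with the SaaS supplier before traffic grows.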
