Question
Problem Statement: Applications Security Testing (AST)
Financia Pvt. Ltd. has just finished the development of its web-based application. The product has gone through rigorous inspections, reviews and functional tests. They are projecting that this application will be used by millions of end users. As part of stringent quality standards, they have to perform a security test of their application. The testing team has no prior experience of performing any security-related testing, but the technical lead is emphasizing that SQLi be performed before any other security-related testing.
Since the testing team is left with limited time, they have decided to go with hit and trial. For penetration testing, they are planning to conduct SAST with Insider, a very popular security testing tool. The test lead has asked his assistant to check for possible vulnerabilities of the web server while doing SAST.
The team was able to successfully inject some malicious SQL script through the application's interface.
Required:
- [02 marks] After reviewing the above scenario, highlight the mistakes that have been made by the testing team.
- [01 mark] If you had been part of management, what would your decision related to AST have been?
- [01 mark] Which type of testing, other than AST, is Financia Pvt. Ltd. missing out on?
- [01 mark] How will the developers make sure to avoid/stop the SQLi?