Web applications are so prevalent these days that their security testing should always be treated as a high priority and planned for accordingly, rather than left as an afterthought.
Michael Mullins has a good article over at Techrepublic.com, “Ask these key questions to test application security”. Besides stating the obvious (“Companies should conduct application testing from both an authorized user’s and an unauthorized user’s perspective. This testing should include all systems that make up the application. The complexity of your testing should depend on whether the organization created the application or contracted a reputable vendor to do the work.”), the author provides a good list of key questions to ask of designers and testers alike:
Scripting: Can you perform administrative functions remotely from the Internet? Could someone script an attack that overwhelms the application?
Enumeration: Is it possible to enumerate account information of other users?
Sessions: Have you based tokens on some easily re-created variable, such as sequential or time and date?
Error handling: Does your application reveal any useful information about the products used to create the application?
Field variables: Have you fixed SQL injection and buffer overflows that take advantage of system calls to unauthorized programs?
Code commenting: Have you cleansed HTML source code of all comments and metadata that doesn’t serve an end-user function?
Session time-out: Do sessions expire after a reasonable period of time?
Session cache: Does information expire to prevent someone from replaying a session?
Network parameters: Have you thoroughly documented ports and protocols and filtered them for content and source origination?
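The Sessions, Session time-out and Session cache questions above are concrete enough to turn into an actual test. The Python below is an added example, not code from Mullins' article or the Braidy Tester's list: a toy session store that can issue tokens either from a sequence number plus the issue time (the "easily re-created variable" the checklist warns about) or from the OS random generator, and a tester's check that tries to recreate another user's token from its own session. The 900-second time-out, the user names and the login times are assumptions made for the illustration.

```python
# Added example, not from the article: weak vs. strong session tokens, and a
# tester's check that tries to recreate a neighbouring user's session.
import hashlib
import secrets

SESSION_TTL = 900  # seconds; assumed "reasonable period" for the time-out question


def weak_token(counter: int, issued_at: float) -> str:
    """Token derived from a sequential counter and the issue time (whole seconds).
    Looks random, but anyone who knows the scheme can recreate it."""
    return hashlib.sha256(f"{counter}:{int(issued_at)}".encode()).hexdigest()


class SessionStore:
    """Maps session tokens to (user, issued_at). weak=True uses weak_token();
    weak=False uses 256 bits from the OS CSPRNG."""

    def __init__(self, weak: bool, ttl: int = SESSION_TTL):
        self.weak = weak
        self.ttl = ttl
        self.counter = 0
        self.sessions = {}  # token -> (user, issued_at)

    def issue(self, user: str, now: float) -> str:
        self.counter += 1
        token = weak_token(self.counter, now) if self.weak else secrets.token_hex(32)
        self.sessions[token] = (user, now)
        return token

    def lookup(self, token: str, now: float):
        """Return the user for a live token, or None if unknown or expired.
        Expired entries are dropped so an old token cannot be replayed."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, issued_at = entry
        if now - issued_at > self.ttl:
            del self.sessions[token]
            return None
        return user


def recreate_token(store: SessionStore, own_token: str, own_time: float, now: float,
                   max_counter_gap: int = 50, time_window: int = 120):
    """Tester's check for the Sessions question. The tester knows the token
    scheme (from design review) and roughly when they logged in. Step 1: recover
    their own counter by brute force. Step 2: walk forward over nearby counters
    and seconds, using the server as an oracle for 'is this a live session'.
    Returns the other user reached, or None if the scheme resists the check."""
    own_counter = None
    for c in range(1, 10_000):
        for t in range(int(own_time) - 5, int(own_time) + 6):
            if weak_token(c, t) == own_token:
                own_counter = c
                break
        if own_counter is not None:
            break
    if own_counter is None:
        return None  # own token cannot be reproduced: not derived from counter/time
    for c in range(own_counter + 1, own_counter + max_counter_gap + 1):
        for t in range(int(own_time), int(own_time) + time_window + 1):
            user = store.lookup(weak_token(c, t), now)
            if user is not None:
                return user
    return None


def run_check(weak: bool, now0: float = 1_700_000_000.0):
    """Constructed scenario: the tester logs in, a victim logs in 37 s later,
    and the tester runs the recreation check a minute after logging in."""
    store = SessionStore(weak=weak)
    own = store.issue("tester", now0)
    store.issue("victim", now0 + 37)
    return recreate_token(store, own, now0, now=now0 + 60)


def expiry_check(now0: float = 1_700_000_000.0):
    """Session time-out / cache questions: token is valid up to the TTL and
    rejected one second past it. Returns (user_before, user_after)."""
    store = SessionStore(weak=False)
    token = store.issue("alice", now0)
    return store.lookup(token, now0 + SESSION_TTL), store.lookup(token, now0 + SESSION_TTL + 1)


if __name__ == "__main__":
    print("weak scheme, check reaches:", run_check(weak=True))    # victim
    print("strong scheme, check reaches:", run_check(weak=False))  # None
    print("expiry (before, after):", expiry_check())               # ('alice', None)
```

The forward search succeeds against the weak scheme because the whole search space is a few thousand (counter, second) pairs and the server acts as an oracle for each guess. With the random scheme the tester cannot even reproduce their own token, and a 256-bit token cannot be enumerated, so the check comes back empty; that is the outcome a designer should be able to demonstrate when asked the Sessions question.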
The Braidy Tester at Microsoft also offers an extensive list of things to look out for, security included: http://blogs.msdn.com/micahel/articles/175571.aspx. His list also covers some major security exploits such as SQL Injection.
But neither author mentions Cross Site Scripting, which is arguably getting a lot of attention lately. I will talk more about SQL Injection and Cross Site Scripting later.