The Importance of changing QA mentality for Rich Internet Application (RIA) Security

Rich Internet Applications (RIA) offer crisper desktop UI’s in comparison to traditional web apps. RIAs come with the frameworks such as Flash, Silverlight, Ajax etc. that allow developers to create incredibly responsive apps. The user does not have to wait for long server calls, which results in a smooth user experience that makes it seem to look like a desktop app, but with the low memory burden of a regular web app.

For RIAs, a lot of the app processing takes place on the client device, and therefore RIAs are faster as their code is mostly executed on the local machine. This takes a significant processing load off the server.

On the server, code processing takes away from the performance and slows down websites and apps, and bandwidth is needed for accepting requests and sending responses. Pushing all of these functions to the client device would make the server itself faster and more reliable.

But there’s one problem with taking this kind of road to security.

Let’s go through this in greater detail

The chief security concern is potential hacking of the app source code during execution. Any hacker can pair up a debugging utility with a web browser’s RIA element, and conduct an almost seamless attack on the code. The code that runs at the client level is not under the purview of the developer at all, and even the teams in the organization that own the code do not have any kind of control over it.

The same debugging utilities can be used to completely alter the side-logic of the client machine. Some code statements can be skipped or executed in any order the hacker desires. Values of variables can be changed according to the hacker’s whims, limits on input can be done away with entirely, and other unpleasant commands that the hacker feels like playing around with can be done. The owners of the code are helpless in such a scenario because the code is executed on the client machine. And to reiterate, the code that’s running on the client cannot be checked by the teams who own it. They have no recourse to confirming that the code is run in the way that they originally intended it to run, or even if that same code is executed in the first place.

The importance of QA and Concluding Thoughts

On the client tier, executing business logic is something that would naturally tempt any coder because of the inherent performance advantages over the server. However, because of the security issues discussed above, doing something like hacking obviously entails enormous business risks.

Therefore, it’s imperative that every QA plan for RIAs, guarantees the absence of business logic (bank accounts, customer details, travel plans, loans, etc.) in client code, and that it consists of only presentation logic.

QA teams cannot, in this day and age, continue relying on web browsers as their only RIA testing platform. Now they pretty much have no choice but to closely inspect the nitty-gritty details of the RIA client elements to make sure that the code is entirely free of any hint of business logic. With regard to JavaScript, this process might necessitate the procurement of external script source files. For Silverlight and Flash apps, the teams would need to decompile the DLL or SWF files.

All in all, QA teams must view the source code and dissemblers as part of their domain of professional responsibility. In prior eras, QA teams really didn’t have much of the need to conduct such actions while they tested older traditional web apps, but now the presence of RIAs has greatly increased the range of the responsibilities that the organizations have to undertake. They can’t just rely on simple manual app testing via web browsers.

Cigniti has a decade of expertise in enabling independent testing services, and its team is ahead of the curve in imbibing new technologies. It has developed new frameworks to deliver comprehensive and the best fit testing approaches for the clients and our QA teams are well equipped with the testing knowledge of Rich Internet Application Security.