Risk #1: Web application vulnerabilities
Web application vulnerabilities come in many types and touch security, privacy, and confidentiality alike.
How to check if a web application has vulnerabilities:
• Are regular penetration tests performed?
• Are the programmers trained in web application security?
• Are secure coding guidelines applied in the company?
• Is all the software up to date (server, DB, libraries)?
How a QA tester can make sure that a web application doesn’t have such vulnerabilities:
• Perform regular penetration tests by independent experts.
Risk #2: Operator-sided data leakage
How to check if a web application has data leakage:
• Do the research and check the operator’s reputation and reliability.
• Audit them (before signing the contract or using it):
- Paper-based audit (fair)
- Interview-based audit (good)
- On-site audit and system checks (best)
Risk #3: Insufficient data breach response
How to check if a web application has an insufficient data breach response:
• Incident response plan in place?
• Plan regularly tested (request evidence such as a test protocol)?
• Computer Emergency Response Team (CERT) / Privacy Team in place?
• Monitoring for incidents in place?
How a QA tester can work with an insufficient data breach response:
• Create, maintain, and test an incident response plan.
• Monitor continuously for personal data leakage and loss.
• Notify data owners.
Risk #4: Users consent to everything
How to check if a web application makes users consent to everything:
• Is consent being aggregated or inappropriately used?
How a QA tester can work with users consenting to everything:
• Collect consent separately for each purpose; otherwise people can sign up without knowing what they are signing up for.
• Consent should be voluntary.
Risk #5: Non-transparent policies, terms, and conditions
How to check if a web application has non-transparent policies, terms, and conditions:
• Check if the policies are clear to non-lawyers.
• Check if the data processing terms are written fully in the users’ language.
How a QA tester can check for non-transparent policies, terms, and conditions:
• Deploy the relevant W3C standard and provide an opt-out.
Risk #6: Insufficient deletion of personal data
How to check if a web application deletes personal data insufficiently:
• Inspect the data retention or deletion policies and agreements.
• Evaluate users’ appropriateness.
• Renew deletion protocols.
• Test the processes for handling deletion requests.
Risk #7: Insufficient data quality
How to check if a web application has insufficient data quality:
• Make sure that all the data is correct and up to date.
• Check that personal data can be updated in the app.
• Do regular validation checks, e.g., “Please verify your shipping address.”
• Ask the developers how long data is likely to stay up to date and how often it usually changes.
How a QA tester can check for insufficient data quality:
• Provide an update form.
• Ask users if their data is correct.
QA data quality is a key point of a robust testing strategy. We are happy to share a template so you can make and solidify yours.
Risk #8: Inadequate or missing session expiration
How to check if a web application has inadequate or missing session expiration:
• Is the logout button easy to find and clearly presented?
How a QA tester can check for inadequate or missing session expiration:
• Configure automatic logout after X hours/days, or let the user define the interval.
• Provide an obvious logout button.
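An added example (not code from the original article) of what a tester should expect to find behind the logout button and the "log out after X hours" setting: a server-side session store that enforces an idle timeout and an absolute lifetime, and that really invalidates the session on logout rather than only clearing the cookie. The timeout values and the in-memory store are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

# Assumed policy values (constructed for this example, not the article's numbers):
# log out after 30 minutes of inactivity, and never keep a session beyond 8 hours.
IDLE_TIMEOUT = timedelta(minutes=30)
ABSOLUTE_TIMEOUT = timedelta(hours=8)


@dataclass
class Session:
    user_id: str
    created_at: datetime
    last_seen: datetime
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """Server-side session table; a cookie is only as good as the record behind it."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self.idle, self.absolute = idle, absolute
        self._sessions: dict[str, Session] = {}

    def login(self, user_id: str, now: datetime) -> str:
        session = Session(user_id, created_at=now, last_seen=now)
        self._sessions[session.token] = session
        return session.token

    def validate(self, token: str, now: datetime):
        """Return the user_id for a live session, else None. Refreshes the idle timer."""
        session = self._sessions.get(token)
        if session is None:
            return None
        idle_expired = now - session.last_seen > self.idle
        absolute_expired = now - session.created_at > self.absolute
        if idle_expired or absolute_expired:
            # Drop the record so a replayed cookie cannot revive the session.
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.user_id

    def logout(self, token: str) -> bool:
        """Explicit logout removes the server-side record; returns False if none existed."""
        return self._sessions.pop(token, None) is not None
```

A tester can exercise the same three paths against a real application: reuse a cookie after the idle window, keep a session active past the absolute limit, and replay a cookie after pressing logout.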
Risk #9: The inability of users to get and modify their data
How to check whether users can get and modify their personal data:
• Check that the data can be accessed, changed, or deleted through the account settings.
• Verify that the company responds promptly to access requests, including those involving other IT systems.
How a QA tester can check whether users can get and modify their personal data:
• Check for simple ways of accessing, changing, or deleting their data in a secure environment protected by encryption, so that no one but the user can access it.
Bonus tips on preventing privacy risks in web applications
There are many more privacy and confidentiality risks that we cannot cover here: surveillance breaches, lack of control by authorities, and so on. The quality assurance team is the one that must take action and work in sync with developers to avoid these risks.
It is hard to handle this kind of work without proper tools, and the AI-powered aqua cloud is the solution to help with quality assurance compliance, bug tracking, test execution, and data migration. Identify the risks quickly and eliminate them efficiently with aqua.