Best practices Auditability
7 mins read
October 29, 2021

Checklist for QA teams to prevent top 9 privacy vs confidentiality risks in web applications

Providing privacy and confidentiality for web applications is a task for quality assurance specialists too. Identifying the real-life risks and understanding the legal requirements is the first step in solving such issues. We will go through the acute risks to web application confidentiality, highlighting possible solutions for each of them from the QA team's and developers' side.

Kirill Chabanov

Risk #1: Web application vulnerabilities 

Web application vulnerabilities come in many types, and they touch security, privacy, and confidentiality alike.

How to check if a web application has vulnerabilities:

✅ Are regular penetration tests performed?
✅ Are the programmers trained regarding web apps security?
✅ Are there secure coding guidelines applied in the company?
✅ Is all the software up-to-date (server, DB, libs)?

How a QA tester can make sure that a web application doesn’t have such vulnerabilities:

✅ Perform regular penetration tests by independent experts

Risk #2: Operator-sided data leakage

How to check if a web application has data leakage:

✅ Do the research and check the operator's reputation and reliability
✅ Audit them (before signing the contract or using the service):
  • Paper-based audit (fair)
  • Interview-based audit (good)
  • On-site audit and system checks (best)

Risk #3: Insufficient data breach response

How to check if a web application has an insufficient data breach response:

✅  Incident response plan in place?
✅  Plan regularly tested (request evidence like a test protocol)?
✅  Computer Emergency Response Team (CERT) / Privacy Team in place?
✅  Monitoring for any incidents in place?

How a QA tester can work with an insufficient data breach response:

✅  Create, maintain & test an incident response plan
✅  Monitor all the time for personal data leakage and loss
✅  Notify data owners

Risk #4: Users consent to everything

How to check if a web application bundles consent for everything:

✅  Is consent being aggregated or inappropriately used?

How a QA tester can address bundled consent:

✅  It’s essential to collect consent separately for each purpose because not doing so can lead people to sign up without knowing what they are signing up for;
✅  Consent should be voluntary.

Risk #5: Non-transparent policies, terms, and conditions

How to check if a web application has non-transparent policies, terms, and conditions:

✅  Check if the policies are clear to non-lawyers;
✅  Check if the data processing terms are fully available in the users' language.

How a QA tester can address non-transparent policies, terms, and conditions:

✅  Deploy the relevant W3C standard and provide an opt-out.

Risk #6: Insufficient deletions of personal data

How to check if a web application deletes personal data insufficiently:

✅  Inspect the data retention or deletion policies and agreements;
✅  Evaluate users’ appropriateness;
✅  Renew deletion protocols;
✅  Test processes for deletion requests.

Risk #7: Insufficient data quality

How to check if a web application has insufficient data quality:

✅  Make sure that all the data is correct and up-to-date;
✅  Ensure that personal data can be updated in the app;
✅  Do regular validation checks, e.g., "Please verify your shipping address.";
✅  Ask the developers how long data is likely to stay up to date and how often it usually changes.

How a QA tester can check for insufficient data quality:

✅  Provide an update form;
✅  Ask users if their data is correct.

QA data quality is a key point of a robust testing strategy. We are happy to share a template so you can make and solidify yours.


Risk #8: Inadequate or missing session expiration

How to check if a web application has inadequate or missing session expiration:

✅  Is the log-out button easy to find and prominently placed?

How a QA tester can address inadequate or missing session expiration:

✅  Configure automatic logout after X hours/days, or let the user define the timeout;
✅  Provide an obvious logout button.
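As an added example (not the article's or aqua's own code), the two items above expressed as session logic: an idle timeout the user may shorten or lengthen within a policy ceiling, plus an absolute lifetime that ends the session regardless of activity. Every timeout value, the `Session` shape and the timeline are assumptions:

```python
"""Idle/absolute session expiration (Risk #8). Added example, not the
article's or aqua's code; every timeout value here is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_IDLE = timedelta(minutes=30)   # assumed policy default
MAX_USER_IDLE = timedelta(hours=2)     # ceiling for "user-defined" timeouts
ABSOLUTE_MAX = timedelta(hours=12)     # "log out after X hours" regardless of activity

@dataclass
class Session:
    user: str
    created_at: datetime
    last_seen: datetime
    idle_timeout: timedelta = DEFAULT_IDLE

def set_user_idle_timeout(s: Session, requested: timedelta) -> timedelta:
    """Let the user choose an idle timeout, but never beyond the policy ceiling."""
    s.idle_timeout = max(timedelta(minutes=1), min(requested, MAX_USER_IDLE))
    return s.idle_timeout

def check_session(s: Session, now: datetime) -> Optional[str]:
    """None while the session is valid, otherwise the reason it expired."""
    if now - s.created_at > ABSOLUTE_MAX:
        return "absolute"
    if now - s.last_seen > s.idle_timeout:
        return "idle"
    return None

def touch(s: Session, now: datetime) -> Optional[str]:
    """Per-request hook: validate first, extend the idle window only if valid."""
    reason = check_session(s, now)
    if reason is None:
        s.last_seen = now
    return reason

def run_scenario() -> dict:
    """Constructed timeline a QA tester could replay against a real app."""
    t0 = datetime(2021, 10, 29, 9, 0, tzinfo=timezone.utc)
    s = Session("alice", created_at=t0, last_seen=t0)
    out = {"active": touch(s, t0 + timedelta(minutes=20))}          # None
    out["idle"] = touch(s, t0 + timedelta(minutes=20 + 31))         # 'idle'
    s2 = Session("bob", created_at=t0, last_seen=t0)
    out["capped"] = set_user_idle_timeout(s2, timedelta(days=30))   # clamped to 2 h
    for m in range(60, 13 * 60 + 1, 60):                            # hourly activity
        last = touch(s2, t0 + timedelta(minutes=m))
    out["absolute"] = last                                          # 'absolute' at 13 h
    return out
```

A tester can use the same timeline against a live application: stay idle past the configured window, then keep clicking past the absolute limit, and confirm the app logs out in both cases.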

Risk #9: The inability of users to get and modify data

How to check whether users can get and modify their personal data:

✅  Check that the data can be accessed, changed, or deleted through the account settings;
✅  Verify that the company responds promptly to access requests, including those handled through other IT systems.

How a QA tester can help ensure users can get and modify their personal data:

✅  Check for simple ways of accessing, changing, or deleting their data in a secure environment that is protected by encryption so no one else can access it but them.

Bonus tips on preventing privacy risks in web applications

There are many more privacy and confidentiality risks that we could not cover here: surveillance breaches, lack of control from authorities, etc. The quality assurance team is the one that must take action and work in sync with developers to avoid these risks.

It is hard to handle this type of work without proper tools, and AI-powered aqua cloud is the solution to help with quality assurance compliance, bug tracking, test execution, and data migration. Identify the risks quickly and eliminate them efficiently with aqua.
