Web Application Security Testing should be part of QA Testing

Tram Ho

A software company that develops software and web applications normally has a testing or QA (quality assurance) team that continually checks the products the company builds to make sure they work as expected and without errors. Large companies invest hundreds of thousands or even millions of dollars to automate parts of the testing process and ensure high-quality products.

Web applications still have many bugs

So why are websites and web applications still being hacked every day? For example, in April 2013 a vulnerability that allowed attackers to remotely execute malicious code on a victim's web server was found in two of the most popular WordPress plugins. Why was this type of bug (a development bug like any other), which puts a customer's business data and operations at risk, not caught by the testing or QA team?

Only check the functionality of the web application

Although software companies have teams that find functional failures, most have nothing that looks for security flaws. In practice, when a developer adds a button to the web interface, the button's expected behaviour is usually documented so that a tester can verify it. There is, however, no process to check the code behind the button and confirm that it cannot be abused or exploited. This is mainly because many companies still separate functional testing (QA) from security testing, and management has not clearly understood how badly an exploited security issue can affect a customer's business.

Web applications should be tested for vulnerabilities throughout the development lifecycle

Security testing of web applications and software must be part of the software development life cycle (SDLC), alongside the usual QA testing. If a security hole is found at a later stage, or by a customer, it annoys the customer and costs far more to fix. Developers already write unit tests when they code a new function; the testing team should likewise check and confirm that the new function is secure and cannot be abused.

Developers typically say they follow coding standards, yet once their work is complete it is still tested repeatedly, and the company still invests in a department whose job is to re-test that code. So why not also check that code for web application vulnerabilities? Unless the developers are experienced hackers, their code should never be released until it has passed an appropriate security audit.

After all, a security hole is just another software bug. Take a field on a web application that accepts a user's name and is supposed to accept only text. The testing team checks that text input is accepted and stored successfully. The same test case can also check what happens with special characters: if input containing markup or script is sent back to the page and executed by the browser, that is a security bug.

Specifically, enter the following string into the field: <script>alert(1);</script>. If this input is rendered unencoded and executed by the web application, a popup alert appears, and that is a security bug (cross-site scripting).

Automatically Scanning for Web Application vulnerabilities

The QA team can use web application security scanners to detect vulnerabilities in the code. These scanners let users find vulnerabilities in web applications automatically, even if they are not security experts. Such tools also help developers understand the vulnerabilities and train them to write more secure code in the future. By automating web application security testing you save money and time and reduce the chance that a vulnerability is missed. Keep in mind that a scanner finds only the classes of issue it knows how to test for; business-logic flaws still need a manual review.

EXAMPLE: One of the most widely used web application scanners today is OWASP Zed Attack Proxy (ZAP). ZAP is a free, popular tool maintained by a community of volunteers around the world. It is also useful during manual testing, because it can crawl and scan the site automatically while you work through it by hand. See a more detailed walkthrough at: https://viblo.asia/p/zap-tool-cho-nguoi-moi-bat-dau-naQZRxrd5vx

Develop safe software and web applications

As we have seen, there are enough reasons and advantages for security testing to be done together with functional testing. You can never assume that a web application is secure, just as you can never assume that it works properly, which is why companies invest in QA teams. After all, a web application vulnerability is just another software bug!

Security testing is one of the most important tests for an application: it checks whether confidential data is actually kept confidential. In this type of testing the tester plays the role of an attacker, probing the system for possible vulnerabilities in order to find security-related bugs. Security testing plays a very important role in software engineering in protecting data in every way.

Reference source: https://www.netsparker.com/blog/web-security/web-application-security-tests-included-in-functionality-qa-tests/


Source : Viblo