Privacy and Security

Browser Standards and Web Application Security as Part of QA

While I agree with the suggestion of Richard Mayo to support current and -1 versions of popular browsers, my concern is a bit more generic with a security twist. I had this problem a few years ago with a government e-commerce web app called WAWF, managed by DISA. Here were my concerns then:

I was helping my father with a long-term problem he was having with this new electronic proposal and payment system. Unlike the previous system, which was platform- and browser-agnostic, this WAWF system exclusively supports Internet Explorer 6 and 7. I found this to be disturbing not only because it reflects a reduced capability for the small and medium business end users, but also because it forces a proprietary vendor solution, which used to be a violation of acquisition policy. In addition, it forces the very solution against which the Federal Department of Justice sued Microsoft in 1998 for anti-competitive practices. The following items are a short summary of the major web application and minor web page issues:

• WAWF supports only Internet Explorer 6 and 7 (no Firefox, Safari, Linux or Mac OS X support)

• WAWF requires ActiveX Controls to operate (any client-side script execution is security-adverse, but ActiveX is Microsoft proprietary and the subject of many recent security concerns)

• WAWF requirements definition link on the website is only viewable via IE (i.e., you can't verify your HW/SW requirements unless you already comply)

• Saving interim progress in completing forms is not possible under the current application implementation, forcing users to begin anew if any interruption or failure occurs.

There are minimum standards which enable any modern browser to adequately access a web site and its content. Poor acquisition requirements allow the current "IE only" (and often version-specific) government applications to proliferate. Forcing users to run the arguably most insecure browser variants is not only ridiculous, but also can be grounds for legal and administrative actions. In addition, the applications need to have web application security checks throughout the life-cycle, from development through deployment. Several free open source and commercial products are available, with the OWASP.org community documenting security vulnerabilities.


4 votes
Active
Idea No. 166