Changing the QA Mindset for Rich Internet Applications

Summary:

Today's Rich Internet Applications (RIAs) bear about as much resemblance to the early Web sites of the 1990s as today's cars bear to a Model T. The principle may be the same, but the underlying technology is radically different. Yet while safety testing for automobiles has improved significantly over the past hundred years, Web-application testing remains stuck in a 1990s mindset. In this week's column, Bryan Sullivan explains that QA must change its testing approach in order to maintain the security of the code.

Rich Internet Applications (RIAs) differ from traditional Web applications in that they offer more elegant, desktop-like user interfaces. With frameworks that include Ajax (Asynchronous JavaScript and XML), Adobe Flash/Flex, Microsoft Silverlight, and Sun JavaFX among others, RIAs allow the developer to create applications that respond immediately to user input, without forcing the user to wait through potentially lengthy round-trip calls to a server. The end result is an improved user experience that rivals a desktop application, with the zero-size footprint of a Web application.

RIAs are also different from traditional Web applications in that a significant amount of application processing can take place on the client machine, which is the source of the RIAs' performance improvements over traditional Web applications. RIAs are faster because much of their code is executed directly on the user's machine; this is a dramatic difference from the early days of the Web when browsers basically behaved like dumb terminals. Their only real purpose was to accept user input, send it to the server, and display the response. All of the real logic processing took place on the server; now, though, the capabilities of the Web browser have greatly expanded.

Virtually every modern browser has inherent support for JavaScript and, through browser add-ins, can run ActionScript (Flash), Java, and even .NET languages like C#. These full-fledged programming languages are capable of performing many of the same tasks as their counterpart code running on the server. Even Flash, which is sometimes thought of as being useful only to provide some graphical eye candy, can easily execute business-logic routines such as compilation of bills of materials or sales tax calculations.
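The sales-tax routine mentioned above makes the point concrete. The following is an added example, not code from the column or from any framework it names: the same business-logic function is bundled into the client for instant feedback and into the server as the authoritative recomputation. The server re-prices every line from its own catalog and ignores the client-supplied prices and total, because anything computed on the user's machine is under the user's control. The tax rates, catalog and carts are constructed sample data, and the field names (`sku`, `qty`, `displayedTotal`) are assumptions.

```javascript
// Added example (not from the original article). Constructed tax table; the
// rates are illustrative, not real jurisdiction rates.
const TAX_RATES = { CA: 0.08, NY: 0.04, OR: 0.0 };

function roundCents(x) { return Math.round(x * 100) / 100; }

// Shared business logic: the identical routine ships in the client bundle
// (for immediate UI feedback) and in the server (as the figure actually charged).
function computeOrderTotal(cart, state) {
  const rate = TAX_RATES[state];
  if (rate === undefined) throw new Error(`unknown tax region: ${state}`);
  let subtotal = 0;
  for (const item of cart) {
    if (!Number.isInteger(item.qty) || item.qty <= 0) throw new Error("bad qty");
    if (!(typeof item.price === "number" && item.price >= 0)) throw new Error("bad price");
    subtotal += item.price * item.qty;
  }
  subtotal = roundCents(subtotal);
  const tax = roundCents(subtotal * rate);
  return { subtotal, tax, total: roundCents(subtotal + tax) };
}

// Client side (runs inside the RIA): compute for display, then submit the cart.
function buildCheckoutRequest(cart, state) {
  const totals = computeOrderTotal(cart, state);
  return { cart, state, displayedTotal: totals.total };
}

// Server side: treat the request as untrusted input. Re-price each line from
// the server's catalog (hypothetical `catalog` map of sku -> unit price) and
// recompute the total; the client's prices and displayedTotal are never charged.
function handleCheckout(request, catalog) {
  const pricedCart = request.cart.map(line => {
    const price = catalog[line.sku];
    if (price === undefined) throw new Error(`unknown sku: ${line.sku}`);
    return { sku: line.sku, qty: line.qty, price };
  });
  const totals = computeOrderTotal(pricedCart, request.state);
  // A mismatch means stale client logic or a modified request. Either way the
  // server's figure is charged; the flag is there so the event can be logged.
  const clientMismatch = request.displayedTotal !== totals.total;
  return { charged: totals.total, clientMismatch };
}

// Stand-alone run with constructed data.
const CATALOG = { A1: 10.0, B2: 2.5 };
const honestCart = [{ sku: "A1", qty: 2, price: 10.0 }, { sku: "B2", qty: 4, price: 2.5 }];
console.log(handleCheckout(buildCheckoutRequest(honestCart, "CA"), CATALOG));
```

The test for QA follows from the split: the client-side function can be exercised for correctness and responsiveness, but the server-side handler must be tested with requests the client never generates (altered prices, altered totals, unknown SKUs), since the RIA's own input validation and arithmetic are not a control the server can rely on.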

About the author

Bryan Sullivan

Bryan Sullivan is a security program manager on the Security Development Lifecycle (SDL) team at Microsoft. He is a frequent speaker at industry events, including Black Hat, BlueHat, and RSA Conference. Bryan is also a published author on Web application security topics. His first book, Ajax Security, was published by Addison-Wesley in 2007.
