
Page 269

Synthetic Transactions

Synthetic transactions, or synthetic monitoring, involve building scripts or tools that simulate activities normally performed in an application. The typical goal of using synthetic transactions/monitoring is to establish expected norms for the performance of these transactions. These synthetic transactions can be automated to run on a periodic basis to ensure the application is still performing as expected. These types of transactions can also be useful for testing application updates prior to deployment to ensure the functionality and performance will not be negatively impacted. This type of testing or monitoring is most commonly associated with custom developed web applications.

The Microsoft TechNet article “Monitoring by Using Synthetic Transactions” describes synthetic transactions: “For example, for a Web site, you can create a synthetic transaction that performs the actions of a customer connecting to the site and browsing through its pages. For databases, you can create transactions that connect to the database. You can then schedule these actions to occur at regular intervals to see how the database or Web site reacts and to see whether your monitoring settings, such as alerts and notifications, also react as expected” [6].
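A small synthetic-transaction monitor in the spirit of the section above, added here as an example (it is not code from the book or from the TechNet article): each step stands in for one user action, the first healthy runs establish the expected norm for each step, and later runs are compared against that norm so a failed step or a slowdown raises an alert that a scheduler or monitoring system can act on. The step callables, the ScriptedClock, and all latencies are constructed stand-ins so the example runs offline; a real deployment would have each step issue an HTTP request and run the transaction from cron or a scheduler.

```python
import statistics
import time
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class SyntheticMonitor:
    """Runs a scripted transaction and compares each step with its learned norm."""
    steps: dict[str, Callable[[], bool]]  # name -> simulated user action, True on success
    clock: Callable[[], float] = time.perf_counter
    min_samples: int = 5          # healthy runs needed before a baseline is trusted
    slowdown_factor: float = 2.0  # alert when a step takes longer than factor * median
    history: dict[str, list[float]] = field(default_factory=dict)

    def run_once(self) -> tuple[dict[str, float], list[str]]:
        """One scheduled run: returns latency per completed step and any alerts."""
        timings, alerts = {}, []
        for name, step in self.steps.items():
            start = self.clock()
            try:
                ok = bool(step())
            except Exception:  # a raising step counts as failed, not as a monitor crash
                ok = False
            timings[name] = elapsed = self.clock() - start
            if not ok:
                alerts.append(f"{name}: step failed")
                break  # later steps depend on this one, so stop the transaction
            samples = self.history.setdefault(name, [])
            if len(samples) >= self.min_samples:
                baseline = statistics.median(samples)
                if elapsed > self.slowdown_factor * baseline:
                    alerts.append(f"{name}: {elapsed:.3f}s exceeds {self.slowdown_factor}x baseline {baseline:.3f}s")
            samples.append(elapsed)  # only healthy runs shape the expected norm
        return timings, alerts

class ScriptedClock:
    """Constructed clock for offline runs: every second call adds the next latency."""
    def __init__(self, latencies: list[float]):
        self.pending, self.now, self.calls = list(latencies), 0.0, 0
    def __call__(self) -> float:
        if self.calls % 2 == 1:  # odd calls are "end of step" reads
            self.now += self.pending.pop(0)
        self.calls += 1
        return self.now

def demo() -> list[str]:
    """Five healthy runs build the baseline; the sixth has a slow checkout page."""
    steps = {"load_home": lambda: True, "load_checkout": lambda: True}
    mon = SyntheticMonitor(steps, clock=ScriptedClock([0.10, 0.20] * 5 + [0.11, 0.90]))
    return [mon.run_once()[1] for _ in range(6)][-1]  # alerts raised by the last run
```

Deliberately breaking a step (or slowing it) in a staging copy is also a cheap way to confirm that the alerting path itself reacts, which the TechNet passage lists as a goal of the exercise.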

Application Security Testing

Software testing can be considered a specialized subset of security control testing, focusing on the security of an organization’s applications. There are a variety of software testing methods. In addition to testing the features and stability of the software, testing increasingly focuses on discovering specific programmer errors that could lead to vulnerabilities that risk system compromise, including a lack of bounds checking.

Unlike off-the-shelf applications, custom developed applications don’t have a vendor providing security patches on a routine basis. The onus is on the organization developing the application to discover these flaws. Source code review of custom developed applications is one of the key approaches employed in application security.

Two general approaches to automated code review exist: static and dynamic analysis. The CISSP® also calls out manual code review, which simply implies a knowledgeable person reviewing the code manually. Pair programming, employed in agile software development shops, could be considered an example of manual source code review.