08 May 2009

What's the Scope for Accessibility Testing?

All forms of testing require a definition of scope. Testing accessibility requires the whole web page to conform—what does this mean for security?

I will be presenting "Can an Accessible Web Application be Secure?" at OWASP AppSec EU09 in Kraków next Thursday. I will be showing the following diagram, based on a similar Venn diagram by Whittaker and Thompson (2003), which demonstrates how the client's requirements and what the development team intend to build always differ. But the important thing is: what the application does is something else completely:

Venn diagram with three equally sized overlapping ellipses labelled 'What the client wanted', 'What the development team thought they built' and 'What the application actually does'

Many security vulnerabilities occur in the region of what the application actually does that neither the client wanted nor the development team intended to build. This gets more complicated when we consider a client who wants a usable website, and perhaps one conforming to a particular level of the Web Content Accessibility Guidelines (WCAG) 2.0 (see also Security Implications of WCAG 2.0):

Venn diagram with five equally sized overlapping ellipses labelled 'What the client wanted', 'What the development team thought they built', 'Usable features', 'Accessible features' and 'What the application actually does'

What the application actually does is usually not fully known. If we want the whole web site to conform to WCAG 2.0 Level AA, what should be tested against the success criteria: the client's specified requirements, the developed product's documentation, or what the application actually does?

Fortunately WCAG 2.0 provides guidance on conformance claims, which states that a claim can be made for a single page unless that page is part of a complete process, in which case every page of the process must conform at the specified level or better.

[A] process [is a] series of user actions where each action is required in order to complete an activity

Does a single security vulnerability (i.e. additional undocumented functionality, which is also not accessible) on a web page, or within a process, then imply that the page or process cannot conform to any WCAG conformance level?

The second Venn diagram above with the overlap between 'Accessible features' and 'What the application actually does' highlighted, and the remaining 'What the application actually does' highlighted

Therefore methods used for security verification, which set out to discover what the application actually does rather than what it is documented to do, are necessary to have sufficient assurance of the conformance level. I believe the argument is very strong. What do you think?
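As an added illustration (this code is not from the original post), the following script treats the scope question the way a security tester would: it discovers the pages of a process by crawling from its start page instead of trusting the documented page list, runs two automated Level A checks (text alternatives for images, SC 1.1.1, and labels for form inputs, SC 3.3.2) on every page it reaches, and only allows a conformance level to be claimed for the process if every reached page passes. The site, its hostname (example.test) and its pages are constructed in memory; a real run would replace the fetch function with HTTP requests, and automated checks cover only a small fraction of WCAG 2.0, so a passing result here is a necessary condition for a claim, not a sufficient one.

```python
"""Scope of accessibility testing: documented pages versus what the
application actually serves (added example with a constructed site)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory site standing in for a checkout "process" in the WCAG
# sense. The documentation lists three pages, but the application also serves
# an undocumented /admin/discount page reachable from the payment page.
SITE = {
    "http://example.test/cart": """<html><body><h1>Cart</h1>
        <img src="cart.png" alt="Your cart">
        <a href="/checkout">Checkout</a></body></html>""",
    "http://example.test/checkout": """<html><body><h1>Checkout</h1>
        <form action="/pay"><label for="addr">Address</label>
        <input id="addr" name="addr"><a href="/pay">Pay</a></form></body></html>""",
    "http://example.test/pay": """<html><body><h1>Payment</h1>
        <img src="card.png" alt="Card"><a href="/admin/discount">apply</a></body></html>""",
    # Undocumented functionality: image without alt text, unlabelled input.
    "http://example.test/admin/discount": """<html><body>
        <img src="x.png"><form><input name="pct"></form></body></html>""",
}
DOCUMENTED_PROCESS = {
    "http://example.test/cart",
    "http://example.test/checkout",
    "http://example.test/pay",
}


class PageAudit(HTMLParser):
    """Collects links plus evidence for two Level A success criteria.
    Simplification: a label counts only via <label for="id">; ARIA labelling
    and implicit wrapping labels are ignored."""

    def __init__(self):
        super().__init__()
        self.links, self.img_no_alt, self.inputs, self.labelled = [], 0, [], set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("alt") is None:
            self.img_no_alt += 1
        elif tag == "input" and a.get("type", "text") not in ("hidden", "submit", "button"):
            self.inputs.append(a.get("id"))
        elif tag == "label" and a.get("for"):
            self.labelled.add(a["for"])

    def failures(self):
        found = []
        if self.img_no_alt:
            found.append(f"SC 1.1.1: {self.img_no_alt} img element(s) without alt")
        unlabelled = [i for i in self.inputs if i is None or i not in self.labelled]
        if unlabelled:
            found.append(f"SC 3.3.2: {len(unlabelled)} input(s) without a label")
        return found


def crawl(start, fetch):
    """Discover what the application actually serves by following same-host
    links from the start page. fetch(url) returns HTML or None."""
    seen, todo, audits = set(), [start], {}
    host = urlparse(start).netloc
    while todo:
        url = todo.pop()
        if url in seen:
            continue
        seen.add(url)
        html = fetch(url)
        if html is None:
            continue
        audit = PageAudit()
        audit.feed(html)
        audits[url] = audit
        for href in audit.links:
            nxt = urljoin(url, href)
            if urlparse(nxt).netloc == host:
                todo.append(nxt)
    return audits


def process_conformance(start, documented, fetch):
    """Compare the documented process with the reached pages and derive the
    level that can be claimed. WCAG 2.0 conformance requirement 3 makes the
    claim only as strong as the weakest page in the process; since the checks
    here cover Level A criteria only, the best supportable claim is 'A'."""
    audits = crawl(start, fetch)
    actual = set(audits)
    failing = {u: a.failures() for u, a in audits.items() if a.failures()}
    return {
        "actual": actual,
        "undocumented": actual - documented,   # "what the application actually does" only
        "unreached": documented - actual,      # documented but not reachable from the start
        "failing": failing,
        "level": "A" if not failing else None,
    }


if __name__ == "__main__":
    report = process_conformance("http://example.test/cart", DOCUMENTED_PROCESS, SITE.get)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against only the documented pages the tool reports level "A"; run against what the site actually serves it finds the undocumented discount page, records its two failures and refuses to support any claim for the process. That gap between the two runs is the scope problem the post describes.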

Update 19th May 2009: See also Can An Accessible Web Application Be Secure? concerning my presentation at OWASP AppSec EU09.

Posted on: 08 May 2009 at 08:49 hrs

http://www.clerkendweller.com/2009/5/8/Whats-the-Scope-for-Accessibility-Testing
© 2009-2012 clerkendweller.com