Friday, 4 March 2011

Security testing noobs and OWASP Breakers

I’ve said it before but one area of testing that functional/system type testers really neglect is Security Testing.

The neglect comes in two forms. One is thinking they know stuff when in fact they don’t. Most will rattle off SQL injection as the security test technique they know, and it’s so ignorant and arrogant it makes my blood boil.

The second form is assuming security testing is the domain of rocket scientist types with PhDs and l33t skillz in math. While true in some regards, it isn’t the full story, just like SQL injection isn’t either.

If you’ve been in either camp I want you to stop before you do harm. The only way to do effective security testing is the same way we do effective functional/system testing: diligent and consistent study and practice.

If, like me, the majority of your testing is against web sites and web applications then you need to head over to the OWASP website right away. That’s the ‘Open Web Application Security Project’, and the website has a host of free information and guides you can learn from.

Check out Michael Coates’ blog too; he’s trying to get a more active community going, and one group is the Breaker group. As a tester, go sign up and start to interact with the security testing community.

Get your skills honed and add real security testing to your arsenal of testing types.

By the way, Injection is number 1 on the OWASP Top 10 Application Security Risks list. So well done on getting that one. Number 2 is Cross Site Scripting (XSS). Do you know how to do that? Here’s a vector for you:


Only 8 more to go!

Mark.

7 comments:

Kashif Ali Habib said...

Nice post Mark,

OWASP (open source web application security project) is quite a useful reference for security testing; its latest 2010 top 10 vulnerabilities are quite helpful.

Anonymous said...

I am a new guy! I like it here!

Anonymous said...

What’s up, clever points.. now why did not I think of these? Off topic barely, is this web page sample merely from an unusual set up or else do you utilize a personalized template. I take advantage of a webpage I’m seeking to improve and well the visuals is probably going one of many key things to complete on my list.

Anonymous said...

Nice and thanks!

Anonymous said...

THX for sharing

Anonymous said...

Nice post. This entry helped me in my college assignment. Thanks a lot

Anonymous said...

A person essentially help to make seriously posts I would state. This is the first time I frequented your website page and thus far? I surprised with the analysis you made to create this actual submit incredible. Great activity!
Excellent website. A lot of helpful info here. I’m sending it to a few buddies and additionally sharing in delicious. And naturally, thank you in your effort!
Hi! I really like your writing so a lot! percentage we communicate extra approximately your post on AOL? I need an expert in this space to unravel my problem. May be that is you! Having a look forward to see you.