Friday, 4 March 2011

Security testing noobs and OWASP Breakers

I’ve said it before but one area of testing that functional/system type testers really neglect is Security Testing.

The neglect comes in two forms. The first is thinking they know stuff when in fact they don’t. Most will rattle off SQL injection as the security test technique they know, and it’s so ignorant and arrogant it makes my blood boil.

The second form is assuming security testing is the domain of rocket scientist types with PhD’s and l33t skillz in math. While true in some regards, it isn’t the full story, just like SQL injection isn’t either.

If you’ve been in either camp I want you to stop before you do harm. The only way to do effective security testing is the same way we do effective functional/system testing: diligent and consistent study and practice.

If, like me, the majority of your testing is against web sites and web applications, then you need to head over to the OWASP website right away. That’s the ‘Open Web Application Security Project’, and the website has a host of free information and guides you can learn from.

Check out Michael Coates’ blog too; he’s trying to get a more active community going, and one group is the Breaker group. As a tester, go sign up and start to interact with the security testing community.

Get your skills honed and add real security testing to your arsenal of testing types.

By the way, Injection is number 1 on the OWASP Top 10 Application Security Risks list, so well done on getting that one. Number 2 is Cross Site Scripting (XSS); do you know how to do that? Here’s a vector for you:

Only 8 more to go!