It's not the firewall, stupid

Written by Paco Hope

Thursday, 12 March 2009 20:12

My friends over at Sticky Minds picked up a UPI article about Norm Coleman's campaign office being hacked into. It's a summary of an original article in The Hill. For many years we've been fighting this knee-jerk security reaction that if it's a "security" issue, it must be a "firewall" issue. The difference between these two articles just underscores that point. The only "security" aspect of the UPI article is the fact that the word "firewall" is mentioned twice. I can think of a thousand ways that a campaign headquarters could get breached that would not involve the firewall at all. In fact, if they're taking donations over the Internet, they're probably doing so using a server that physically resides in a data center somewhere, not at the campaign HQ. And if data did get sucked out of campaign HQ computers, it's most easily done by getting a staffer infected with a virus or some malware. Nobody, but nobody, beats down the firewall these days. They trick you into running something you shouldn't, or they attack your applications (e.g., the web server where contributions are accepted).

The Hill's article gets this right. At least they don't get it wrong. They present some facts and don't misrepresent anything. The UPI summary dwells on the firewall, however, when it has limited space available for the article. It leads the lay reader to the conclusion that firewall breaches (a) happen, (b) are relatively common, and (c) were likely in this case. I see (and apparently the FBI sees) no reason to think that's the case here.

Security in QA is more than just exploits

Written by Paco Hope

Wednesday, 04 February 2009 19:47

I read a blog entry about "re-aligning training expectations for QA." It has some useful points that both developers and so-called "security people" need to hear. I disagree with some implicit biases, however, and I think we need to get past some stereotypes that sneak out in the article.
Bias #1, obviously, is the focus on the web. Despite its omnipresence, there is more non-web software than web software in the world, and non-web software does more important stuff than all the web software combined. The role of security in software testing is vital, and the presence or absence of web technologies does not change that. Despite writing my recent book on Web Security Testing, I know my place in the universe. Quality assurance and software testing are disciplines far older than the web, and their mission is so much bigger than finding vulnerabilities.

Last Updated on Wednesday, 04 February 2009 19:48
|
Build Security In Maturity Model Released

Written by Paco Hope

Thursday, 05 March 2009 14:51

The Wall Street Journal ran a story about the Building Security In Maturity Model (BSIMM) by Gary McGraw, Brian Chess, and Sammy Migues (based on some prior work by Pravir Chandra). This model, which is free to download and use, aims to help organizations put security into all aspects of their software development lifecycle. There are several good security testing aspects to it, including fuzz testing and the kinds of security testing we advocate in the cookbook.

Last Updated on Wednesday, 11 March 2009 14:23

New Software Security Podcast

Written by Paco Hope

Wednesday, 07 January 2009 03:35

Over the last three years, Silver Bullet listeners and sc-l subscribers have occasionally asked Gary McGraw to interview more "practitioners." Instead of changing the mission of Silver Bullet, he decided to create a new podcast and focus it exclusively on practical software security. That means balancing out the hope for a silver bullet with a reality check! Reality Check will be a monthly podcast just like Silver Bullet. Releases of the two sister 'casts will alternate and appear every two weeks or so. Reality Check targets experienced leaders working to solve software security problems in large organizations every day. He uses a standard script to guide each conversation with questions about history, methodology, best practice, and measurement. He plans to interview leaders of mature software security programs and leaders of programs just getting started. The first interview is Steve Lipner (Senior Director of security engineering strategy in Microsoft's Trustworthy Computing Group). Listen at http://www.cigital.com/realitycheck/