Protect your company’s Web site from hack attacks with this guide to proven security-testing techniques
It’s only a matter of time before an unscrupulous would-be intruder decides to attack your organization’s Web site. If they’re successful, you could lose confidential customer information, intellectual property, or e-commerce revenue. Fortunately, this unique book describes a set of security tests that you can perform to ensure your Web site is hack-resistant. Web testing expert Steven Splaine offers a straightforward, easy-to-follow approach to security testing that can be used to check your Web site’s vulnerabilities. Through examples and dozens of testing checklists, you’ll learn how to develop and document a test plan to test the security of a Web site and conduct a risk analysis to help determine which tests should be given the highest priority.
Following a straightforward, accessible approach, this book will take you step-by-step through the process of testing the security of your Web sites and applications. Whether you’re a software tester, system administrator, developer, manager, Web master, or security engineer, you’ll find valuable information on how to use testing as a security measure. In this informative book, Steven Splaine covers:
Planning the security testing effort: strategies, teams, and tools
How to define the scope of the project
Testing network security and system software configurations
Checking for security vulnerabilities in Web applications
Evaluating how well-prepared an organization is against assailants who use social engineering, dumpster diving, inside accomplices, or physical methods of attack
The unique challenges of testing defenses designed to confuse an intruder
Using a risk analysis to focus the testing effort on the areas that present the greatest threats to the organization
Review By: Marsha L. Robertson 07/08/2010This book is based on and is an extension of Software Quality Engineering’s Web Security Testing course. It uses copious examples and checklists to teach this subject. The chapters stand well independently, so that they need not be read in a particular order to be understood or to be useful.
Chapters 1 and 2 are an introduction to the book and to test planning in general. Testing vocabulary and various testing approaches are also discussed. These chapters are a good beginning for testing novices and a good reference for others. Chapter 3 describes physical networks and gives options for testing possible configurations of a network, including determining the appropriate scope of tests. Chapter 4 does the same for system software, such as operating systems and communication tools.
Chapters 5 and 6 discuss testing options for client/server applications. These include making sure that good data is accepted and bad data is not, and that authorized users are allowed and unauthorized users are denied. Chapter 7 relates many sneaky ways (hence the title “Sneak Attacks”) that a Web system can be infiltrated, and how to test for these often overlooked areas of risk.
Chapter 8 is an explanation of some direct security methods and how to test them. General areas of discussion are detecting attempts at unauthorized access, confusing or distracting an intruder, and responses to an attack. Chapter 9 gives test implementation options, including how to choose who should test, what tools are used, and where testing should start and end. Chapter 10 discusses performing risk analysis and determining testing priorities.
The appendices are useful references on their own. Appendix A is a dictionary and overview of networking terms. Appendix B is a list of the twenty most critical Internet security vulnerabilities. Appendix C gives example templates for various test deliverables, such as status reports and testing logs. There is also an Additional Resources section that contains, among other things, a long list of other books related to Web security testing.
In his preface, the author states “Testing Web Security is an attempt to fill the need for a straightforward, easy-to-follow book that can be used by anyone who is new to the security-testing field.” I believe that he has done an admirable job of meeting his goal.
The chapters are well organized and provide plenty of examples. Terms are either defined as they are used, or they are defined in Appendix A. The checklists provided are a great starting point for test development.
This book will be useful for either brand-new testing organizations or for established test organizations where Web security testing is a new task. It should be on the reference shelf for anyone who has an interest in testing Web security.