Automating Security Testing with cUrl and Perl (Better Software Conference & EXPO 2008)
Although all teams want to test their applications for security, our plates are already full with functional tests. What if we could automate those security tests? Fortunately, most Web-based and desktop applications submit readily to automated testing. Paco Hope explores two flexible, powerful, and totally free tools that can help to automate security tests. cUrl is a free program that issues automatic basic Web requests; Perl is a well-known programming language ideally suited for writing test scripts. Paco demonstrates the basics of automating tests using both tools and then explores some of the more complicated concerns that arise during automation-authentication, session state, and parsing responses. He then illustrates simulated malicious inputs and the resulting outputs that show whether the software has embedded security problems. The techniques demonstrated in this session apply equally well to all Web platforms and all desktop operating systems. You'll leave with an understanding of the basics and a long list of resources you can reference to learn more about Web security test automation.