Testing Web Security: Assessing the Security of Web Sites and Applications [Paperback]

Steven Splaine (Author)
4.3 out of 5 stars (9 customer reviews)

Book Description

ISBN-10 0471232815, ISBN-13 978-0471232810, published October 25, 2002 (1st edition)
  • Covers security basics and guides reader through the process of testing a Web site.
  • Explains how to analyze results and design specialized follow-up tests that focus on potential security gaps.
  • Teaches the process of discovery, scanning, analyzing, verifying results of specialized tests, and fixing vulnerabilities.

Editorial Reviews

Review

“…a helpful guide…a direct and easy to understand style of writing…” (Software Testing, Verification and Reliability, Dec 2004)

From the Back Cover

Protect your company's Web site from hack attacks with this guide to proven security-testing techniques

It's only a matter of time before an unscrupulous would-be intruder decides to attack your organization's Web site. If they're successful, you could lose confidential customer information, intellectual property, or e-commerce revenue. Fortunately, this unique book describes a set of security tests that you can perform to ensure your Web site is hack-resistant. Web testing expert Steven Splaine offers a straightforward, easy-to-follow approach to security testing that can be used to check your Web site's vulnerabilities. Through examples and dozens of testing checklists, you'll learn how to develop and document a test plan to test the security of a Web site and conduct a risk analysis to help determine which tests should be given the highest priority.

Following a straightforward, accessible approach, this book will take you step-by-step through the process of testing the security of your Web sites and applications. Whether you're a software tester, system administrator, developer, manager, Web master, or security engineer, you'll find valuable information on how to use testing as a security measure. In this informative book, Steven Splaine covers:
* Planning the security testing effort: strategies, teams, and tools
* How to define the scope of the project
* Testing network security and system software configurations
* Checking for security vulnerabilities in Web applications
* Evaluating how well-prepared an organization is against assailants who use social engineering, dumpster diving, inside accomplices, or physical methods of attack
* The unique challenges of testing defenses designed to confuse an intruder
* Using a risk analysis to focus the testing effort on the areas that present the greatest threats to the organization

Product Details

  • Paperback: 368 pages
  • Publisher: Wiley; 1 edition (October 25, 2002)
  • Language: English
  • ISBN-10: 0471232815
  • ISBN-13: 978-0471232810
  • Product Dimensions: 9.2 x 7.5 x 0.8 inches
  • Shipping Weight: 1.4 pounds
  • Amazon Best Sellers Rank: #1,892,687 in Books

Customer Reviews

9 Reviews: 5 star (6), 4 star (2), 3 star (0), 2 star (0), 1 star (1)

Most Helpful Customer Reviews

21 of 26 people found the following review helpful:
1.0 out of 5 stars Simply the worst security book I have ever read, September 4, 2003
By Thomas Porter "tporter_phd_56" (Chapel Hill, NC United States)
This review is from: Testing Web Security: Assessing the Security of Web Sites and Applications (Paperback)
This book proposes to teach us about testing web application security. OK, there *is* one entire sentence devoted to PHP, and somewhere in this mess I think that I remember seeing several lines regarding jsp. On the plus side -- there is an Appendix devoted to a cursory review of the SANS top 20 security vulnerabilities. Thank goodness -- googling for this list or finding it online at the SANS portal must be outside the abilities of the reviewers who gave this book positive reviews.

Testing w/ client-side proxies, as far as I can tell, is not covered; nor is any mention made of SQL insertion techniques, basic authentication mechanism testing, Nikto usage, etc.

I purchased this book based upon the initial reviews on this site. Obviously, the earlier reviewers were not reading the same book as the one I received.

5 of 6 people found the following review helpful:
5.0 out of 5 stars An Excellent Read & Reference for Testers and Test Managers, February 25, 2004
Before I read Steve's book, I thought that testing the security of a Web site required huge amounts of technical knowledge including how certain operating systems, web servers, etc., actually worked. Having read the book, I realise that someone needs to know - but it needn't be me. As a tester, my job is to see if the security measures that have been put into place actually do what they are supposed to and in this context the book exceeds my requirements and expectations.

In addition, one of the problems in testing security is trying to ensure that the site does not open itself up to any unauthorised activity - accidental or not. How do you ensure 'complete coverage' of the virtually infinite number of event combinations and therefore test cases? This problem is addressed in the Test Planning and Risk Analysis sections and placed properly and pragmatically into context.

Then we get into the meat of test design. I like the way we start with scoping. What are we trying to secure and from what or whom? To answer the latter part of the question, the book delves into types of attacks - which then helps us to think about what and how to test. I particularly like the checklists (OK, I'm a checklist fan) and the lists of software tools which are available to carry out things like IP address sweeps, port scans, etc.

This part of the book has separate chapters for networks, system software, client and server-side application software. Each chapter is virtually stand-alone which makes it a good reference as well as a good read. I also like the fact that Steve has not left out the social engineering aspect of security. Finally, Test Implementation addresses the usual practical problems associated with test execution but with all the emphasis on security.

Steve Splaine has distilled into one book enough information to give testers and test managers confidence in the planning, design and execution of Web security testing. An excellent read and reference.

7 of 9 people found the following review helpful:
4.0 out of 5 stars A Great General Overview of Testing Web Security, September 25, 2003
The author's goal is to make managers responsible for Web site security aware that having a super-duper firewall doesn't excuse the organization from conducting tests or exploring additional avenues to supplement the firewall.

The book also supports security testers with flexible descriptions and checklists for creating test cases and conducting tests. Each chapter ends with a checklist covering the various aspects of the test process from planning to intrusion detection. Organizations with a process model in place such as CMM (Capability Maturity Model), RUP (Rational Unified Process), and Six Sigma will find the material supportive of such efforts, and perhaps even easier, because of the lists of example tools and software products for managing reporting and schedules.

The book isn't a read-front-to-back book, as each chapter is understandable with or without previous chapters. The first two chapters address vocabulary, test plans and planning, and general project management activities. The meat of the book is in Part 3, Test Design, beginning with chapter 3, which addresses scoping and conducting a network assessment. Chapter 4 focuses on system software and related tools.

The next two chapters look at client-side and server-side applications to ensure the system is designed to function correctly for its users while guarding its castle to prevent the evil ones from breaking in. Mother Nature might pay a visit or another big blackout could happen and those guards need to be prepared to react, hence Chapter 7 prepares a team for such events as well as various ways the bad guys might do a sneak attack.

Mysterious intruders and audit trails sound like a case for Sherlock Holmes, as Chapter 8 gives directions on detecting unauthorized intruders, responding to an attack, and assessing the damage.

Those who haven't formed a team might want to leap into Chapter 9, which provides staffing options for in-house and outsourcing. It also discusses the process of selecting tools. In the last chapter, get the lowdown on doing a risk analysis to be prepared for the likelihood of changed plans (which we know happens often). Doing such an analysis is a step toward having a well-planned test schedule that ensures the areas that pose the greatest risks are done early in the process while the less important items are done near the end of the test period.

The appendices provide an overview of network protocols, addresses, and devices; a list of the most critical Internet security vulnerabilities; and example templates for testing documentation. Those who need more in-depth information can reference the resources for further reading via books and Web sites.

If the thought of security is daunting, this book is a good introduction to the topic. It's appropriate for organizations creating a new testing team; teams responsible for conducting testing assessments; and testing managers, project managers, and test teams that are new to testing security. Directors, executives, and other top level managers who are responsible for Web site security will also benefit.

Any technical terms that pop up are clearly defined without the dull writing that makes eyes glaze over when reading a technical book. The use of sidebars, checklists, headers, examples, and figures provide a nice balance in presenting the material without losing the reader. The book is practical for anyone who needs a general reference on Web security and wants to know how it works.

As for the programming issue another reviewer mentioned, it's true there is no reference to programming languages. However, that's not the point of this particular book.

Inside This Book

First Sentence: The following are some sobering statistics and stories that seek to illustrate the growing need to assess the security of Web sites and applications.

Key Phrases - Statistically Improbable Phrases (SIPs): dynamic code environment, security tester, test incident report, security assessment tool, device inventory, intruder changes, test summary report, testing team, known security issues, perimeter firewall, system software products, security testing, security defects, testing effort, documented policy, asset audit, configuration management process, mobile code, test priority, fingerprinting tools, testing firm, false acceptance rate, false rejection rate, intrusion response, test plan

Key Phrases - Capitalized Phrases (CAPs): Cerberus Internet Scanner, Common Gateway Interface, Criticality Analysis, Hypertext Transfer Protocol, Relex Software, Server Side Includes