9 Reviews
21 of 26 people found the following review helpful:
1.0 out of 5 stars
Simply the worst security book I have ever read,
This review is from: Testing Web Security: Assessing the Security of Web Sites and Applications (Paperback)
This book proposes to teach us about testing web application security. OK, there *is* one entire sentence devoted to PHP, and somewhere in this mess I think that I remember seeing several lines regarding JSP. On the plus side -- there is an Appendix devoted to a cursory review of the SANS top 20 security vulnerabilities. Thank goodness -- googling for this list or finding it online at the SANS portal must be outside the abilities of the reviewers who gave this book positive reviews.

Testing w/ client-side proxies, as far as I can tell, is not covered; nor is any mention made of SQL insertion techniques, basic authentication mechanism testing, Nikto usage, etc. I purchased this book based upon the initial reviews on this site. Obviously, the earlier reviewers were not reading the same book as the one I received.
5 of 6 people found the following review helpful:
5.0 out of 5 stars
An Excellent Read & Reference for Testers and Test Managers,
This review is from: Testing Web Security: Assessing the Security of Web Sites and Applications (Paperback)
Before I read Steve's book, I thought that testing the security of a Web site required huge amounts of technical knowledge including how certain operating systems, web servers, etc., actually worked. Having read the book, I realise that someone needs to know - but it needn't be me. As a tester, my job is to see if the security measures that have been put into place actually do what they are supposed to and in this context the book exceeds my requirements and expectations.

In addition, one of the problems in testing security is trying to ensure that the site does not open itself up to any unauthorised activity - accidental or not. How do you ensure 'complete coverage' of the virtually infinite number of event combinations and therefore test cases? This problem is addressed in the Test Planning and Risk Analysis sections and placed properly and pragmatically into context. Then we get into the meat of test design. I like the way we start with scoping. What are we trying to secure and from what or whom? To answer the latter part of the question, the book delves into types of attacks - which then helps us to think about what and how to test. I particularly like the checklists (OK, I'm a checklist fan) and the lists of software tools which are available to carry out things like IP address sweeps, port scans, etc. This part of the book has separate chapters for networks, system software, client and server-side application software. Each chapter is virtually stand-alone which makes it a good reference as well as a good read. I also like the fact that Steve has not left out the social engineering aspect of security. Finally, Test Implementation addresses the usual practical problems associated with test execution but with all the emphasis on security. Steve Splaine has distilled into one book enough information to give testers and test managers confidence in the planning, design and execution of Web security testing. An excellent read and reference.
7 of 9 people found the following review helpful:
4.0 out of 5 stars
A Great General Overview of Testing Web Security,
This review is from: Testing Web Security: Assessing the Security of Web Sites and Applications (Paperback)
The author's goal is to make managers responsible for Web site security aware that having a super-duper firewall doesn't excuse the organization from conducting tests or exploring additional avenues to supplement the firewall.

The book also supports security testers with flexible descriptions and checklists for creating test cases and conducting tests. Each chapter ends with a checklist covering the various aspects of the test process from planning to intrusion detection. Organizations with a process model in place such as CMM (Capability Maturity Model), RUP (Rational Unified Process), and Six Sigma will find the material supportive of such efforts and maybe even making it easier because of the lists of example tools and software products for managing reporting and schedules. The book isn't a read front-to-back book as each chapter is understandable with or without previous chapters. The first two chapters address vocabulary, test plans and planning, and general project management activities. The meat of the book is in Part 3, Test Design, beginning with chapter 3, which addresses scoping and conducting a network assessment. Chapter 4 focuses on system software and related tools. The next two chapters look at client-side and server-side applications to ensure the system is designed to function correctly for its users while guarding its castle to prevent the evil ones from breaking in. Mother Nature might pay a visit or another big blackout could happen and those guards need to be prepared to react, hence Chapter 7 prepares a team for such events as well as various ways the bad guys might do a sneak attack. Mysterious intruders and audit trails sound like a case for Sherlock Holmes as Chapter 8 gives directions on detecting unauthorized intruders, responding to an attack, and assessing the damage. Those who haven't formed a team might want to leap into Chapter 9, which provides staffing options for in-house and outsourcing.

It also discusses the process of selecting tools. In the last chapter, get the lowdown on doing a risk analysis to be prepared for the likelihood of changed plans (which we know happens often). Doing such an analysis is a step toward having a well-planned test schedule that ensures the areas that pose the greatest risks are done early in the process while the less important items are done near the end of the test period. The appendices provide an overview of network protocols, addresses, and devices; a list of the most critical Internet security vulnerabilities; and example templates for testing documentation. Those who need more in-depth information can reference the resources for further reading via books and Web sites. If the thought of security is daunting, this book is a good introduction to the topic. It's appropriate for organizations creating a new testing team; teams responsible for conducting testing assessments; and testing managers, project managers, and test teams that are new to testing security. Directors, executives, and other top-level managers who are responsible for Web site security will also benefit. Any technical terms that pop up are clearly defined without the dull writing that makes eyes glaze over when reading a technical book. The use of sidebars, checklists, headers, examples, and figures provides a nice balance in presenting the material without losing the reader. The book is practical for anyone who needs a general reference on Web security and wants to know how it works. As for the programming issue another reviewer mentioned, it's true there isn't reference to programming languages. However, that's not the point of this particular book.
4 of 5 people found the following review helpful:
5.0 out of 5 stars
Adds the auditing dimension to web testing,
By Mike Tarrani "www.tarrani.com" (Deltona, FL USA)
This review is from: Testing Web Security: Assessing the Security of Web Sites and Applications (Paperback)
This book is unique in that it focuses more on auditing than on actual web testing techniques, which is an area that is too often overlooked by QA. Because of this niche area, this book can be used in conjunction with any of the more testing-centric books, giving QA a solid security-in-depth approach. This approach also makes this book a solid reference for complying with parts of the Sarbanes-Oxley Act.

Splaine thoroughly covers the test/audit process by addressing all layers and threat vectors. He takes a systematic vulnerability assessment and risk management approach, and extensively uses checklists throughout this book to help you to develop a security auditing process that will close most of the vulnerability gaps, as well as to augment other testing approaches. I particularly like the completeness of topic coverage - he goes into network, protocol, client- and server-side application, and attack modes in great detail. For each area he provides advice, checklists and a strategy for dealing with the risks and vulnerabilities represented. I also like the way he addresses configuration management, quality and test case design. These reflect best practices and can be quickly integrated into a web security QA function. Splaine's earlier book, "The Web Testing Handbook" (ISBN 0970436300) nicely augments this one, as does Nguyen's highly regarded "Testing Applications on the Web: Test Planning for Internet-Based Systems" (ISBN 047139470X), both of which are more focused on web testing. If you work in QA or web security this book will be an invaluable resource, and is one that I highly recommend because it spans both disciplines.
4 of 5 people found the following review helpful:
5.0 out of 5 stars
Testing Web Security Review,
By Will Milor (Florida)
This review is from: Testing Web Security: Assessing the Security of Web Sites and Applications (Paperback)
Web Security Testing Review

I first picked this book up because the subject matter had a "new twist." After almost 30 years in Information Security the concept of actually testing the security systems we are paid to maintain interested me. I thought, O.K... get ready, in a few minutes I'll be knee deep in testing jargon and theory. Not so!! To my surprise this book is incredibly readable, partially because the author sprinkles great examples throughout the book and partially because his writing style is NOT "from on high to us mortals on earth." I was very pleasantly surprised. Besides readability I think Mr. Splaine has covered the issue of content very well. In the section on test plans he includes the idea that system documentation is an integral part of test plan documentation. Not that this is a new concept; it should be second nature to us in the IT field. The point is, he has taken care with the details and it shows in the content of the book. Another key concept in the book is "defining the scope of the network testing by identifying an appropriate set of network segments." You can define the scope to anything, servers, buildings, color of the chassis. It's nice to see him make a statement like this, provide the technobabble to human speak definitions in the appendix (for those that need them) and then go forward and treat the components (all of them) as a system, not leaving bits lying around for someone else to deal with. Again, it's not that this is a new concept; it just shows how thorough he is with the subject. Looking at the chapter on Network Security "testing", the thought occurred to me that this chapter is a great basis for designing a stand-alone network security review. It's outside the scope of the book, but all the components are there in one chapter. The organization of the book is also nice. You don't have to read the book through to use the content. Each section (or chapter for that matter) can, if needed, stand on its own.

The book is broken up into 5 sections: An Introduction, Planning the Testing Effort, Test Design, Test Implementation, and Appendixes. Each chapter is filled with checklists, concepts, web sites and software recommendations that can be woven into any testing effort. In the appendix you'll find a chapter on Additional Resources. This chapter brings into one place a myriad of books and web sites that would be invaluable to anyone from the seasoned professional to someone just entering the field. I've performed a number of security reviews and the like over the years, but after reading this book I'm thinking of revising my methods. Even though Mr. Splaine may not have meant his book to be used this way, I see it as a basis for setting up any security review for any network-based system (not just for testing new systems). This may come as a shock to Mr. Splaine (although I doubt it), but I think he's laid out the basis for carrying out a security consulting practice (not setting the practice up, but certainly proposing great methods for doing the security reviews). Lastly, I have always been irritated by the popular concept that we "test" and go on. For my part, in security reviews, this is a blatant misconception that leads to more open systems than secure ones. Mr. Splaine has endeared himself to me by proposing the idea throughout the book that security testing is an ongoing process. I'm pleased to see this expressed in such a practical "how to" book. Well done.
2 of 3 people found the following review helpful:
5.0 out of 5 stars
a great testing reference!,
By "robertsonmarsha" (Ventura, CA United States)
This review is from: Testing Web Security: Assessing the Security of Web Sites and Applications (Paperback)
I found this book very useful for myself as a dictionary of sorts! Our QA department is buried in client/server testing and basic web page testing, and I don't think we'll ever have enough staff that we'll get to do this much security testing. (Others do it, but not us.) However, I still hear a lot of these terms bandied about, and now I actually know what they mean and have a better idea of how things work.
3 of 5 people found the following review helpful:
5.0 out of 5 stars
Simply a must have for anybody testing a web application!,
This review is from: Testing Web Security: Assessing the Security of Web Sites and Applications (Paperback)
The book is a unique one. True, there are many books on security written, but never before has anybody approached it from the testing point of view. This book analyzes the different security holes in many web applications, and lists many different hacking tools and methods, then discusses what a tester is to do in order to test securing their web application or site. Written for the testing professional by a testing professional!

Steve has done it again... Another great book for the software testing & quality assurance professional.
2 of 4 people found the following review helpful:
5.0 out of 5 stars
A practical and useful presentation of web site testing,
By Methods & Tools Editor "www.methodsandtools.com" (Vevey Switzerland)
This review is from: Testing Web Security: Assessing the Security of Web Sites and Applications (Paperback)
A Steven Splaine book is a well-constructed and complete presentation of testing web sites. The book's goals are to raise manager awareness and to present the problems to newcomers in web site security testing. I think that this goal is achieved. The book is well balanced between topic presentation, checklists, examples and references. Acknowledging the complexity of Web site security, the book managed to keep a good level of global overview of the topics and to present the concepts with a clear vocabulary. I like the attitude of the author to build on existing knowledge and to refer to more specific books or articles for those who would like to dig deeper in a particular area. In conclusion, I find that this book is an excellent introduction to this complex topic.
1 of 4 people found the following review helpful:
4.0 out of 5 stars
Smart and Resourceful,
By Pete Herzog (Barcelona)
This review is from: Testing Web Security: Assessing the Security of Web Sites and Applications (Paperback)
Interestingly, this is one of the very few commercial guides on testing anything out there that actually provides a test plan and specific tests to perform. It smartly provides straight facts on web security without trying to oversell anything, which is why I particularly recommend it. Another point of the book I found helpful and intelligent is the layout, which did more than just take one through a step-by-step assessment. Although not overly technical (for instance, you won't find specific programming tips on PHP or JSP), its broad coverage of the web presence from physical to Internet is more than enough to provide any organization with a proper risk assessment. I have written the author about a few improvements I would like to see, but there is nothing that would detract from the knowledge transfer this book currently offers. It is an excellent complement to the OSSTMM (Open Source Security Testing Methodology Manual) at [email address] and will assist you in making an OSSTMM certified test as well as meeting BS7799 best practice requirements. If you worry about privacy legislation in your region then this may just be the help you are looking for in your web presence.
Testing Web Security: Assessing the Security of Web Sites and Applications by Steven Splaine (Paperback - October 25, 2002)
$55.00 $34.65
In Stock