Improving the Value of Testing – Security!

Do what you say and say what you do.

I think I got that from an ISO 2001 audit preparation meeting in the mid-90’s during an effort to sell fax machines that we were manufacturing at HP to the EU. I like that so I try to use it.

Do What You Say

I said that I was going to try Improving the Value of Testing. What would be better than security testing? A bunch of things, you might say. But the reality is that security is the highest risk you are facing in your products. The bad guys understand more than you do, and probably more than the people who make the security tools you already use. For me, I do not even understand much about what the tools do, or know the difference between SQL injection and cross-site scripting.

Say What You Do

So I am going to venture into this a little by trying to do some security testing with tools that I get from wherever. I will even make some home-grown tools if possible because I like to build and I like control. That would help amp my understanding to a higher level, in my opinion.

My first attempt was to crack open an old book, How to Break Web Software by Mike Andrews and James A. Whittaker. Things change a lot in 6 computer years. All the web services are in SOAP – yuck. That’s like getting your mouth washed out. And almost all the tools are for Windows, but I primarily use a Mac. Still, I think I can get some concepts out of this. I try the Paros proxy, but it’s not working for me yet.

So I move on to SoapUI. That’s an old friend, but I have never used it for security or REST. I spent some time on trying to simply send a request (POST) to my system under test, but SoapUI crashed. And crashed. And crashed. I tried five times before I went to their forum and found a recent unanswered post called Clean Install: Mac OSX beach ball of death. Oh dear.

I spent a lot of time on those without getting anywhere. Edison would have said that I learned some ways that it doesn’t work. I will add more as I have time and additional information!

2 thoughts on “Improving the Value of Testing – Security!”

  1. chuckvdl

    I’d recommend my wife’s book as a great way to understand most of this stuff. It’s a couple years old now, but the basics of the vulnerabilities have not really changed. And the focus is on helping you understand how the vulnerabilities work and how to test them (with little emphasis on using tools to do so).

    Be warned, however, that it’s from a maker of text-books and is priced accordingly (as in, “we know you are a captive audience because the course you are taking requires you to buy THIS book, and we never showed the price to the professor who selected it”), a factor over which she has no control. (So get your employer to buy it for you!)

    http://www.amazon.com/Testing-Code-Security-Maura-Linden/dp/0849392519

  2. dmcnulla Post author

    Thanks Chuck. I will check it out now.

    Yes, I will try to get my boss to buy it for the team. I think I have to make a pitch for it… errr, my next Lunch-N-Learn topic.
