[...]... ws-* security API will automagically solve the security problem In fact, security has more to do with testing and assurance than anything else Enter this book Boy, do we need a good measure of web application security testing! You see, many “tests” devised by security experts for web app testing are not carried out with any testing rigor It turns out that testing is its own discipline, with an entire... not only by security types but also by testing people working on web applications In fact, Quality Assurance (QA) people will enjoy the fact that this book is aimed squarely at testers, with the notions of regression testing, coverage, and unit testing built right in In my experience, testing people are much better at testing than security people are Used properly, this book can transform security people... that web applications make up only a small percentage of all things software So when all of the software security attention of the world is focused solely on web applications, I get worried There are plenty of other kinds of critical applications out there that don’t live on the Web That’s why I think of myself as a software security person and not a Web application security person In any case, Web. .. for you to use Before we talk about testing web applications for security, we want to define a few terms What applications are we talking about when we say web applications”? What do they have in common and why can we write a book like this? What do we mean when we say security ? How different are security tests from our regular tests, anyway? 1.1 What Is Security Testing? It’s often straightforward... in their tests in the form of expected results Security testing is like functional testing because it is just as dependent on that understanding of “what behavior do we want?” It is arguable that security testing is more dependent on requirements than functional testing simply because there is more to sift through in terms of potential inputs and outputs Security behavior tends to be less well defined... to the Web and build new ones on the Web, we must be able to test those applications effectively Gone are the days when functional testing was sufficient, however Today, web applications face an omnipresent and ever-growing security threat from hackers, insiders, criminals, and others This book is about how we test web applications, especially with an eye toward security We are developers, testers,... quality managers, and consultants who need to test web software Regardless of what quality or development methodology we follow, the addition of security to our test agenda requires a new way of approaching testing We also need specialized tools that facilitate security testing Throughout the recipes in this book, we’ll be leveraging the homogenous nature of web applications Wherever we can we will take... web applications on either a daily or regular basis We may be following a script of interactions (“click here, type XYZ, click Submit, check for OK message…”) or we might be writing frameworks that invoke batteries of automated tests against our web applications Most of us are somewhere in between Regardless of how we test, we need to get security testing into what we’re doing These days, testing web. .. pundits currently have us entering the era of Web 3.0 (see http: //www.informit.com/articles/article.aspx?p=1217101) The problem is that security has frankly not kept pace At the moment we have enough problems securing Web 1.0 apps that we haven’t even started on Web 2.0, not to mention Web 3.0 Before I go on, there’s something I need to get off my chest Web applications are an important and growing... application security and software security do share many common problems and pitfalls (not surprising since one is a subset of the other) One common problem is treating security as a feature, or as “stuff.” Security is not “stuff.” Security is a property of a system That means that no amount of authentication technology, magic crypto fairy dust, or service-oriented architecture (SOA) ws-* security API . . . . . 1 1.1 What Is Security Testing? 1 1.2 What Are Web Applications? 5 1.3 Web Application Fundamentals 9 1.4 Web App Security Testing 14 1.5 It’s About. measure of web application security testing! You see, many “tests” devised by security experts for web app testing are not carried out with any testing rigor.