Testing Web Security: Assessing the Security of Web Sites and...

Features

• Cover Type: Paperback with 352 pages
• Published by: Wiley
• Edition: 1st Edition October 11, 2002
• Written in: English
• ISBN 10 Number: 0471232815
• ISBN 13 Number: 978-0471232810
• Book Dimensions: 9 x 7.5 x 0.9 inches
• Weighs: 1.4 pounds

Product Review
“…a helpful guide…a direct and easy to understand style of writing…” (Software Testing, Verification and Reliability, Dec 2004)

Book Description

• Covers security basics and guides reader through the process of testing a Web site.
• Explains how to analyze results and design specialized follow-up tests that focus on potential security gaps.
• Teaches the process of discovery, scanning, analyzing, verifying results of specialized tests, and fixing vulnerabilities.

Reader Reviews
The author's goal is to make managers responsible for Web site security aware that having a super-duper firewall doesn't excuse the organization from conducting tests or exploring additional avenues to supplement the firewall. The book also supports security testers with flexible descriptions and checklists for creating test cases and conducting tests. Each chapter ends with a checklist covering the various aspects of the test process from planning to intrusion detection. Organizations with a process model in place such as CMM (Capability Maturity Model), RUP (Rational Unified Process), and Six Sigma will find the material supportive of such efforts and maybe even making it easier because of the lists of example tools and software products for managing reporting and schedules. The book isn't a read front-to-back book as each chapter is understandable with or without previous chapters. The first two chapters address vocabulary, test plans and planning, and general project management activities. The meat of the book is in Part 3, Test Design, beginning with chapter 3, which addresses scoping and conducting a network assessment. Chapter 4 focuses on system software and related tools. The next two chapters look at client-side and server-side applications to ensure the system is designed to function correctly for its users while guarding its castle to prevent the evil ones from breaking in. Mother Nature might pay a visit or another big blackout could happen and those guards need to be prepared to react, hence Chapter 7 prepares a team for such events as well as various ways the bad guys might do a sneak attack. Mysterious intruders and audit trails sounds like a case for Sherlock Holmes as Chapter 8 directions on detecting unauthorized intruders, responding to an attack, and assessing the damage. Those who haven't formed a team might want to leap into Chapter 9, which provides staffing options for in-house and outsourcing. It also discusses the process of selecting tools. In the last chapter, get the lowdown on doing a risk analysis to be prepared in for the likelihood of changed plans (which we know happens often). Doing such an analysis is a step toward to having a well-planned test schedule ensure the areas that pose the greatest risks are done early in the process while the lesser important items are done near the end of the test period. The appendices provide an overview of network protocols, addresses, and devices; a list of the most critical Internet security vulnerabilities; and example templates for testing documentation. Those who need more in-depth information can reference the resources for further reading via books and Web sites. If the thought of security is daunting, this book is a good introduction to the topic. It's appropriate for organizations creating a new testing team; teams responsible for conducting testing assessments; and testing managers, project managers, and test teams that are new to testing security. Directors, executives, and other top level managers who are responsible for Web site security will also benefit. Any technical terms that pop up are clearly defined without the dull writing that makes eyes glaze over when reading a technical book. The use of sidebars, checklists, headers, examples, and figures provide a nice balance in presenting the material without losing the reader. The book is practical for anyone who needs a general reference on Web security and wants to know how it works. As for the programming issue another reviewer mention, it's true there isn't reference to programming languages. However, that's not the point of this particular book. Comment | | (Report this)