Top software security concerns and vulnerabilities you should know about

New software testers will benefit from this expert's wisdom as he explains the top ten security concerns organizations should be aware of based on OWASP documentation.

I'm new to security testing and don't know where to start. What do you recommend?
One advantage developers hold over testers is the number of 'design patterns' they enjoy. Many of the common development challenges have been solved for them, and they can apply these patterns knowing they're 'tried and true.' The great news is that testers now have a similar resource available to them for security testing. We no longer need to reinvent the wheel on every project! OWASP (Open Web Application Security Project, http://www.owasp.org) is an online, collaborative project which provides engineers with a vast amount of security-related resources. The OWASP Top Ten list is a set of testing 'design patterns' which provides test patterns for the top ten web application exploits. While testing for the top ten won't eliminate every exploit in your software, it will take you a long way toward that goal.

The top ten exploits are:

  1. Injection
  2. Cross-site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross-Site Request Forgery
  6. Security Misconfiguration
  7. Insecure Cryptographic Storage
  8. Failure to Restrict
  9. Insufficient Transport Layer Protection
  10. Unvalidated Redirects and Forwards

OWASP hasn't just identified the key exploits – the OWASP organization has invested hundreds of unpaid hours to document each of the top ten exploits, in the form of the OWASP Top 10 guide. This 22-page PDF document outlines each exploit, providing detailed information on how to test for each exploit. While it isn't a long document, this free PDF should become your handbook for security-related testing activities.

The second OWASP document every tester should print and retain is the OWASP Testing Guide. As the OWASP site describes, "this project's goal is to create a "best practices" web application penetration testing framework which users can implement in their own organizations and a "low level" web application penetration testing guide that describes how to find certain issues." The testing guide is 350 pages long and includes detailed analysis and step-by-step instructions for testing for various security-related vulnerabilities. This document is used by many educational institutions as a textbook for security testing.

This was first published in June 2010