Recommendations for security-related QA?
Jul. 14th, 2008 09:25 am
Hey all,
I've been asked to look into how to effectively test our site pages for problems such as SQL injection attacks, cross-site scripting, XSS, etc. So I wanted to put out a call to the LJ knowledge base: who all out there has experience defending against this kind of thing?
Things I want to know:
What tools, open source or otherwise, are good for this kind of testing?
What sources of information can you recommend for learning about how to defend against these attacks?
I know a big part of this will lie with our engineers coding their stuff correctly to begin with, but I want to think of this from the QA standpoint as well--what tests we can run to double-check. So if you had to test someone else's code to look for these things, how would you go about it?
Thanks in advance for any enlightenment, folks.
no subject
Date: 2008-07-14 06:06 pm (UTC)
I haven't played with it but there's a set of lightweight Firefox testing tools (http://www.securitycompass.com/exploitme.shtml) with documentation that may help. A more heavyweight set of tools can be found through OWASP (http://www.owasp.org/index.php/Category:OWASP_Project).
If you've got a little time to dive into this, the guys who taught me most of what I know about security testing wrote a book (http://www.amazon.com/Hunting-Security-Bugs-Tom-Gallagher/dp/073562187X) awhile back, which I recommend without hesitation.