annathepiper: (Little Help?)
Hey all,

I've been asked to look into how to effectively test our site pages for problems such as SQL injection attacks, cross-site scripting (XSS), etc. So I wanted to put out a call to the LJ knowledge base: who all out there has experience defending against this kind of thing?

Things I want to know:

What tools, open source or otherwise, are good for this kind of testing?

What sources of information can you recommend for learning about how to defend against these attacks?

I know a big part of this will lie with our engineers coding their stuff correctly to begin with, but I want to think of this from the QA standpoint as well--what tests we can run to double-check. So if you had to test someone else's code to look for these things, how would you go about it?

Thanks in advance for any enlightenment, folks.
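
An added example, not part of the original post or any of the replies: a small Python harness sketching the kind of QA checks asked about above. It constructs an in-memory SQLite table and two sample search handlers (one deliberately vulnerable, one hardened; both invented for this illustration) and runs three probes against each: an error-based SQL injection check, a boolean-based one, and a reflected-XSS marker check. The error-signature list, the payloads and the `handler(conn, q) -> html` calling convention are assumptions made for the example, not an exhaustive scanner.

```python
"""QA-style probes for SQL injection and reflected XSS, exercised against a
constructed vulnerable search handler and its hardened counterpart."""
import html
import re
import sqlite3


def setup_db():
    """Constructed sample data: a tiny product table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("widget",), ("gadget",), ("sprocket",)])
    return conn


def vulnerable_search(conn, q):
    """The 'before' case: string-built SQL and unescaped reflection of the query."""
    try:
        rows = conn.execute(
            f"SELECT name FROM products WHERE name LIKE '%{q}%'").fetchall()
    except sqlite3.Error as exc:
        return f"<p>Database error: {exc}</p>"   # leaks the DB error to the page
    items = "".join(f"<li>{name}</li>" for (name,) in rows)
    return f"<h1>Results for {q}</h1><ul>{items}</ul>"


def hardened_search(conn, q):
    """The fix: a bound parameter for the SQL, HTML escaping for the output."""
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ?", (f"%{q}%",)).fetchall()
    items = "".join(f"<li>{html.escape(name)}</li>" for (name,) in rows)
    return f"<h1>Results for {html.escape(q)}</h1><ul>{items}</ul>"


# Error strings that commonly betray an injectable query (illustrative, not complete).
SQL_ERROR_SIGNATURES = [re.compile(p, re.I) for p in (
    r"database error",              # the generic wrapper used by the sample handler
    r"unrecognized token",          # SQLite
    r"syntax error",                # SQLite, MySQL and PostgreSQL messages all contain it
    r"unclosed quotation mark",     # SQL Server
    r"unterminated quoted string",  # PostgreSQL
    r"ORA-\d{5}",                   # Oracle
)]

NO_MATCH = "zzqa_nomatch"                     # a term that should return zero rows
BOOLEAN_PAYLOAD = NO_MATCH + "%' OR 'a%'='a"  # tautology if it breaks out of a LIKE '%...%' string
XSS_PAYLOAD = '<qa"probe>'                    # harmless marker; a problem only if reflected verbatim


def count_rows(body):
    """Count result items in the returned HTML fragment."""
    return len(re.findall(r"<li>", body))


def scan(handler, conn):
    """Run three QA checks against a handler(conn, q) -> html function."""
    findings = {}
    # 1. Error-based: a lone quote landing inside SQL usually produces a DB error.
    body = handler(conn, "'")
    findings["sqli_error"] = any(sig.search(body) for sig in SQL_ERROR_SIGNATURES)
    # 2. Boolean-based: a tautology must not return more rows than a nonsense term.
    baseline = count_rows(handler(conn, NO_MATCH))
    findings["sqli_boolean"] = count_rows(handler(conn, BOOLEAN_PAYLOAD)) > baseline
    # 3. Reflected XSS: the marker must never come back unescaped in the response.
    findings["xss_reflected"] = XSS_PAYLOAD in handler(conn, XSS_PAYLOAD)
    return findings


if __name__ == "__main__":
    db = setup_db()
    for label, handler in (("vulnerable", vulnerable_search), ("hardened", hardened_search)):
        print(label, scan(handler, db))
```

Run as a script, it reports all three findings as true for the vulnerable handler and false for the hardened one. Two caveats a tester would want to keep in mind: the XSS check only covers reflection into the HTML body (a value echoed inside an attribute or a script block needs different markers), and the hardened handler still lets `%` and `_` act as LIKE wildcards, which is a data-filtering concern rather than injection.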

Date: 2008-07-14 06:06 pm (UTC)
From: [identity profile] waysofseeing.livejournal.com
That's not a trivial question -- there are, literally, books written on the subject.

I haven't played with it but there's a set of lightweight Firefox testing tools (http://www.securitycompass.com/exploitme.shtml) with documentation that may help. A more heavyweight set of tools can be found through OWASP (http://www.owasp.org/index.php/Category:OWASP_Project).

If you've got a little time to dive into this, the guys who taught me most of what I know about security testing wrote a book (http://www.amazon.com/Hunting-Security-Bugs-Tom-Gallagher/dp/073562187X) a while back, which I recommend without hesitation.

Date: 2008-07-15 01:38 am (UTC)
From: [identity profile] sksouth.livejournal.com
Oh dang, I know that the SANS Internet Storm Center (http://isc.sans.org/) has covered testing for SQL injection vulnerability but a quick search isn't turning it up and I'm on my way out the door. Um, maybe 3 weeks or a month ago?

Date: 2008-07-15 02:45 am (UTC)
From: [identity profile] xpioti.livejournal.com
I'll ping my hubby and see if he can contact you, he's a security guru. What email address should I ask him to write to? (No guarantee that he'll be able to, his work schedule is stupidly insane.)
