Friday, February 23, 2007

OWASP Testing Guide v2 Released

OWASP has recently released the latest version of its Web Application Testing Guide. The guide provides a framework for testing throughout the software development life cycle, as well as a walk-through guide for testing web applications for known vulnerabilities using popular attacks.

If you are charged with testing a web application for security issues, are interested in learning techniques for becoming a web application pen tester, or are even a programmer, this guide should be a great source of information for you.

"But Matt, we've got a $2,000 license for PicoDyne's 'Super-Karate-Monkey-Web Application Assessment' tool. Why on earth would I spend my time going through this guide?"

Well, I'm glad you asked. Nearly all automated webappsec testing tools are stupid, literally. They plow through a web application throwing pre-defined and generated test cases at it, but they have little useful intelligence behind them. They find all of the stuff that anyone can find. Don't worry, though: these tools are fabulous as LHF (Low Hanging Fruit) detectors. They can get all of the obvious stuff out of the way and let you, the tester, spend more time focusing on the difficult things like blind SQL injection attacks.
