I’ll be speaking at Software Test & Performance in Boston in October 2007.
Wednesday, October 3, 10:15 am — 11:15 am
**103 Web Application Security**
By Paco Hope
For security efforts to take root and bear fruit, security testing has to become a regular part of testing software. Just as we test its functionality, we must begin testing our Web software for security as a matter of course. Fortunately, Web applications submit readily to automated testing. There are many free tools that let us impersonate a browser, parse the response and report on results.
In this class, we’ll explore two flexible and powerful tools useful in automated Web security tests: cUrl and Perl. CUrl is a free program that helps us automate basic requests. Perl is a well-known programming language ideally suited for writing scripts that test Web applications. We’ll look at the basics of automating tests in both ways, and also explore some of the more complicated concerns that arise during automation: authentication, session state and parsing responses.
The techniques in this class apply regardless of whether your Web platform is Java EE, .NET or something custom. The techniques are also independent of whether your test platform is Windows, Mac OS X, Linux or Unix. You’ll leave with an understanding of the basics and a long list of resources you can turn to for learning more about Web security test automation.
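As an added illustration of the Perl side of this (not code from the talk or its materials), the script below automates one access-control test: it logs in, keeps the session cookie in an in-memory jar, parses the protected page's title, then confirms the same page is refused once the session cookie is gone and that the cookie was issued with the Secure and HttpOnly attributes. The base URL, the `/login` and `/account` paths, the form field names and the credentials are all assumed placeholders.

```perl
#!/usr/bin/perl
# Added example: a Perl/LWP security test covering authentication,
# session state and response parsing. Target, paths, form fields and
# credentials are assumptions, not values from any real application.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
use HTML::TokeParser;

my $base = 'https://app.example.test';            # assumed target
my $jar  = HTTP::Cookies->new;                    # session state lives here
my $ua   = LWP::UserAgent->new(cookie_jar => $jar, max_redirect => 0);

sub report { printf "%-40s %s\n", $_[0], $_[1] ? 'PASS' : 'FAIL' }

# 1. Authenticate the way a browser submits the login form (assumed fields).
my $login = $ua->post("$base/login",
    { username => 'tester', password => 'placeholder-secret' });
die 'login request failed: ' . $login->status_line
    unless $login->is_success || $login->is_redirect;

# 2. Every Set-Cookie from the login response should carry Secure + HttpOnly.
my @set_cookie = $login->header('Set-Cookie');   # list context: all values
my $flags_ok = @set_cookie > 0;
for my $c (@set_cookie) {
    $flags_ok = 0 unless $c =~ /;\s*secure\b/i && $c =~ /;\s*httponly\b/i;
}
report('session cookie has Secure+HttpOnly', $flags_ok);

# 3. With the session cookie, the protected page is served; parse its title.
my $auth  = $ua->get("$base/account");
my $html  = $auth->decoded_content // '';
my $p     = HTML::TokeParser->new(\$html);
my $title = $p->get_tag('title') ? $p->get_trimmed_text('/title') : '';
report('protected page served with session',
    $auth->code == 200 && $title =~ /account/i);   # expected title is assumed

# 4. Drop the session; the same page must now be refused or redirected.
$jar->clear;
my $anon = $ua->get("$base/account");
report('protected page refused without session',
    $anon->code == 401 || $anon->code == 403 || $anon->is_redirect);
```

Because `max_redirect` is 0, a redirect to the login page is observed as a 3xx response rather than silently followed, which is what makes the "refused without session" check meaningful.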