Web Software and Security Testing
Duration: 3 Days
Security, or the lack of it, is now perceived as a major problem for any form of online transaction. While no system will ever be 100% secure, there are a number of security measures that can, and should, be implemented so that the users of a Web site can be confident their data is reasonably protected.
This course introduces attendees to the security problems associated with Web sites and how to test the security measures which have been put into place.
Topics Covered In This Course
- How big is the problem, where is the problem
- Common attack methods
- Security policies, building a policy
- Hackers and crackers
- Security testing techniques
- Manual inspections and reviews - gap analysis
- Threat modeling - attack trees and use/misuse cases
- A framework for testing
- Basic Internet architecture
- Communication protocol models, the four-layer model
- Packets, IP addresses, IPv4 and IPv6
- Transmission Control Protocol (TCP), three-way handshake
- Hypertext Transfer Protocol (HTTP)
- Uniform Resource Locators (URL), Domain Name System (DNS)
- Intranets and extranets
- Virtual Private Networks
Wired and Wireless Networks
- Wired networks, wireless networks, IP spoofing
- Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
- Encryption, Public Key Infrastructure (PKI)
- SSL and TLS Sessions
- Wireless encryption
Code Quality Assurance
- Quality control and quality assurance
- Unit testing
- Hypertext Markup Language (HTML)
- HTML validation
- Cascading Style Sheets (CSS)
- Client-side scripting
- Extensible Markup Language (XML)
Browsers and Web Servers
- Client hardware and software
- Different browsers (Internet Explorer, Firefox, Chrome, Opera, Safari, etc.)
- Browser modes
- Server software
- Choosing the test environment
- Static and dynamic links
- Inline frames
- Internal search engines
- Site maps
- Site navigation tools
- Client-side and server-side validation
- Client-side pop-ups
- Client-side objects
- Code signing
- Java and the Java Virtual Machine
- Server-side includes
- Dynamic page generation (ASP, PHP, Python, Ruby, etc.)
- Common Gateway Interface (CGI)
- Database interaction
- Database middleware
- What firewalls can and can't do
- Packet filtering, screening routers
- Proxy servers
- Network address translation
- Types of firewall configuration
- Dual-homed host, screened host firewall system, screened subnet firewall system
- Mapping out the network topology, scoping the testing effort
- IP address inventory, ping sweeps
- Service/socket inventory, port scanning
- Hardening the system software
- Spiders, robots and crawlers
- Web application fingerprinting
- Using site maps
- Testing source code
- Testing error codes and error pages
- Testing for weak SSL/TLS cipher suites
- Testing SSL certificate validity
- Testing for file extension handling
- Old, backup and unreferenced files, server logs
- Evaluating intrusion detection, intrusion detection systems (IDS)
- Credentials transport testing
- Testing for user enumeration
- Default or guessable user accounts, brute force
- Direct page requests, parameter modification, session ID prediction
- File and directory privileges
- Password remember-me and reset functions
- Social engineering and insiders
- Logout testing, cached pages
- Maintaining a session
- Private browsing
- Analysis of session management
- Cookie reverse engineering
- Cookie manipulation by guessing
- Cookie manipulation using brute force
- Exposed session tokens
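The session-management topics above (cookie reverse engineering, manipulation by guessing and brute force, session ID prediction) come down to a few repeatable checks. The Python below is an added example written for this page, not course material or code from any product: the cookie format and every session ID in it are constructed, and the 64-bit threshold in assess_tokens is an assumed test criterion, not a standard.

```python
"""Session-management tests: cookie reverse engineering and token predictability.

Added example for the session-management topics above; it is not course
material. The cookie format and all session IDs below are constructed.
"""
from __future__ import annotations

import base64
import math
import re
from collections import Counter
from typing import Optional

# Constructed: a weak cookie that is only base64 of key=value pairs.
WEAK_COOKIE = base64.b64encode(b"uid=1042;role=user;exp=1700000000").decode()

# Constructed: session IDs handed out to four consecutive logins.
SEQUENTIAL_IDS = ["0000a1f3", "0000a1f4", "0000a1f6", "0000a1f7"]
RANDOM_IDS = [
    "3f9a1c7e2b8d4056e1a9c3f7b2d85e40",
    "c04d7e21a9b3f586e7d20c4a1f98b36d",
    "8e5b3a1f6c2d9047b1e8f3a5c7d2906e",
    "17d9c2e4a6f0b8351c9e2d7a4f6b0e83",
]


def decode_cookie(value: str) -> Optional[dict]:
    """Reverse-engineer a cookie: if it base64-decodes to printable
    key=value pairs, return them; otherwise None (the token is opaque)."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if not text.isprintable():
        return None
    pairs = [p for p in text.split(";") if "=" in p]
    if not pairs:
        return None
    return dict(p.split("=", 1) for p in pairs)


def forge_cookie(fields: dict) -> str:
    """Re-encode modified fields: the manipulation step a tester tries once
    decode_cookie succeeds (for example, changing role to admin)."""
    text = ";".join(f"{k}={v}" for k, v in fields.items())
    return base64.b64encode(text.encode("ascii")).decode()


def alphabet_entropy_bits(tokens: list[str]) -> float:
    """Shannon entropy of the observed character distribution, times the
    shortest token length. A low value proves the tokens are weak; a high
    value does not prove strength, so always pair it with looks_sequential."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    per_char = -sum(c / total * math.log2(c / total) for c in counts.values())
    return per_char * min(len(t) for t in tokens)


def looks_sequential(tokens: list[str], max_step: int = 1000) -> bool:
    """True if the tokens are hex (or decimal) counters: each successive pair
    increases by at most max_step, so the next session ID is guessable."""
    if not all(re.fullmatch(r"[0-9a-fA-F]+", t) for t in tokens):
        return False
    nums = [int(t, 16) for t in tokens]
    diffs = [b - a for a, b in zip(nums, nums[1:])]
    return bool(diffs) and all(0 < d <= max_step for d in diffs)


def assess_tokens(tokens: list[str]) -> str:
    """Summarise a token sample as a test verdict (64 bits is an assumed bar)."""
    if looks_sequential(tokens):
        return "FAIL: sequential session IDs"
    if alphabet_entropy_bits(tokens) < 64:
        return "FAIL: under 64 bits of apparent entropy"
    return "PASS: no obvious predictability"


if __name__ == "__main__":
    fields = decode_cookie(WEAK_COOKIE)
    print("decoded cookie:", fields)
    if fields:
        print("forged admin cookie:", forge_cookie({**fields, "role": "admin"}))
    print("sequential sample:", assess_tokens(SEQUENTIAL_IDS))
    print("random sample:", assess_tokens(RANDOM_IDS))
```

In a real test, collect a few dozen session IDs by logging in repeatedly and feed them to assess_tokens; a decodable cookie is a finding on its own, since anything the client can read it can also rewrite unless the server signs it.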
Data Validation Testing
- Cross-site scripting (XSS)
- HTTP methods and cross-site tracing (XST)
- SQL injection
- Testing for authorization bypass attacks
- Testing for SELECT statement attacks
- Testing for INSERT statement attacks
- Buffer overflows
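The SQL injection items above (authorization bypass, SELECT statement attacks, INSERT statement attacks) are easiest to understand with a vulnerable query next to its parameterized fix and the test case that tells them apart. The Python below is an added example written for this page, not course material: it uses an in-memory SQLite database with two constructed accounts, and the payload strings are the tester's inputs, not data from any real site.

```python
"""SQL injection tests: SELECT (login bypass) and INSERT (privilege escalation).

Added example for the data-validation topics above, not course material.
Uses an in-memory SQLite database with constructed users; passwords are
stored in clear text only to keep the injection mechanics visible.
"""
import sqlite3
from typing import Callable, Optional


def setup_db() -> sqlite3.Connection:
    """Fresh in-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "Tr0ub4dor", "admin")],
    )
    return conn


# --- SELECT statement: authentication --------------------------------------

def login_vulnerable(conn, username: str, password: str) -> Optional[tuple]:
    """Deliberately vulnerable: user input is concatenated into the SQL text."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str) -> Optional[tuple]:
    """Hardened: bound parameters keep input as data, never as SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# --- INSERT statement: self-registration ------------------------------------

def register_vulnerable(conn, username: str, password: str) -> None:
    """Deliberately vulnerable: the attacker can close the VALUES list early
    and supply their own role."""
    sql = f"INSERT INTO users VALUES ('{username}', '{password}', 'user')"
    conn.execute(sql)


def register_safe(conn, username: str, password: str) -> None:
    """Hardened: the role is fixed in the SQL, the input is bound."""
    conn.execute("INSERT INTO users VALUES (?, ?, 'user')", (username, password))


def role_of(conn, username: str) -> Optional[str]:
    row = conn.execute(
        "SELECT role FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


# --- Test cases a tester would script ----------------------------------------

LOGIN_BYPASS = "admin' --"                 # comments out the password check
REGISTER_PAYLOAD = "eve', 'x', 'admin')--"  # supplies own role, comments out the rest


def login_bypass_test(login: Callable) -> bool:
    """True if a wrong password still logs in as admin (vulnerable)."""
    row = login(setup_db(), LOGIN_BYPASS, "wrong-password")
    return row is not None and row[1] == "admin"


def insert_injection_test(register: Callable) -> bool:
    """True if a self-registered account ends up with the admin role (vulnerable)."""
    conn = setup_db()
    register(conn, REGISTER_PAYLOAD, "pw")
    # The injected row is named 'eve'; the safe path stores the payload literally.
    return role_of(conn, "eve") == "admin"


if __name__ == "__main__":
    print("login_vulnerable bypassed:", login_bypass_test(login_vulnerable))
    print("login_safe bypassed:", login_bypass_test(login_safe))
    print("register_vulnerable escalated:", insert_injection_test(register_vulnerable))
    print("register_safe escalated:", insert_injection_test(register_safe))
```

The two test functions are the point for a tester: each takes the function under test, sends a fixed payload and asserts on the observable outcome (who got logged in, which role was stored) rather than on the SQL text, so the same cases apply against a real login or registration form over HTTP.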
What You Can Expect
In this course, you will learn how to:
- Examine a security policy and specify the types of tests necessary to ensure that the requirements contained in the policy are being met.
- Scope security testing and create tests, test cases and test scripts.
- Communicate adequately with appropriate technical personnel to ensure that the correct test or production environments are available.
- Understand the capabilities of simple security testing tools and make a significant contribution to tool selection.
- Execute basic security tests and understand the results.
- Communicate with security professionals and external agencies where there is a requirement for detailed, focused security testing.
Who Should Take This Course
Software testers, auditors, members of QA teams and test managers who will be involved in security testing and auditing of Web sites and applications.
Attendees should have a basic knowledge of the Internet and of software testing.
Instructor-led, with 60% lecture and 40% lab.
Software Testing Considerations for Developers
Software Testing/User Acceptance Testing Fundamentals
Software Testing and Quality Assurance Techniques
Web Software and Performance Testing
Java Web Security
Every student attending a Verhoef Training class will receive a certificate good for $100 toward their next public class taken within a year.
You can also buy "Verhoef Vouchers" to get a discounted rate for a single student in any of our public or web-based classes. Contact your account manager or our sales office for details.