Published by Rob Lambert
Security on the web is a hot topic. It’s essential that security is taken seriously and that users’ data and activities are secure whilst they interact with your site.
I think it’s important that all website owners, builders and testers get familiar with some of the basic concepts of security testing. As a minimum I would suggest understanding the OWASP Top Ten security vulnerabilities.
There are a number of tools and techniques for spotting some of the more obvious security flaws. For compliance and critical systems I would always advocate the use of an external “Penetration Test” by a trusted company.
How to test for security bugs
One of the easiest ways to perform security testing against your application is to use a scanning tool like Burp Suite or Zed Attack Proxy.
Using the scanner option (a paid-for option in Burp Suite) allows you to scan the application under test. You can usually do a passive scan (it only inspects the traffic you generate and will not exploit any vulnerabilities it discovers) or an active scan (it will send payloads and attempt to exploit what it finds).
The scanners usually scan as you work through the application, which makes hunting for vulnerabilities somewhat easier. The real skill comes in knowing where to look, what data to pass in and what to do with gaps and vulnerabilities when you find them.
Caution: Ensure you use the right scan setting (active or passive) and the right scope (only the domains you want to scan). It's very easy to accidentally "security test" a public-facing website that isn't yours. And that's illegal in most countries. Be careful.
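Both Burp Suite and ZAP let you define a target scope in the tool itself; as an added example (my own code, not from the post or from either tool), here is a small Python scope guard that checks candidate URLs against an explicit allowlist before they are handed to a scanner, rejecting the usual accidents (lookalike hosts, credentials in the URL, non-HTTP schemes). The hostnames are constructed.

```python
"""Scope guard for scanner targets (added example, not the post's code)."""
from typing import Iterable, Optional, Sequence, Tuple, List
from urllib.parse import urlsplit

# Constructed allowlist of hosts we are authorised to scan. An entry that
# starts with "." (e.g. ".staging.example.test") also covers every subdomain.
ALLOWED_SCOPE: Sequence[str] = ("app.example.test", ".staging.example.test")


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname drops any "user:pw@" userinfo and the port, and lowercases,
    # so "http://app.example.test@attacker.example/" yields attacker.example.
    return parts.hostname


def in_scope(url: str, scope: Sequence[str] = ALLOWED_SCOPE) -> bool:
    """True only if the URL's host is exactly allowed or a listed subdomain."""
    host = host_of(url)
    if host is None:
        return False
    for entry in scope:
        if entry.startswith("."):
            # Wildcard entry: the parent itself, or any host ending in ".parent".
            # Matching on the dot boundary means "evil-staging.example.test"
            # and "staging.example.test.attacker.example" are both rejected.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def split_targets(urls: Iterable[str],
                  scope: Sequence[str] = ALLOWED_SCOPE) -> Tuple[List[str], List[str]]:
    """Partition candidate URLs into (in_scope, out_of_scope) lists."""
    inside: List[str] = []
    outside: List[str] = []
    for url in urls:
        (inside if in_scope(url, scope) else outside).append(url)
    return inside, outside
```

Feed only the first list of `split_targets` to the scanner and review the second by hand; a non-empty second list usually means the proxy picked up third-party links while you browsed.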
Security testing is far too big a topic to cover in this guide, so it’s worth getting a book and reading more about building threat profiles, using the tools of the trade and how to sniff out vulnerabilities for deeper attacks. It’s a really fascinating topic and there are loads of resources on it.
At the time of writing this guide, if your product is on the Salesforce AppExchange you get a free licence for Burp Suite.
Zed Attack Proxy - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Web Hackers book - http://www.amazon.co.uk/gp/product/1118026470/ref=as_li_tl?ie=UTF8&camp=1634&creative=19450&creativeASIN=1118026470&linkCode=as2&tag=thesoctes-21&linkId=O5MXEHIOOFFJL6O6
OWASP Top Ten - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Plynt Security Testing Experts - http://www.plynt.com/
Start with the threat profile - http://securityalliance.co.uk/blog/web-application-security-testing-threat-profile/
If you’re interested in a career in Software Testing then check out my book Remaining Relevant And Employable (Tester’s Edition) - it’s packed full of ideas about writing good CVs, communicating your value to employers and doing well in an interview.