ELWSECT – Web Security Testing

  • Code: ELWSECT
  • Duration: 2 days
  • Price per delegate: £750.00 +VAT

Trained over 60000 delegates

Course delivered by industry expert instructors

Highly competitive pricing


Web Security Testing (WST)

Course Description
Security, or the lack of it, is now perceived as a major problem for any form of online transaction. While no system will ever be 100% secure, there are a number of security measures that can, and should, be implemented so that the users of a Web site can be confident their data is reasonably protected. This course introduces attendees to the security problems associated with Web sites and shows how to test the security measures that have been put in place.
The course is instructor-led, with lecture presentations supported by hands-on testing of a number of fictitious Web sites, which reinforces the learning and deepens understanding. In addition, various security testing tools will be demonstrated.
Target Student
The course is designed for software testers and test managers who will be involved in security testing of Web sites and applications.
Prerequisites
A good knowledge of Internet architecture and Web software testing. Attendance on the Web Software Testing course would be an ideal prerequisite.
Performance-Based Objectives
Upon successful completion of this course, students will be able to:
  • Examine a security policy and specify the types of tests necessary to ensure that the requirements contained in the policy are being met.
  • Scope security testing and create tests, test cases and test scripts.
  • Communicate adequately with appropriate technical personnel to ensure that the correct test or production environments are available.
  • Understand the capabilities of simple security testing tools and make a significant contribution to tool selection.
  • Execute basic security tests and understand the results.
  • Communicate with security professionals and external agencies where there is a requirement for detailed, focused security testing.
Course Content
Testing Security
  • How big is the problem, where is the problem
  • Common attack methods
  • Security policies, building a policy
  • Hackers and crackers
  • Security testing techniques
  • Manual inspections and reviews - gap analysis
  • Threat modelling - attack trees and use/misuse cases
  • A framework for testing
Network Architecture
  • Communication protocol models, the four-layer model
  • Packets, IP addresses, IP v4 and v6
  • Transmission Control Protocol (TCP), three-way handshake
  • HyperText Transfer Protocol (HTTP)
  • Universal Resource Locators (URL), Domain Name System (DNS)
  • Wired networks, wireless networks, IP spoofing
  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  • Encryption, Public Key Infrastructure (PKI), SSL sessions
  • Wireless encryption
Firewalls
  • What firewalls can and can't do
  • Packet filtering, screening routers
  • Proxy servers
  • Network address translation
  • Virtual private networks
  • Types of firewall configuration
  • Dual-homed host, screened host firewall system, screened subnet firewall system
Information Gathering
  • Mapping out the network topology, scoping the testing effort
  • IP address inventory, ping sweeps
  • Service/socket inventory, port scanning
  • Hardening the system software
  • Spiders, robots and crawlers
  • Web application fingerprinting
  • Using site maps
  • Testing source code
  • Testing for error codes
  • Testing for weak cipher levels
  • Testing SSL certificate validity
  • Testing for file extension handling
  • Old, backup and unreferenced files, server logs
  • Evaluating intruder detection, intruder detection systems
Authentication Testing
  • Credentials transport testing
  • Testing for user enumeration
  • Default or guessable user accounts, brute force
  • Direct page requests, parameter modification, session ID prediction
  • File and directory privileges
  • Password remember and reset
  • Social engineering and insiders
  • Logout testing, cached pages
Session Management
  • Analysis of session management
  • Cookie reverse engineering
  • Cookie manipulation by guessing
  • Cookie manipulation using brute force
  • Overflow
  • Exposed session tokens
Data Validation Testing
  • Cross site scripting
  • HTTP methods and cross site tracing
  • SQL injection
  • Relational databases, Structured Query Language (SQL)
  • Testing for SQL injection
  • Testing for authorisation bypass attacks
  • Testing for Select statement attacks
  • Testing for Insert statement attacks
  • SSI injection
  • XPath injection
  • Dynamic code
  • Buffer overflows