OWASP Testing Guide 4.0

Testing Guide Foreword

Foreword by Eoin Keary, OWASP Global Board

The problem of insecure software is perhaps the most important technical challenge of our time. The dramatic rise of web applications enabling business, social networking etc. has only compounded the requirements to establish a robust approach to writing and securing our Internet, Web Applications and Data.

At The Open Web Application Security Project (OWASP), we're trying to make the world a place where insecure software is the anomaly, not the norm. The OWASP Testing Guide has an important role to play in solving this serious issue. It is vitally important that our approach to testing software for security issues is based on the principles of engineering and science. We need a consistent, repeatable and defined approach to testing web applications. A world without some minimal standards in terms of engineering and technology is a world in chaos.

It goes without saying that you can't build a secure application without performing security testing on it. Testing is part of a wider approach to building a secure system. Many software development organizations do not include security testing as part of their standard software development process. What is even worse is that many security vendors deliver testing with varying degrees of quality and rigor.

Security testing, by itself, isn't a particularly good stand-alone measure of how secure an application is, because there are an infinite number of ways that an attacker might be able to make an application break, and it simply isn't possible to test them all. We can't hack ourselves secure, and we only have a limited time to test and defend where an attacker does not have such constraints.

In conjunction with other OWASP projects such as the Code Review Guide, the Development Guide and tools such as OWASP ZAP, this is a great start towards building and maintaining secure applications. The Development Guide will show your project how to architect and build a secure application, the Code Review Guide will tell you how to verify the security of your application's source code, and this Testing Guide will show you how to verify the security of your running application. I highly recommend using these guides as part of your application security initiatives.

Why OWASP?

Creating a guide like this is a huge undertaking, requiring the expertise of hundreds of people around the world. There are many different ways to test for security flaws, and this guide captures the consensus of the leading experts on how to perform this testing quickly, accurately, and efficiently. OWASP gives like-minded security folks the ability to work together and form a leading-practice approach to a security problem.

Having this guide available in a completely free and open way is important for the foundation's mission. It gives anyone the ability to understand the techniques used to test for common security issues. Security should not be a black art or closed secret that only a few can practice. It should be open to all and not exclusive to security practitioners but also QA, Developers
