4.0

5
Testing Guide Foreword - By Eoin Keary
0
Testing
Guide Foreword
The problem of insecure software is perhaps the
most important technical challenge of our time. The
dramatic rise of web applications enabling business,
social networking etc has only compounded the
requirements to establish a robust approach to writing
and securing our Internet, Web Applications and Data.
Foreword by Eoin Keary, OWASP Global Board
The problem of insecure software is perhaps the most important
technical challenge of our time. The dramatic rise of web applications
enabling business, social networking etc has only compounded
the requirements to establish a robust approach to writing
and securing our Internet, Web Applications and Data.
At The Open Web Application Security Project (OWASP), we’re
trying to make the world a place where insecure software is the
anomaly, not the norm. The OWASP Testing Guide has an important
role to play in solving this serious issue. It is vitally important
that our approach to testing software for security issues is based
on the principles of engineering and science. We need a consistent,
repeatable and defined approach to testing web applications.
A world without some minimal standards in terms of engineering
and technology is a world in chaos.
It goes without saying that you can’t build a secure application
without performing security testing on it. Testing is part of a wider
approach to building a secure system. Many software development
organizations do not include security testing as part of their
standard software development process. What is even worse is
that many security vendors deliver testing with varying degrees
of quality and rigor.
Security testing, by itself, isn’t a particularly good stand alone
measure of how secure an application is, because there are an infinite
number of ways that an attacker might be able to make an
application break, and it simply isn’t possible to test them all. We
can’t hack ourselves secure and we only have a limited time to test
and defend where an attacker does not have such constraints.
In conjunction with other OWASP projects such as the Code review
Guide, the Development Guide and tools such as OWASP ZAP, this
is a great start towards building and maintaining secure applications.
The Development Guide will show your project how to architect
and build a secure application, the Code Review Guide will tell
you how to verify the security of your application’s source code,
and this Testing Guide will show you how to verify the security of
your running application. I highly recommend using these guides
as part of your application security initiatives.
Why OWASP?
Creating a guide like this is a huge undertaking, requiring the expertise
of hundreds of people around the world. There are many
different ways to test for security flaws and this guide captures
the consensus of the leading experts on how to perform this testing
quickly, accurately, and efficiently. OWASP gives like minded
security folks the ability to work together and form a leading practice
approach to a security problem.
The importance of having this guide available in a completely free
and open way is important for the foundations mission. It gives
anyone the ability to understand the techniques used to test for
common security issues. Security should not be a black art or
closed secret that only a few can practice. It should be open to all
and not exclusive to security practitioners but also QA, Developers