4.0
1NSchAb
1NSchAb
- No tags were found...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
5<br />
Testing Guide Foreword - By Eoin Keary<br />
0<br />
Testing<br />
Guide Foreword<br />
The problem of insecure software is perhaps the<br />
most important technical challenge of our time. The<br />
dramatic rise of web applications enabling business,<br />
social networking etc has only compounded the<br />
requirements to establish a robust approach to writing<br />
and securing our Internet, Web Applications and Data.<br />
Foreword by Eoin Keary, OWASP Global Board<br />
The problem of insecure software is perhaps the most important<br />
technical challenge of our time. The dramatic rise of web applications<br />
enabling business, social networking etc has only compounded<br />
the requirements to establish a robust approach to writing<br />
and securing our Internet, Web Applications and Data.<br />
At The Open Web Application Security Project (OWASP), we’re<br />
trying to make the world a place where insecure software is the<br />
anomaly, not the norm. The OWASP Testing Guide has an important<br />
role to play in solving this serious issue. It is vitally important<br />
that our approach to testing software for security issues is based<br />
on the principles of engineering and science. We need a consistent,<br />
repeatable and defined approach to testing web applications.<br />
A world without some minimal standards in terms of engineering<br />
and technology is a world in chaos.<br />
It goes without saying that you can’t build a secure application<br />
without performing security testing on it. Testing is part of a wider<br />
approach to building a secure system. Many software development<br />
organizations do not include security testing as part of their<br />
standard software development process. What is even worse is<br />
that many security vendors deliver testing with varying degrees<br />
of quality and rigor.<br />
Security testing, by itself, isn’t a particularly good stand alone<br />
measure of how secure an application is, because there are an infinite<br />
number of ways that an attacker might be able to make an<br />
application break, and it simply isn’t possible to test them all. We<br />
can’t hack ourselves secure and we only have a limited time to test<br />
and defend where an attacker does not have such constraints.<br />
In conjunction with other OWASP projects such as the Code review<br />
Guide, the Development Guide and tools such as OWASP ZAP, this<br />
is a great start towards building and maintaining secure applications.<br />
The Development Guide will show your project how to architect<br />
and build a secure application, the Code Review Guide will tell<br />
you how to verify the security of your application’s source code,<br />
and this Testing Guide will show you how to verify the security of<br />
your running application. I highly recommend using these guides<br />
as part of your application security initiatives.<br />
Why OWASP?<br />
Creating a guide like this is a huge undertaking, requiring the expertise<br />
of hundreds of people around the world. There are many<br />
different ways to test for security flaws and this guide captures<br />
the consensus of the leading experts on how to perform this testing<br />
quickly, accurately, and efficiently. OWASP gives like minded<br />
security folks the ability to work together and form a leading practice<br />
approach to a security problem.<br />
The importance of having this guide available in a completely free<br />
and open way is important for the foundations mission. It gives<br />
anyone the ability to understand the techniques used to test for<br />
common security issues. Security should not be a black art or<br />
closed secret that only a few can practice. It should be open to all<br />
and not exclusive to security practitioners but also QA, Developers