Web Security Testing Cookbook. By Paco Hope and Ben Walther; published by O’Reilly Media, www.oreilly.com (Web); 320 pages; $39.99.
Given the dramatic increase in Web application attacks and the number of proprietary databases accessible via the Web, application security testing is critical for any Web-facing enterprise. Its developers need to know how their applications can be “broken” and how these Web services can be fixed so as to avoid compromise.
Web Security Testing Cookbook’s focus is how Web applications can be tested, with an emphasis on security; the book is most useful to application developers and security testers, not penetration testers. Developers responsible for writing unit tests for their Web components will appreciate the myriad free tools that are available via the book. Quality assurance professionals who are testing entire Web applications will be interested in the automation and development of test cases that can easily be consolidated into regression testing.
Unlike ad hoc security tests, the book’s “recipes” are repeatable, concise, and systematic—perfect for integrating into a regular test suite. They cover the basics from observing messages between clients and servers to multi-layered tests that script logins and execution of Web application features.
Unfortunately, as often happens with technical texts, many of the tools described have been updated since the original writing, and many have been replaced by more powerful applications. Having said that, some older tools recommended in the book remain effective and are still used widely. A clear omission from the book is the Metasploit Framework, a “white hat” effort to develop exploit code to find system vulnerabilities. The topic may, however, have been judged too complicated for some readers.
Web Security Testing Cookbook does a good job of assisting developers and testers in their quest to improve the way Web applications are deployed and to protect the precious data that resides on their Web sites. Those developers and quality assurance testers who are not already familiar with and practicing effective security design strategies should read this book and apply the recipes found therein.
Reviewer: Don Fergus is CSO of Intekras, Inc. Over his 30 years in IT audit, risk management, and system/network security, Fergus has worked for a number of global banks, communications providers, and high-risk enterprises. He is a member of the ASIS International Information Technology Security Council.