The OWASP Testing Project has been in development for many years. The aim of the project is to help people understand the what, why, when, where, and how of testing web applications. The project has delivered a complete testing framework, not merely a simple checklist or prescription of issues that should be addressed. Readers can use this framework as a template to build their own testing programs or to qualify other people’s processes. The Testing Guide describes in detail both the general testing framework and the techniques required to implement the framework in practice.

Writing the Testing Guide has proven to be a difficult task. It was a challenge to obtain consensus and develop content that allowed people to apply the concepts described in the guide, while also enabling them to work in their own environment and culture. It was also a challenge to change the focus of web application testing from penetration testing to testing integrated in the software development life cycle.

However, the group is very satisfied with the results of the project. Many industry experts and security professionals, some of whom are responsible for software security at some of the largest companies in the world, are validating the testing framework. This framework helps organizations test their web applications in order to build reliable and secure software. The framework does not simply highlight areas of weakness, although the latter is certainly a by-product of many of the OWASP guides and checklists. As such, hard decisions had to be made about the appropriateness of certain testing techniques and technologies. The group fully understands that not everyone will agree upon all of these decisions. However, OWASP is able to take the high ground and change culture over time through awareness and education based on consensus and experience.

The rest of this guide is organized as follows: this introduction covers the pre-requisites of testing web applications and the scope of testing. It also covers the principles of successful testing and testing techniques, best practices for reporting, and business cases for security testing. Chapter 3 presents the OWASP Testing Framework and explains its techniques and tasks in relation to the various phases of the software development life cycle. Chapter 4 covers how to test for specific vulnerabilities (e.g., SQL Injection) by code inspection and penetration testing.

Measuring Security: the Economics of Insecure Software

A basic tenet of software engineering is summed up in a quote from Controlling Software Projects: Management, Measurement, and Estimates by Tom DeMarco: “You can’t control what you can’t measure.”