Testing Web Security: Assessing the Security of Web Sites and Applications

List Price: $40.00
Your Price: $26.40

Rating: 5 stars
Summary: Testing Web Security Review
Review: Web Security Testing Review

I first picked this book up because the subject matter had a "new twist." After almost 30 years in Information Security, the concept of actually testing the security systems we are paid to maintain interested me. I thought, O.K... get ready, in a few minutes I'll be knee deep in testing jargon and theory. Not so!! To my surprise this book is incredibly readable, partially because the author sprinkles great examples throughout the book and partially because his writing style is NOT "from on high to us mortals on earth." I was very pleasantly surprised. Besides readability, I think Mr. Splain has covered the issue of content very well. In the section on test plans he includes the idea that system documentation is an integral part of test plan documentation. Not that this is a new concept; it should be second nature to us in the IT field. The point is, he has taken care with the details and it shows in the content of the book. Another key concept in the book is "defining the scope of the network testing by identifying an appropriate set of network segments." You can define the scope to anything: servers, buildings, color of the chassis. It's nice to see him make a statement like this, provide the technobabble-to-human-speak definitions in the appendix (for those that need them) and then go forward and treat the components (all of them) as a system, not leaving bits lying around for someone else to deal with. Again, it's not that this is a new concept; it just shows how thorough he is with the subject. Looking at the chapter on Network Security "testing", the thought occurred to me that this chapter is a great basis for designing a stand-alone network security review. It's outside the scope of the book, but all the components are there in one chapter.

The organization of the book is also nice. You don't have to read the book through to use the content. Each section (or chapter, for that matter) can, if needed, stand on its own. The book is broken up into 5 sections: An Introduction, Planning the Testing Effort, Test Design, Test Implementation, and Appendixes. Each chapter is filled with checklists, concepts, web sites and software recommendations that can be woven into any testing effort. In the appendix you'll find a chapter on Additional Resources. This chapter brings into one place a myriad of books and web sites that would be invaluable to anyone from the seasoned professional to someone just entering the field.

I've performed a number of security reviews and the like over the years, but after reading this book I'm thinking of revising my methods. Even though Mr. Splain may not have meant his book to be used this way, I see it as a basis for setting up any security review for any network-based system (not just for testing new systems). This may come as a shock to Mr. Splain (although I doubt it), but I think he's laid out the basis for carrying out a security consulting practice (not setting the practice up, but certainly proposing great methods for doing the security reviews).

Lastly, I have always been irritated by the popular concept that we "test" and go on. For my part, in security reviews, this is a blatant misconception that leads to more open systems than secure ones. Mr. Splain has endeared himself to me by proposing the idea throughout the book that security testing is an ongoing process. I'm pleased to see this expressed in such a practical "how to" book. Well done.


© 2004, ReviewFocus or its affiliates