Web Software and Security Testing

Course: WSST
Duration: 3 Days
Level: I
Course Summary

Security, or the lack of it, is now perceived as a major problem for any form of on-line transaction. While no system will ever be 100% secure, there are a number of security measures that can, and should, be implemented to ensure that the users of a Web site can be confident their data is reasonably protected.

This course introduces attendees to the security problems associated with Web sites and how to test the security measures which have been put into place.

Topics Covered In This Course

Testing Security

  • How big is the problem, where is the problem
  • Common attack methods
  • Security policies, building a policy
  • Hackers and crackers
  • Security testing techniques
  • Manual inspections and reviews - gap analysis
  • Threat modeling - attack trees and use/misuse cases
  • A framework for testing

Internet Architecture

  • Basic Internet architecture
  • Communication protocol models, the four-layer model
  • Packets, IP addresses, IP v4 and v6
  • Transmission Control Protocol (TCP), three-way handshake
  • HyperText Transfer Protocol (HTTP)
  • Universal Resource Locators (URL), Domain Name System (DNS)
  • Intranets and extranets
  • Virtual Private Networks

Wired and Wireless Networks

  • Wired networks, wireless networks, IP spoofing
  • Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  • Encryption, Public Key Infrastructure (PKI)
  • SSL and TLS Sessions
  • Wireless encryption

Code Quality Assurance

  • Quality control and quality assurance
  • Unit testing
  • Hypertext Markup Language (HTML)
  • HTML validation
  • Images
  • Cascading Style Sheets (CSS)
  • Client-side scripting
  • Extensible Markup Language (XML)

Browsers and Web Servers

  • Client hardware and software
  • Different browsers (Internet Explorer, Firefox, Chrome, Opera, Safari, etc.)
  • Browser modes
  • Server software
  • Choosing the test environment

Navigation

  • Static and dynamic links
  • Framesets
  • Inline frames
  • Internal search engines
  • Site maps
  • Site navigation tools

Client-side Functionality

  • Forms
  • Client-side and server-side validation
  • AJAX
  • Client-side pop-ups
  • Client-side objects
  • Code signing
  • Java and the Java Virtual Machine

Server-side Functionality

  • Server-side includes
  • Dynamic page generation (ASP, PHP, Python, Ruby, etc.)
  • Common Gateway Interface (CGI)
  • Database interaction
  • Database middleware

Firewalls

  • What firewalls can and can't do
  • Packet filtering, screening routers
  • Proxy servers
  • Network address translation
  • Types of firewall configuration
  • Dual-homed host, screened host firewall system, screened subnet firewall system

Information Gathering

  • Mapping out the network topology, scoping the testing effort
  • IP address inventory, ping sweeps
  • Service/socket inventory, port scanning
  • Hardening the system software
  • Spiders, robots and crawlers
  • Web application fingerprinting
  • Using site maps
  • Testing source code
  • Testing for error code
  • Testing for weak cipher levels
  • Testing SSL certificate validity
  • Testing for file extension handling
  • Old, backup and unreferenced files, server logs
  • Evaluating intrusion detection, intrusion detection systems

Authentication Testing

  • Credentials transport testing
  • Testing for user enumeration
  • Default or guessable user accounts, brute force
  • Direct page requests, parameter modification, session ID prediction
  • File and directory privileges
  • Password remember and reset
  • Social engineering and insiders
  • Logout testing, cached pages

Session Management

  • Maintaining a session
  • Cookies
  • Private browsing
  • Analysis of session management
  • Cookie reverse engineering
  • Cookie manipulation by guessing
  • Cookie manipulation using brute force
  • Overflow
  • Exposed session tokens

Data Validation Testing

  • Cross site scripting
  • HTTP methods and cross site tracing
  • SQL injection
  • Testing for authorization bypass attacks
  • Testing for Select statement attacks
  • Testing for Insert statement attacks
  • Buffer overflows

What You Can Expect

In this course, you will learn how to:

  • Examine a security policy and specify the types of tests necessary to ensure that the requirements contained in the policy are being met.
  • Scope security testing and create tests, test cases and test scripts.
  • Communicate adequately with appropriate technical personnel to ensure that the correct test or production environments are available.
  • Understand the capabilities of simple security testing tools and make a significant contribution to tool selection.
  • Execute basic security tests and understand the results.
  • Communicate with security professionals and external agencies where there is a requirement for detailed, focused security testing.

Who Should Take This Course

Software testers, auditors, members of QA teams and test managers who will be involved in security testing and auditing of Web sites and applications.

Recommended Prerequisites

A basic knowledge of the Internet and software testing.

Training Style

Instructor-led, with 60% lecture and 40% lab.

Related Courses
Code     Course Title                                              Duration  Level
STCDEV   Software Testing Considerations for Developers            2 Days    I
UASTF    Software Testing/User Acceptance Testing Fundamentals     3 Days    I
STQA     Software Testing and Quality Assurance Techniques         3 Days    I
WSPT     Web Software and Performance Testing                      3 Days    I
JWSEC    Java Web Security                                         4 Days    II

Every student attending a Verhoef Training class will receive a certificate good for $100 toward their next public class taken within a year.

You can also buy "Verhoef Vouchers" to get a discounted rate for a single student in any of our public or web-based classes. Contact your account manager or our sales office for details.

Schedule For This Course
There are currently no public sessions scheduled for this course. We can schedule a private class for your organization just a couple of weeks from now. Or we can let you know the next time we do schedule a public session.
Can't find the course you want?
Call us at 800.533.3893, or
email us at [email protected]