Article: "Security Testing Demystified"

From: Debasis Mohanty (mail@hackingspirits.com)
Date: Wed Jan 18 2006 - 15:40:37 EST

• Next message: Bojan Zdrnja: "Re: Pen testing Fiber Channel"
• Previous message: John Madden: "PHP and MySQL"
• Next in thread: Doug Fox: "Re: Article: "Security Testing Demystified""
• Reply: Doug Fox: "Re: Article: "Security Testing Demystified""
• Reply: Dotzero: "Re: Article: "Security Testing Demystified""
• Maybe reply: Bob Radvanovsky: "RE: Article: "Security Testing Demystified""
• Maybe reply: Bob Radvanovsky: "RE: Article: "Security Testing Demystified""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hello List Members,

This is an announcement for the release of the article called "Security
Testing Demystified". This article has been written in very simple language
which can be understood not only by security testers but also can be read &
understood by non-technical managers as well.

Just to summarise, this article doesn't talk anything specific about a
particular type of attack rather demonstrate a holistic approach for
security testing. At a broader level it covers the following areas -

- Anatomy of Security Testing
o Understanding the product and its architecture
o Identifying possible attack vectors
o Preparation of test cases
o Vulnerability Research & Discovery
o Exploitation of vulnerabilities found
o Compilation of final security testing report
o Final discussions of bug findings and fixes

- Briefs about various mistakes and assumptions made by programmers
o Talks about why HTTP-REFERRER is a bad thing to rely on
o How important it is to validate all client side info sent to the
server?
o [. . .]

- How to identify potential attack vectors?
- How wild and evil imaginations are important attributes for a
security tester?
- Anatomy of a Security Testing Report
- Why a final live hack demo is a good thing to do?

I started writing this article in the month of march, 2005 however, due to
time constraints I got almost delayed by 10 months. This article can be
downloaded from -
http://www.hackingspirits.com/eth-hac/papers/whitepapers.asp

Feel free to mail me for any kind of queries or suggestions at - debasis
[at] hackingspirits.com or debasis_mty [at] yahoo.com

Regards,
Debasis Mohanty
www.hackingspirits.com

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Bojan Zdrnja: "Re: Pen testing Fiber Channel"
• Previous message: John Madden: "PHP and MySQL"
• Next in thread: Doug Fox: "Re: Article: "Security Testing Demystified""
• Reply: Doug Fox: "Re: Article: "Security Testing Demystified""
• Reply: Dotzero: "Re: Article: "Security Testing Demystified""
• Maybe reply: Bob Radvanovsky: "RE: Article: "Security Testing Demystified""
• Maybe reply: Bob Radvanovsky: "RE: Article: "Security Testing Demystified""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:23 EDT