Testing Web Security: Assessing the Security of Web Sites and Applications

Authors: Steven Splaine, Steve Splaine, Rex Black
Publisher: John Wiley & Sons
Category: Book


This item is no longer available

Rating: 4.5 out of 5 stars 4 reviews

Media: Unbound
Shipping Weight (lbs): 1.1

ISBN: 0471447838
EAN: 9780471447832
ASIN: 0471447838

Publication Date: November 2002

Also Available In:

  • Paperback - Testing Web Security: Assessing the Security of Web Sites and Applications

Similar Items:

  • How to Break Web Software: Functional and Security Testing of Web Applications and Web Services
  • Software Testing: An ISEB Foundation
  • The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
  • Lessons Learned in Software Testing: A Context Driven Approach
  • Hacking Exposed Web Applications, Second Edition: Web Application Security Secrets and Solutions

Customer Reviews:

3 out of 5 stars Ok, but not great   August 9, 2004
 3 out of 3 found this review helpful

I ordered this book hoping to learn some new tricks, pick up a few tips and what have you.

Turns out this is really more of a basics-of-security type of book. This would be ideal for someone either new to testing, or new to security. If pitched as such, I'd probably give it a higher ranking, but if you're already comfortable with, say, the web testing tools and techniques described in Hacking Exposed, then there's not much point in buying this book.


5 out of 5 stars An Excellent Read & Reference for Testers and Test Managers   February 25, 2004
 1 out of 1 found this review helpful

Before I read Steve's book, I thought that testing the security of a Web site required huge amounts of technical knowledge including how certain operating systems, web servers, etc., actually worked. Having read the book, I realise that someone needs to know - but it needn't be me. As a tester, my job is to see if the security measures that have been put into place actually do what they are supposed to and in this context the book exceeds my requirements and expectations.

In addition, one of the problems in testing security is trying to ensure that the site does not open itself up to any unauthorised activity - accidental or not. How do you ensure 'complete coverage' of the virtually infinite number of event combinations and therefore test cases? This problem is addressed in the Test Planning and Risk Analysis sections and placed properly and pragmatically into context.

Then we get into the meat of test design. I like the way we start with scoping. What are we trying to secure and from what or whom? To answer the latter part of the question, the book delves into types of attacks - which then helps us to think about what and how to test. I particularly like the checklists (OK, I'm a checklist fan) and the lists of software tools which are available to carry out things like IP address sweeps, port scans, etc.

This part of the book has separate chapters for networks, system software, client and server-side application software. Each chapter is virtually stand-alone which makes it a good reference as well as a good read. I also like the fact that Steve has not left out the social engineering aspect of security. Finally, Test Implementation addresses the usual practical problems associated with test execution but with all the emphasis on security.

Steve Splaine has distilled into one book enough information to give testers and test managers confidence in the planning, design and execution of Web security testing. An excellent read and reference.


5 out of 5 stars Does exactly what it says on the box!   April 15, 2003
 3 out of 4 found this review helpful

Steve’s book adds a practical degree of methodical approaches and structure, common to general Software Testing principles, to an area that is often perceived as something of a ‘Dark Art’. This book now makes Security Testing far more accessible with this excellent framework for implementing effective Security Testing.

*For Testing Professionals* new to Web-Security, Steve’s book is an excellent introduction, provides a pragmatic approach to planning and organising your Security testing and is a portal to many resources that will allow you to then learn about specific technologies and security testing tools.

*Seasoned Security professionals* will find Steve’s plain-speaking and non-patronising writing style both refreshing and informative, especially in how to use Testing methodology to validate the integrity of your security architectures. Many may even find it entertaining, especially as they read the examples of the various misconceptions of Internet-security.

Testing Security is not a new concept and there are many books that cover the technicalities of how a hacker might attempt to subvert the security of specific technologies. What has been missing for a long time is a book that addresses the approach to planning and delivering an effective Security Testing programme.

I have personally managed the testing for numerous projects where security testing was an integral part of the Quality Assurance and Testing activities. If this book were available when I first became involved in Security Testing, it certainly would have saved me considerable time as it would have given me a head-start to designing my own checklists and templates. It has certainly helped me to enhance them.

"Testing Web Security" is easy to read, allowing you to comfortably skip to the sections most relevant to your needs and experience and it is almost instantly useful with the numerous templates, checklists and links provided.

This is a book that anyone involved or even interested in Security Testing will gain something from.


5 out of 5 stars Testing Web Security   January 24, 2003
 6 out of 7 found this review helpful

I first picked this book up because the subject matter had a "new twist." After almost 30 years in Information Security the concept of actually testing the security systems we are paid to maintain interested me. I thought, O.K... get ready, in a few minutes I'll be knee deep in testing jargon and theory. Not so!! To my surprise this book is incredibly readable, partially because the author sprinkles great examples throughout the book and partially because his writing style is NOT "from on high to us mortals on earth." I was very pleasantly surprised.

Besides readability I think Mr. Splaine has covered the issue of content very well. In the section on test plans he includes the idea that system documentation is an integral part of test plan documentation. Not that this is a new concept; it should be second nature to us in the IT field. The point is, he has taken care with the details and it shows in the content of the book. Another key concept in the book is "defining the scope of the network testing by identifying an appropriate set of network segments." You can define the scope to anything: servers, buildings, color of the chassis. It's nice to see him make a statement like this, provide the technobabble-to-human-speak definitions in the appendix (for those that need them) and then go forward and treat the components (all of them) as a system, not leaving bits lying around for someone else to deal with. Again, it's not that this is a new concept; it just shows how thorough he is with the subject. Looking at the chapter on Network Security "testing", the thought occurred to me that this chapter is a great basis for designing a stand-alone network security review. It's outside the scope of the book, but all the components are there in one chapter.

The organization of the book is also nice. You don't have to read the book through to use the content. Each section (or chapter for that matter) can, if needed, stand on its own. The book is broken up into 5 sections: An Introduction, Planning the Testing Effort, Test Design, Test Implementation, and Appendixes. Each chapter is filled with checklists, concepts, web sites and software recommendations that can be woven into any testing effort. In the appendix you'll find a chapter on Additional Resources. This chapter brings into one place a myriad of books and web sites that would be invaluable to anyone from the seasoned professional to someone just entering the field.

I've performed a number of security reviews and the like over the years, but after reading this book I'm thinking of revising my methods. Even though Mr. Splaine may not have meant his book to be used this way, I see it as a basis for setting up any security review for any network-based system (not just for testing new systems). This may come as a shock to Mr. Splaine (although I doubt it), but I think he's laid out the basis for carrying out a security consulting practice (not setting the practice up, but certainly proposing great methods for doing the security reviews).

Lastly, I have always been irritated by the popular concept that we "test" and go on. For my part, in security reviews, this is a blatant misconception that leads to more open systems than secure ones. Mr. Splaine has endeared himself to me by proposing the idea, throughout the book, that security testing is an ongoing process. I'm pleased to see this expressed in such a practical "how to" book. Well done.


Site powered by Amazon.co.uk