At the fabulous, swash-buckling Ministry Of Testing, Bangalore,
we had Sylvia Killinen present on Security Testing! You can
watch the presentation recording here:
I am sharing a few questions that I wanted to ask Sylvia (although
I was driving at the time the crowdcast happened, thanks much to
Aine for covering me!).
Please feel free to add your questions too so that Sylvia can answer
them!
I apologize for the broken links in this post - the filter would not permit me to have all the ones I wanted to add.
Key experts: There aren’t a lot of dedicated, vocal security testers (yet!) but ordinary test practices can and do apply - keep talking with your favorite voices in testing, and apply what you already know to security topics! In addition, searching for security practitioners on any social media site will likely reveal some interesting writers.
You can work with your AppSec team to define and test security requirements as early as possible. Some requirements are probably known even before development begins, and you can write broad test cases based on those, then tune them to specific projects.
For web application security testing, I highly recommend The Web Application Hacker’s Handbook. Shostack’s Threat Modeling is an extremely useful guide to the practice as well.
I highly recommend reading https://blog.grimm-co.com/ and Schneier on Security for interesting security content. I’m not aware of any blogs specifically about security testing.
You can find me on Twitter, and there are many other testers available there also. @/maaretp, @/noahsussman, and @/lisacrispin come to mind.
Sadly, I am not aware of any regular webinars on this topic! (Anyone?)
You can play around in many websites and applications! I strongly recommend the challenges at overthewire(.)org (do them in the recommended order if this is all brand new) or, if you have a specific subject in mind, try searching for it on tryhackme(.)com/.
The Open Web Application Security Project (owasp(.)org) maintains extensive repositories, documentation, and tooling, all open source.
Sadly, there’s not - I like to watch various threat intelligence websites (such as BleepingComputer) to try and stay abreast of what’s happening in the world of information security.
Sorry, no; all of the test plans I have worked on are confidential.
I should really set one of these up.
OWASP ZAP (Zed Attack Proxy) is one of my favorites. Burp Suite is another excellent proxy. In addition, you can set up a Kali Linux VM to explore a huge variety of hacking and testing tools.
Hopefully the presentation answered this one - but in case it didn’t…
Threat model your application to find vulnerabilities at an architectural level.
If you are in a CI/CD process or otherwise do not have stable architecture, threat model individual data flows.
Prioritize the threats by risk.
Write and automate security test cases for the most critical threats first!