Re: testing web app security

["A.D. Douma" <addouma () home nl>]

Books:
Hacking 'Web Applications' Exposed, Osborne
Web Hacking, Osborne
Secure Coding - Principles & Practises, O'Reilly
Exploiting Software, Addison Wesley
The Shellcoder's Handbook : Discovering and Exploiting Security Holes, John
Wiley & Sons

Software:
There are many automated web application auditing tools around. F.e. you can
get a 7 day trial
licesense on sanctuminc.com 's AppScan. Not a complete solution but a good
way to see what
shape the webapp is in. (in my opinion).

One site of course is www.owasp.org.

Best regards,

Andrew

----- Original Message ----- 
From: "Michael Cunningham" <crayola () optonline net>
To: <webappsec () securityfocus com>
Sent: Friday, March 19, 2004 8:33 PM
Subject: testing web app security


> Folks,
>
> I am going to have to take on the task of testing software
> applications my company produces as they roll through the
> QA/UAT process for security concerns (can't hire anyone and software
> to automate the testing seems to be very expensive). They are
> mainly web based applications with a database backend
> and some custom java and C programs. I am aware of how sql
> injection, buffer overflows, cross site scripting, and other
> security programming problems work, but I dont have a whole lot
> of experience applying this knowledge to application testing.
>
> Are there any training courses or documents/books you can
> suggest that would help me learn the skills I need to
> make this happen? Does anyone have a site that lists tools
> (open source preferred) That I could use to help me test these
> applications?
>
> Thanks for any help you can offer,
> Mike