Chapter 18. Web Security Testing

Why Read This Chapter?

Security issues are becoming the gravest concern of many companies. Despite this, security testing often remains the least understood and least well-defined testing activity. It is a broad effort that requires domains of expertise beyond traditional software testing. This chapter discusses security concepts and outlines the role of testing in the larger picture of system security. It also discusses the application of security-related testing ideas and techniques to Web-based applications, including suggestions for exposing common security vulnerabilities at the application level.

Introduction

For application producers and users to feel confident in a Web-based system, they must have a reasonable level of comfort with the system's security. Unfortunately, a 100 percent secure Web-based system does not exist. Web systems involve far too many variables to allow the complete removal of all their vulnerabilities. Software, for example, one of the key components of a Web system, can never be bug-free because it is impossible to test a system completely. As a result, bugs in software components create vulnerabilities in the Web system. Additionally, ...