Chapter 10. Security Testing

Currently there is a false sense of security within the IT industry. Given the state of software today, it is impossible to build web applications that are 100 percent secure. Given enough time, knowledge, and effort, someone will be able to find a weak spot (also known as a hole or exploit) and compromise your application. Coming to terms with this realization sooner rather than later will help you develop web applications much more defensively.

In my opinion, security testing is the most difficult testing discipline for web applications. Not only do you need to test the code you have written to ensure that it is secure, you must also ensure that all the applications within your operating environment (operating system, web server, programming frameworks) are also secure. The initial learning curve for testing the security of web applications is steep, and the "mindset" required to try to compromise a system is a difficult role to assume. For this reason, many development shops outsource security assessments and security testing to firms that specialize in this discipline. When security testing is performed by a company that specializes in security, not only do you have experts performing the tests, but you also have a third party that comes into the project with no preconceived notions or bias.

However, just because security testing is hard and has a large initial learning curve to get started, doesn't mean you shouldn't ...

Get Testing ASP.NET Web Applications now with the O’Reilly learning platform.