AUDIENCE:   The course is designed for software testers and test managers who will be involved in security testing of Web sites and applications. PREREQUISITES:   A good knowledge of Internet architecture and Web software testing. Attendance on the Web Software Testing course would be an ideal prerequisite. DURATION:   2 days. Lecture presentations are supported by a realistic case study, based on a fictitious Web site, which allows reinforcement of learning and enhances the understanding process. In addition, various security testing tools will be demonstrated. OBJECTIVES:   Security, or lack of it, is now perceived as a major problem for any form of on-line transaction. Whereas no system will ever be 100% secure, there are a number of security measures that can, and should, be implemented to ensure that the users of a Web site can be confident their data is reasonably protected. This course introduces attendees to the security problems associated with Web sites and how to test the security measures which have been put into place. At the end of the course attendees will be able to: - Examine a security policy and specify the types of tests necessary to ensure that the requirements contained in the policy are being met. - Scope security testing and create tests, test cases and test scripts. - Communicate adequately with appropriate technical personnel to ensure that the correct test or production environments are available. - Understand the capabilities of simple security testing tools and make a significant contribution to tool selection. - Execute basic security tests and understand the results. - Communicate with security professionals and external agencies where there is a requirement for detailed, focussed security testing. COURSE CONTENT:   Testing Security How Big is the Problem, Where is the Problem, Security Policies, Building a Policy, BS7799, ITSEC, Common Criteria, Hackers and Crackers, Security Testing Techniques, Manual Inspections & Reviews - Gap Analysis, Threat Modelling - Attack Trees, A Framework for Testing. Network Architecture Communication Protocol Models, The Four-layer Model, Packets, IP Addresses, IP v4 and v6, Transmission Control Protocol, Three-Way Handshake, HyperText Transfer Protocol, Universal Resource Locators, Domain Name System, Wired Networks, Wireless Networks, IP Spoofing, Secure Sockets Layer, Encryption, Public Key Infrastructure, SSL Sessions, Wireless Encryption. Firewalls What Firewalls Can and Can’t Do, Packet Filtering, Screening Routers, Proxy Servers, Network Address Translation, Virtual Private Networks, Sacrificial Lamb Configuration, Dual-homed Host, Screened Host Firewall System, Screened Subnet Firewall System. Information Gathering Mapping Out the Network Topology, Scope of the Testing Effort, IP Address Inventory, Ping Sweeps, Service/Socket Inventory, Port Scanning, Hardening the System Software, Web Application Fingerprinting, Testing for Error Code, Testing for Weak Cipher Levels, Testing SSL Certificate Validity, Application Code, Server Logs, Evaluating Intruder Detection, Intruder Detection Systems. Authentication Testing Default or Guessable User Accounts, Brute Force, Direct Page Requests, Parameter Modification, Session ID Prediction, File and Directory Privileges, Password Remember and Reset, Social Engineering and Insiders, Logout Testing, Cached Pages. Session Management Analysis of Session Management, Cookie Reverse Engineering, Cookie Manipulation by Guessing, Cookie Manipulation using Brute Force, Overflow, Exposed Session Tokens. Data Validation Testing Cross Site Scripting, HTTP Methods and Cross Site Tracing, SQL Injection, Relational Databases, Structured Query Language, Testing for SQL Injection, Testing for Authorisation Bypass Attacks, Testing for SELECT Statement Attacks, Testing for INSERT Statement Attacks, SSI Injection, XPath Injection, Dynamic Code, Buffer Overflows. JJ07/02