
Security testing

Web Security Testing Cookbook

security testing | security testing tools
An O’Reilly book on web security testing is about to be released. I was a previewer for the book and have been reading chunks of the book these past months. The book is highly readable and packed with ideas. I learned a lot previewing the copy and chatting and emailing with Paco Hope and Ben Walther. See O’Reilly. Cheers to Ben and Paco.

Here’s a look at the table of contents -

Claims testing in New York taxis

perspectives | security testing | usability testing
Back in 2001, I was lucky enough to be visiting James Bach’s Satisfice lab for the WHET 2 workshop. The night before, I was talking to James and Cem Kaner, when James showed us the box that some software came in and asked how we would test it. We both responded that we would read the claims on the box and attempt to verify those. I think this was the first time I heard the term “claims testing”. It was during this visit that I also saw an in-car GPS system for the first time, in a car full of testers suggesting various tests involving potentially dangerous driving!

I hope no one tries to test some recent claims by a vendor of technology for New York City taxis. They now have GPS installed, as well as some other extras. It seems someone went for a taxi ride recently, found a PC screen mounted on the seat back, clicked past an error message, and did some mischief. They then blogged about it, and then it was picked up in the media (via a comment on the blog post). Of course the technology company had to respond, both with a blog comment and to the media. The claims of the technology company include such gems as “There are extensive contract-required security protocols in place, which have exceeded government and credit card industry standards and have been stringently tested by our internal and external security experts, which fully prevent access to anything other than media content files residing in the taxicab itself. There is no potential for any malicious activity.”

Windows command line tools

security testing
From Lesson 2 - Basic commands in Linux and Windows I learned three cool new Windows tools I didn't know about.

tracert host
Show the route that packets follow to reach the machine "host". The command tracert is an abbreviation of trace route; it lets you learn the route a packet follows from the origin (your machine) to the destination machine, and the time each hop takes. At most 30 hops are listed by default. It is sometimes interesting to observe the names of the machines through which the packets travel.

route print
Display the routing table. The route command is used to define static routes, to delete routes, or simply to see the state of the current routes.

netstat
Displays information on the status of the network and established connections with remote machines.
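The three commands above are usually run one after another and then read by eye. The PowerShell script below is an added example, not from the original post or the Hacker High School lesson: it runs all three against one target and then does the step a tester wants next, turning netstat's text rows into objects and pairing each established connection with the process that owns it. `$Target` is an assumed placeholder; replace it with a host you are allowed to probe.

```powershell
# Added example (not the blog's or the lesson's own code).
# $Target is an assumed placeholder; point it at a host you may probe.
param(
    [string]$Target = 'example.com'
)

# tracert: -d skips reverse DNS lookups on each hop (faster, addresses still
# shown), -h sets the hop limit; 30 is tracert's own default.
tracert -d -h 30 $Target

# route: print only the IPv4 table, which keeps the output readable.
route -4 print

# netstat: -a all sockets, -n numeric addresses, -o owning process id.
# Keep established TCP connections only and turn each row into an object.
$established = netstat -ano |
    Where-Object { $_ -match '^\s*TCP\s' -and $_ -match '\sESTABLISHED\s' } |
    ForEach-Object {
        # Columns: Proto, Local Address, Foreign Address, State, PID
        $col = $_.Trim() -split '\s+'
        $owningPid = [int]$col[4]
        [pscustomobject]@{
            LocalAddress  = $col[1]
            RemoteAddress = $col[2]
            State         = $col[3]
            OwningPid     = $owningPid
            # Resolve the PID to a name; a process that has already exited
            # simply yields an empty name rather than an error.
            ProcessName   = (Get-Process -Id $owningPid -ErrorAction SilentlyContinue).ProcessName
        }
    }

# A remote endpoint owned by a process you do not recognise is the first
# thing to look at.
$established | Sort-Object RemoteAddress | Format-Table -AutoSize
```

Save it as a .ps1 file and run it from an ordinary prompt; none of the three tools need elevation for the switches used here (netstat -b, which shows the executable name directly, does). The parse relies on netstat's fixed column order, so if you localise or change the switches, adjust the column indexes.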

Fun with Google

security testing
I'm doing some self education with security testing again. It's been a while. I'm back to Hacker High School working the lessons.

Today, it's fun with Google. I can't hack any real sites, so I thought I would try to find stuff on some of my sites. I found a lot of good detail by reading Google Hacking Mini-Guide by Johnny Long.

"Regretfully, we don't know how to protect data even though we spend millions on it every year..."

security testing
Crap. That's what I have to say. First paragraph:
We value the trust people place in |Company|. Regretfully, we have learned that a computer, which contained information about you including your name, address, Social Security Number from your |Company| inquiry or application on |Date|, is missing and may have been stolen. The computer had two layers of security, and we have no indication that the information has been accessed or misused.

Security Testing

security testing
First, a must read article Anatomy Of A Break-In by Ira Winkler. What an incredible experience report.

Second, I've been reading Security in Computing, 3rd Edition by Pfleeger and Pfleeger. I'm reading this text for a class. In general, I hate textbooks. I think they tend to say in 700 pages what a good author can say in 200 pages. I'm pleased to say that (for the most part) I find this one well written, challenging, and informative.

Security Testing

security testing
Last month we held the December session of the Indianapolis Workshop on Software Testing. The attendees were:
  • Andrew Andrada
  • Charlie Audritsh
  • Mike Goempel
  • Michael Kelly
  • Marc Labranche
  • Kenn Petty
  • Vishal Pujary
  • Tate Stuntz
The topic we focused on for the five-hour workshop was security testing.

June 2005 Professional Tester : A review

security testing
June 2005's Professional Tester is now out and came through my door this morning, interesting trick I thought, till I remembered the invention of the letter box.
There are a couple of articles of interest, not all on this issue's slant on security testing either.

Three articles really stand out for me this time round:

"Julian Harty":http://www.commercetest.com/: A Primer in software security testing.