Saturday 4 September 2010

Welcome to my Penetration Testing for Developers blog

This blog is about penetration testing, but instead of being aimed at security professionals it is aimed at web application developers and functional testers.

Why do developers need to know about penetration testing?
Some web developers are very security-aware. This blog is not really for them :)

However, in my experience many developers (and from here on, read 'developers' to include functional testers) do not know enough about web application security.

And I don't think it's possible to build a secure web application without knowing how the bad guys will try to compromise it!

There are many ways to learn how to build secure web applications, but I think that a basic understanding of pen testing can really bring home to developers how easy it can be to compromise their applications.
This is not to say that other training and tools, such as static source code analysis, should not be used.
Defense in depth should be applied to the development process as well as to the applications being developed.

Shouldn't pen testing be left to the professionals?
A basic understanding of pen testing techniques is no substitute for having a security expert pen test your app.

However, by learning about pen testing you will become more security-aware and hopefully will avoid including some of the basic vulnerabilities in your apps, which means the professional pen testers can concentrate on the more obscure (and interesting) vulnerabilities.
