
What? Why? Who? And How? Of Application Security Testing


Passive testing left several of my internet-facing projects with little regard for security beyond the traditional access control matrix. Upon deciding to take a more assertive approach to security testing, I found flaws in our testing, development, design and requirements capture processes and began to challenge the situation. I found allies in the security team who admitted they could only cope with filtering out some attacks at the network perimeter. If attacks got inside the perimeter, the battle was probably lost. The realization that application security was substantially different from transport layer security led to a firm belief that project teams need to become more self-reliant in building and maintaining security throughout the entire software lifecycle.

With no budget or management approval, I set about learning and applying application security to every project assigned to me. It wasn't easy, but it started to produce positive results. I set my own scope and wrote a set of app-sec testing procedures, then a set of development guidelines, and distributed them to everyone involved in project development or maintenance. Gradually the ideas gained acceptance and eventually received full management backing. This is the story of how that came about.

Key Takeaways:

  • Gain an insight into application security.
  • Understand the weaknesses of conventional security solutions.
  • Begin to include practical security in your projects.



Declan O'Riordan

I had never spoken in public before 2014, yet set myself the goals of being accepted as a speaker for EuroSTAR, winning the prize for best conference paper, and having my talk voted the ‘do-over session’ that attendees would most like to have repeated. All these goals were achieved, and have led to my joining the 2015 EuroSTAR programme committee. My long journey to these attainments is described in the eBook ‘What? Why? Who? And How? Of Application Security’.

Twitter: @DeclanTestingIT

7 comments to What? Why? Who? And How? Of Application Security Testing

  1. Thomas Ponnet says:

    Hello and thanks for sharing the article.
    The answer to the question “Do we have a problem here?” is most definitely “Yes!”
    After registering, picking the email out of the Spam folder and clicking the approve link a new page opened saying something along the lines of “the account is now approved”.
    Only, login is still not possible, with the message

    “ERROR: Your account is still pending approval.”

    So either the account is still pending approval and the message was wrong or something else did not work.
    Clicking the link a second time results in the message “Invalid activation key” which makes sense as it was used once before but is not helpful for the user.
    Now, reading the block of text next to the activate button (which I didn't do before, as I only read the highlighted message that my account is activated), it says that the account will now need to be reviewed by the admin team. OK, that explains it, but...
    I learned from an ecommerce company that if you want new customers you do everything to get them in as easily as possible, otherwise you won’t get paid. Protecting from spam is a good thing but when the hurdles are so high that users turn around and go I’d suggest reviewing the process. Good thing I’m a sw tester and like a challenge, otherwise I’d be gone as well 🙂

    • Ronan says:

      Thomas, thanks for the feedback. We really appreciate it. We are currently in the process of reviewing our sign-up process to make it as accessible as possible, including amending the sign-up form itself.

      It is hard to get the right balance between protecting the community from SPAM and making access/signing up as easy as possible. We are working on getting that balance better.
