Dear Master Monks,
What techiques and tools do you employ when testing your wep applications for security?

I am currently researching techniques/tests for securing an application we are working on (which I think can be applied to any language, and not just Perl) and I think I have found the Top Ten most common methods of breaching security, as listed by the Open Web Application Security Project, namely:

  1. Unvalidated Input
  2. Broken Access Control
  3. Broken Authentication and Session Management
  4. Cross Site Scripting (XSS) Flaws
  5. Buffer Overflows
  6. Injection Flaws
  7. Improper Error Handling
  8. Insecure Storage
  9. Denial of Service
  10. Insecure Configuration Management

A few of my random thoughts:

There are a few techniques listed in An Introduction to Security Testing with Open Source Tools, but I am pretty sure most of you must have been involved with doing this at some stage, and could give me some pointers?

So, my parting question is, "Where do I start?"


Walking the road to enlightenment... I found a penguin and a camel on the way.....
Fancy a Just ask!!!