One of the hardest things to do is build automated test cases for the security of your web application. Building test harnesses is a pain, but it needs to be done, not just to stress the web server but to check conditional branches, known classes of security flaw, and even API calls that the application exposes but never invokes from its own pages.
Selenium, specifically the Selenium IDE Firefox plug-in, helps you build test cases by recording: you walk through the scenario in your browser while the plug-in captures your actions, and it then exports them as a test case you can replay later. The good part for security work is that, as you do your security scanning, you can use it to build a number of repeatable test harnesses that look for common security flaws in your web app. There is an excellent Google Education channel talk on this right here.
With the recording plug-in in place, the harness grows over time: the tests you run most often accumulate in the repository you keep for common tests. Some tests you should always run. By adding standard checks for cross-site scripting, for CSRF, for bad API calls, for bad limit (boundary) values, and for calls that exist in the API but are never used by the actual web page, you can automate much of your security testing and hand the common tests off to the testing group.
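To make the "common tests" concrete, here is an added example (not code from the original post or from the Selenium project) of the kind of repeatable assertions such a harness runs against the HTML a browser-driven test captures. It assumes the page source has already been fetched by the recorded test (in Selenium that would be the driver's page source); here two constructed sample pages stand in for that, so the checks run offline. The probe string, the token field names and the endpoint inventory are all assumptions chosen for the example.

```python
import html
from html.parser import HTMLParser

# Assumed marker payload submitted by the recorded test; if it comes back
# byte-for-byte in the response the page reflected it without encoding.
XSS_PROBE = '<svg onload=alert(1)>'

# Assumed names of anti-CSRF hidden fields used by common frameworks.
CSRF_TOKEN_NAMES = ('csrf_token', 'csrfmiddlewaretoken', 'authenticity_token', '_token')


class PageScanner(HTMLParser):
    """Collect each form (method, action, hidden field names) and every link href."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'form':
            self._current = {'action': a.get('action') or '',
                             'method': (a.get('method') or 'get').lower(),
                             'hidden': []}
            self.forms.append(self._current)
        elif tag == 'input' and self._current is not None:
            if (a.get('type') or 'text').lower() == 'hidden':
                self._current['hidden'].append(a.get('name') or '')
        elif tag == 'a' and a.get('href'):
            self.links.append(a['href'])

    def handle_endtag(self, tag):
        if tag == 'form':
            self._current = None


def reflected_unescaped(page_html, probe=XSS_PROBE):
    """True if the probe is echoed back exactly as sent (reflected XSS candidate)."""
    return probe in page_html


def forms_missing_csrf_token(page_html):
    """Actions of POST forms that carry no recognisable anti-CSRF hidden field."""
    scanner = PageScanner()
    scanner.feed(page_html)
    return [f['action'] for f in scanner.forms
            if f['method'] == 'post'
            and not any(n.lower() in CSRF_TOKEN_NAMES for n in f['hidden'])]


def unreferenced_endpoints(known_endpoints, page_html):
    """Endpoints in the (assumed) API inventory that no form or link on the page uses."""
    scanner = PageScanner()
    scanner.feed(page_html)
    referenced = {f['action'] for f in scanner.forms} | set(scanner.links)
    return sorted(set(known_endpoints) - referenced)


def run_checks(page_html):
    """Run the common checks; an empty dict means the page passed all of them."""
    findings = {}
    if reflected_unescaped(page_html):
        findings['reflected_xss'] = XSS_PROBE
    missing = forms_missing_csrf_token(page_html)
    if missing:
        findings['csrf_unprotected_forms'] = missing
    return findings


# Constructed sample responses standing in for captured page source.
VULNERABLE_PAGE = f"""<html><body>
<p>You searched for: {XSS_PROBE}</p>
<form method="post" action="/transfer">
  <input type="text" name="amount">
  <input type="submit">
</form>
</body></html>"""

HARDENED_PAGE = f"""<html><body>
<p>You searched for: {html.escape(XSS_PROBE)}</p>
<form method="post" action="/transfer">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="amount">
  <input type="submit">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>"""

if __name__ == '__main__':
    print(run_checks(VULNERABLE_PAGE))   # reports reflected XSS and the unprotected /transfer form
    print(run_checks(HARDENED_PAGE))     # {}
    print(unreferenced_endpoints(['/transfer', '/search', '/admin/export'], HARDENED_PAGE))
```

The point of the structure is that each check is a plain function returning data rather than printing it, so the same checks can be dropped into whatever assertion style the testing group's harness uses, and a new common test is one more function added to `run_checks`.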
This is a much-needed process and tool for security engineers who do web application hacking. It is worth checking out: much of the Selenium site is not functioning today as they rebuild it, but there are tons of good videos, good tips on how to use the tool, and a great two-minute overview movie of the product.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.