Tommy Webber: Go for the mouth, then, the throat, his vulnerable spots!
Jason Nesmith: It’s a rock! It doesn’t have any vulnerable spots!
One of the more difficult aspects of testing system-level attributes such as security is the sheer inability to exhaustively complete the task. In the case of security, we provide evidence about the lack of vulnerabilities. Just as you cannot prove the non-existence of bugs, exhaustive security testing is both theoretically and practically impossible.
One advantage you have over an attacker is that you don’t have to fully exploit a defect in order to demonstrate its existence and fix it. Often just observing a potential vulnerability is enough to prompt a fix. Spotting the warning signs is the first step towards securing an application. If your tests do not reveal signs of trouble, you are that much more confident in your software’s security. So while many of these recipes may seem simplistic, they form a basis for noticing warning signs, if not actual vulnerabilities.
Fixing the application’s behavior is more effective than simply preventing pre-canned attacks. For instance, many penetration testers will cause a standard alert box to show up on a web page and declare a job well done—the website can be hacked! This causes confusion among developers and product managers. They ask: who cares about a stupid pop-up alert box? The answer is that the alert box is just a hint—a warning sign that a website is vulnerable ...