Even though this book is from 2004, the method it describes for approaching security testing is sound. The basic method is:
- Create a Threat Profile
- Identify Targets
- Identify Entry/Exit Points
- Build Models based on this data
- Associate Risks with each Target
- Determine how these risks will be tested
- Perform tests and report results
- Repeat
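One way to keep the steps above honest is to record the threat model as data and check it for consistency: every risk must point at a known target and entry point, every target needs at least one risk, every risk needs a test, and the "repeat" step is simply the list of risks whose tests have not yet passed. The block below is an added illustration written for this review, not code from the book; the application name, entry points, risk identifiers (R1..R3) and the 1-3 likelihood/impact scale are all constructed for the example.

```python
# Added illustration: a threat model kept as code so each step of the method
# (targets, entry points, risks, tests, repeat) can be checked for consistency.
# Hypothetical names (BankingApp, /login, R1...) are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EntryPoint:
    name: str
    trust_level: str        # who can reach it: anonymous, user, admin


@dataclass
class Risk:
    id: str
    target: str             # asset this threat aims at
    entry_point: str        # where the attacker comes in
    description: str
    likelihood: int         # 1 (rare) .. 3 (likely), assumed scale
    impact: int             # 1 (minor) .. 3 (severe), assumed scale

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class TestCase:
    risk_id: str
    procedure: str
    result: Optional[str] = None   # "pass", "fail", or None if not yet run


@dataclass
class ThreatModel:
    application: str
    entry_points: list = field(default_factory=list)
    targets: list = field(default_factory=list)
    risks: list = field(default_factory=list)
    tests: list = field(default_factory=list)

    def validate(self) -> list:
        """Cross-step checks: unknown targets/entry points, risks without a
        test, tests for risks that do not exist, targets nobody threatened."""
        problems = []
        ep_names = {e.name for e in self.entry_points}
        risk_ids = {r.id for r in self.risks}
        tested = {t.risk_id for t in self.tests}
        for r in self.risks:
            if r.target not in self.targets:
                problems.append(f"risk {r.id} names unknown target {r.target!r}")
            if r.entry_point not in ep_names:
                problems.append(f"risk {r.id} names unknown entry point {r.entry_point!r}")
            if r.id not in tested:
                problems.append(f"risk {r.id} has no test case")
        for t in self.tests:
            if t.risk_id not in risk_ids:
                problems.append(f"test references unknown risk {t.risk_id!r}")
        covered = {r.target for r in self.risks}
        for target in self.targets:
            if target not in covered:
                problems.append(f"target {target!r} has no associated risk")
        return problems

    def test_plan(self) -> list:
        """(risk id, score, procedure) tuples, highest-scoring risk first."""
        by_id = {r.id: r for r in self.risks}
        plan = [(t.risk_id, by_id[t.risk_id].score(), t.procedure)
                for t in self.tests if t.risk_id in by_id]
        return sorted(plan, key=lambda item: -item[1])

    def open_items(self) -> list:
        """The 'repeat' step: risks with no test, or whose test did not pass."""
        latest = {t.risk_id: t.result for t in self.tests}
        return [r.id for r in sorted(self.risks, key=lambda r: -r.score())
                if latest.get(r.id) != "pass"]


def build_example_model() -> ThreatModel:
    """Constructed sample model for a hypothetical online banking application."""
    return ThreatModel(
        application="BankingApp (hypothetical)",
        entry_points=[EntryPoint("HTTPS /login", "anonymous"),
                      EntryPoint("HTTPS /transfer", "user"),
                      EntryPoint("admin console", "admin")],
        targets=["customer credentials", "account balances",
                 "audit log", "session tokens"],
        risks=[Risk("R1", "customer credentials", "HTTPS /login",
                    "credential stuffing against the login form", 3, 3),
               Risk("R2", "account balances", "HTTPS /transfer",
                    "transfer from another customer's account by changing the account id", 2, 3),
               Risk("R3", "audit log", "admin console",
                    "administrator deletes audit records to hide activity", 1, 3)],
        tests=[TestCase("R1", "replay 1000 leaked credential pairs; expect lockout or rate limiting", "pass"),
               TestCase("R2", "submit a transfer whose source account belongs to another user", "fail")],
    )


if __name__ == "__main__":
    model = build_example_model()
    for problem in model.validate():
        print("model gap:", problem)
    for risk_id, score, procedure in model.test_plan():
        print(f"{risk_id} (score {score}): {procedure}")
    print("still open:", model.open_items())
```

Running it reports that R3 has no test and that "session tokens" was listed as a target but never threatened, orders the plan R1 before R2, and leaves R2 and R3 as the open items for the next iteration. The numeric scale and the check rules are choices made for this example; the book's own rating scheme is what you would substitute in practice.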
This book is an easy read, and little technical knowledge is required to understand the concepts presented, which keeps it technology-agnostic. However, you will need a bit more technical skill to perform some of the analysis and testing that is described. The examples are helpful and provide a good guide on how to document the models.
I would recommend this book to anyone responsible for building, testing or securing an application.