Testing security “into” the Web service application:
Common “end-of-cycle” security testing can detect some standard application security vulnerabilities, however…
Approaching security merely as a “bug finding” exercise is inefficient and costly
It is impossible to cover all possible execution paths with testing!
[Diagram: lifecycle phases Architect, Develop, Test, Monitor; the GAP between design-time Assumptions and end-of-cycle Audits]
Need to be able to detect vulnerabilities as early as possible.
Why More Testing Does Not Help?

    // Login handler: the query text is assembled from raw request input
    String username = request.getParameter("USER");
    String password = request.getParameter("PASSWORD");
    String query = "SELECT user_id FROM Users WHERE username='" + username + "' AND password='" + password + "'";
    stmt.execute(query);   // stmt is a java.sql.Statement; no parameter binding

An attacker passes ' or 1=1 # for username (and anything, e.g. foo, for password). The query that reaches the database is:

    SELECT user_id FROM Users WHERE username='' or 1=1 # ' AND password='foo'

The # starts a MySQL comment, so the password check is discarded and the WHERE clause is true for every row: the first user_id in the table is returned without a valid credential. No amount of input testing enumerates every string that triggers this; the defect is the query construction itself.
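The slide's login query, run both as written (string concatenation) and in its parameterized form, as an added example that is not part of the original slides. It uses Python's sqlite3 against an in-memory database with constructed sample rows; SQLite is an assumption, so the payload uses SQLite's -- comment where the slide's MySQL payload uses #.

```python
"""Added example (not from the original slides): the slide's login query built
unsafely by string concatenation and safely with bound parameters, executed
against an in-memory SQLite database with constructed sample data."""
import sqlite3

# SQLite spelling of the slide's "' or 1=1 #" (the '#' comment is MySQL-only)
PAYLOAD = "' or 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not real user data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (user_id, username, password) VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Mirror of the slide's Java: query text assembled from raw input."""
    query = (
        "SELECT user_id FROM Users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: the query shape is fixed; inputs travel as bound values,
    so the quote and comment characters in the payload are just data."""
    row = conn.execute(
        "SELECT user_id FROM Users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both versions with an honest login and with the injection payload."""
    conn = make_db()
    return {
        "vuln_honest": login_vulnerable(conn, "alice", "s3cret"),   # 1
        "vuln_attack": login_vulnerable(conn, PAYLOAD, "foo"),      # 1: bypassed
        "safe_honest": login_parameterized(conn, "alice", "s3cret"),  # 1
        "safe_attack": login_parameterized(conn, PAYLOAD, "foo"),   # None
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the concatenated query becomes `SELECT user_id FROM Users WHERE username='' or 1=1 --' AND password='foo'`; everything after `--` is a comment, so the first user_id is returned with no valid credential. The parameterized version sends the same characters as a bound string and matches no row. The fix is structural (never build the query from input), which is why it belongs in the Develop phase rather than in end-of-cycle testing.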