If you like attacking web apps, you'll want to check out the new, interactive book "The Penetration Tester's Guide to Web Applications."
Don't let the sleeper title fool you. This book is actually more like a training course that makes learning fun. It's filled with relatable graphics, real-world examples and links to hands-on labs for testing hacks against the OWASP Top 10 vulnerabilities that are exploited on web apps.
"My book takes a close look at how to discover and identify each of these OWASP top ten vulnerabilities and includes real-world experiences from corporate environments," explains Serge Borso, author of the book and a SANS community instructor.
At the end of each chapter, readers can follow the link to a hands-on lab. In one chapter, for example, they can use the API key (provided) and launch a SQL injection. In another chapter, readers can access a completely different application to launch cross-site request forgery (CSRF) and account numeration attacks.
As more organizations move their business into the cloud, the need for aggressive application testing like this holds even greater importance.
"The ability to defend web apps is as relevant today as it was ten years ago," Borso adds. "Just look at the Capital One breach, where the Amazon S3 storage container for Capital One was hacked by a former employee. We actually cover that issue in our book, attacking S3 buckets, with a dedicated section in the online lab."
Even before this week's announcement of the Capital One breach, application security/secure DevOps has been heating up. The topic is important enough to make the keynote at the Black Hat Briefings next week. Respected researcher Dino Dai Zovi, security engineer at Square, titled his keynote "Every Security Team Is a Software Team Now."
Web apps are considered the most at risk and the apps most often involved in breaches, according to our most recent SANS survey on application security. In the survey, respondents said they are also challenged by finding the skills they need to secure their apps.
Writing this book seemed important to help new folks coming into the pen testing profession, Borso says. To make his point, he cites nearly 16,000 LinkedIn views in the week that he announced his book.
"My book focuses narrowly on penetration testing, while conveying the importance of acting professionally," he surmises. "It also focuses on integrating this level of pen testing within an enterprise security program."