[WEB SECURITY] Great article outlining a core issue with many in

robert at webappsec.org robert at webappsec.org
Tue Feb 22 13:20:54 EST 2011


> *Proposed Solution – Open Test Data*
> Security people tell developers to "do input validation". Input validation
> is no news to developers. The problem is defining the data model and testing
> the input validation. We can do something important here – building
> opentestdata.org. I own the domain and dream about the following beautiful
> community effort:
>    You go to the site and can either "submit test data" or "download test
> data". On the submission page you can anonymously enter e.g. a Portuguese
> postal address, an Indian human name, a Swedish postal/zip code ... or 100
> SQL injection strings. The effort is almost zero.
>    On the download page you choose your format and download in context. "We
> have European customers so we want European human names, postal addresses,
> and phone numbers". Developers will love it. And that's where we can start
> promoting security testing!

I tried to start something similar at www.qasec.com a couple years ago but ended up removing
it as I couldn't dedicate the attention that it deserved. I think that having a repository
of QA test cases (with and without a security focus) is something that is sorely needed and would
go a long way. As is the case with any open project, finding a dedicated/qualified leader is the most
difficult aspect. If you're saying that you'll lead this effort then I'd be willing to contribute some
sample plans.

Regards,
- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
http://www.qasec.com/
