As some of you may know, I've spent the last two years pursuing a Master's Degree at DePaul University. As I near the end of my program, I decided to challenge myself by taking a class in an area I have limited hands-on exposure to: Software Security Assessment. Sure, I've read about XSS, SQL Injections, Session Hijacking and Stealing Cookies, but I've never actually sat down to get a complete hands-on understanding of how these exploits work. Perhaps I was a bit apprehensive of this area as it requires programming skills that I lack. Using my limited knowledge of Python as encouragement, I decided to take this challenge head on!

The class that I'm taking focuses on how to approach a software security assessment and perform the common and not-so-common assessments, including:

* Spidering the application, which is basically a download of all the application pages and code.
* Assessing client-side vulnerabilities (XSS, Session Hijacking, Stealing Cookies, XML/SOAP Injection, Rogue File Upload that can execute code)
* Assessing server-side vulnerabilities (SQL Injection, LDAP Injection, Directory Traversal, Application Authorization)

I've learned how to use proxy tools such as the Burp Suite, which allow an assessor to view all the code and parameters that are being passed as the user interacts with the application. I've performed my first manual spidering to assess all the inputs and outputs of an application and will soon be performing a full security assessment of an application from SourceForge.

Author: Nikita Reva