I gave a talk about web application security testing last year and started to write up my notes, but somehow I never quite finished them. I’m unlikely to do so in this format but thought I’d at least post the notes as they stand. Things have changed in the past year: I have a better handle on threat modeling (and Microsoft has released a couple new iterations), we’ve seen great new tools like Firebug released, the Build Security In portal was released (although I still think it’s of more interest to developers than architects, which is an okay thing), there’s been more work published on abuse/misuse cases, a new OWASP Guide was unleashed…

So on the off chance they are of value, here they are: notes for Web Application Security Testing talk.