Tester Question: What is a cross-site request forgery attack? How do I test our website to see if it is vulnerable to this attack?

Tester Question: What is Fuzz Testing? How can I use it to detect security flaws in my software?

Tester Question: What exactly is a Format String attack? How can I test my application for Format String vulnerabilities?

Tester Question: In your last column you mentioned threat modeling as a key activity to improve security testing. My team doesn’t do threat modeling. Is there something I can do to get the benefits of threat modeling if my team hasn’t created one?

Tester Question: My team has decided to get serious about security in the next release of our product. We've talked about penetration testing and some developers want to perform security code reviews. I've heard about threat modeling but don't really know how it can help us. What steps should we take to improve our chances of releasing a secure application? What should I be focused on as a tester?