diff --git a/src/Umbraco.Abstractions/Security/IWebSecurity.cs b/src/Umbraco.Abstractions/Security/IWebSecurity.cs
new file mode 100644
index 0000000000..cc268b87b4
--- /dev/null
+++ b/src/Umbraco.Abstractions/Security/IWebSecurity.cs
@@ -0,0 +1,92 @@
+using Umbraco.Core;
+using Umbraco.Core.Models.Membership;
+
+namespace Umbraco.Web.Security
+{
+ public interface IWebSecurity
+ {
+ ///
+ /// Gets the current user.
+ ///
+ /// The current user.
+ IUser CurrentUser { get; }
+
+ ///
+ /// Logs a user in.
+ ///
+ /// The user Id
+ /// returns the number of seconds until their session times out
+ double PerformLogin(int userId);
+
+ ///
+ /// Clears the current login for the currently logged in user
+ ///
+ void ClearCurrentLogin();
+
+ ///
+ /// Validates credentials for a back office user
+ ///
+ ///
+ ///
+ ///
+ ///
+ /// This uses ASP.NET Identity to perform the validation
+ ///
+ bool ValidateBackOfficeCredentials(string username, string password);
+
+ ///
+ /// Gets the current user's id.
+ ///
+ ///
+ Attempt GetUserId();
+
+ ///
+ /// Returns the current user's unique session id - used to mitigate csrf attacks or any other reason to validate a request
+ ///
+ ///
+ string GetSessionId();
+
+ ///
+ /// Validates the currently logged in user and ensures they are not timed out
+ ///
+ ///
+ bool ValidateCurrentUser();
+
+ ///
+ /// Validates the current user assigned to the request and ensures the stored user data is valid
+ ///
+ /// set to true if you want exceptions to be thrown if failed
+ /// If true requires that the user is approved to be validated
+ ///
+ ValidateRequestAttempt ValidateCurrentUser(bool throwExceptions, bool requiresApproval = true);
+
+ ///
+ /// Authorizes the full request, checks for SSL and validates the current user
+ ///
+ /// set to true if you want exceptions to be thrown if failed
+ ///
+ ValidateRequestAttempt AuthorizeRequest(bool throwExceptions = false);
+
+ ///
+ /// Checks if the specified user as access to the app
+ ///
+ ///
+ ///
+ ///
+ bool UserHasSectionAccess(string section, IUser user);
+
+ ///
+ /// Checks if the specified user by username as access to the app
+ ///
+ ///
+ ///
+ ///
+ bool UserHasSectionAccess(string section, string username);
+
+ ///
+ /// Ensures that a back office user is logged in
+ ///
+ ///
+ bool IsAuthenticated();
+ }
+}
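Review bot: `PerformLogin(int userId)` is documented only as "Logs a user in", yet it takes a bare user id and no credential, so the contract should say that the caller is responsible for having authenticated that user first. Because the method now sits on a public interface in the abstractions project, any code holding an `IWebSecurity` can call it. I would add a remarks line such as `/// <remarks>Does not check credentials; call only after the user has been verified, e.g. with ValidateBackOfficeCredentials.</remarks>`. The implementation is not part of this hunk, so whether it performs any check of its own cannot be confirmed from here.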
diff --git a/src/Umbraco.Web/Security/ValidateRequestAttempt.cs b/src/Umbraco.Abstractions/Security/ValidateRequestAttempt.cs
similarity index 100%
rename from src/Umbraco.Web/Security/ValidateRequestAttempt.cs
rename to src/Umbraco.Abstractions/Security/ValidateRequestAttempt.cs
diff --git a/src/Umbraco.Tests/TestHelpers/ControllerTesting/TestControllerActivatorBase.cs b/src/Umbraco.Tests/TestHelpers/ControllerTesting/TestControllerActivatorBase.cs
index c0279e1204..e7abec5ee2 100644
--- a/src/Umbraco.Tests/TestHelpers/ControllerTesting/TestControllerActivatorBase.cs
+++ b/src/Umbraco.Tests/TestHelpers/ControllerTesting/TestControllerActivatorBase.cs
@@ -101,7 +101,7 @@ namespace Umbraco.Tests.TestHelpers.ControllerTesting
var backofficeIdentity = (UmbracoBackOfficeIdentity) owinContext.Authentication.User.Identity;
- var webSecurity = new Mock(null, null, globalSettings);
+ var webSecurity = new Mock();
//mock CurrentUser
var groups = new List();
diff --git a/src/Umbraco.Web/Editors/Filters/ContentSaveValidationAttribute.cs b/src/Umbraco.Web/Editors/Filters/ContentSaveValidationAttribute.cs
index b94d4d43bc..de84d80074 100644
--- a/src/Umbraco.Web/Editors/Filters/ContentSaveValidationAttribute.cs
+++ b/src/Umbraco.Web/Editors/Filters/ContentSaveValidationAttribute.cs
@@ -83,7 +83,7 @@ namespace Umbraco.Web.Editors.Filters
///
///
///
- private bool ValidateUserAccess(ContentItemSave contentItem, HttpActionContext actionContext, WebSecurity webSecurity)
+ private bool ValidateUserAccess(ContentItemSave contentItem, HttpActionContext actionContext, IWebSecurity webSecurity)
{
//We now need to validate that the user is allowed to be doing what they are doing.
diff --git a/src/Umbraco.Web/IUmbracoContext.cs b/src/Umbraco.Web/IUmbracoContext.cs
index 8a624a8132..a37c70dfc7 100644
--- a/src/Umbraco.Web/IUmbracoContext.cs
+++ b/src/Umbraco.Web/IUmbracoContext.cs
@@ -24,7 +24,7 @@ namespace Umbraco.Web
///
/// Gets the WebSecurity class
///
- WebSecurity Security { get; }
+ IWebSecurity Security { get; }
///
/// Gets the uri that is handled by ASP.NET after server-side rewriting took place.
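Review bot: The summary above `Security` still reads "Gets the WebSecurity class", but the property now returns `IWebSecurity`, so the comment names a concrete type that callers can no longer rely on. The same stale wording sits above `public IWebSecurity Security { get; }` in the second UmbracoContext.cs hunk. I would change both to `/// Gets the web security helper.`, which is the wording already used on the controller, handler and web-service properties touched by this commit.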
diff --git a/src/Umbraco.Web/Mvc/UmbracoController.cs b/src/Umbraco.Web/Mvc/UmbracoController.cs
index 3056a9837a..68605a9086 100644
--- a/src/Umbraco.Web/Mvc/UmbracoController.cs
+++ b/src/Umbraco.Web/Mvc/UmbracoController.cs
@@ -70,7 +70,7 @@ namespace Umbraco.Web.Mvc
///
/// Gets the web security helper.
///
- public virtual WebSecurity Security => UmbracoContext.Security;
+ public virtual IWebSecurity Security => UmbracoContext.Security;
protected UmbracoController()
: this(
diff --git a/src/Umbraco.Web/Security/WebSecurity.cs b/src/Umbraco.Web/Security/WebSecurity.cs
index 5dc6551b90..3b19fd7eb2 100644
--- a/src/Umbraco.Web/Security/WebSecurity.cs
+++ b/src/Umbraco.Web/Security/WebSecurity.cs
@@ -19,7 +19,7 @@ namespace Umbraco.Web.Security
///
/// A utility class used for dealing with USER security in Umbraco
///
- public class WebSecurity
+ public class WebSecurity : IWebSecurity
{
private readonly HttpContextBase _httpContext;
private readonly IUserService _userService;
@@ -215,7 +215,7 @@ namespace Umbraco.Web.Security
///
/// set to true if you want exceptions to be thrown if failed
///
- internal ValidateRequestAttempt AuthorizeRequest(bool throwExceptions = false)
+ public ValidateRequestAttempt AuthorizeRequest(bool throwExceptions = false)
{
// check for secure connection
if (_globalSettings.UseHttps && _httpContext.Request.IsSecureConnection == false)
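Review bot: `AuthorizeRequest` goes from `internal` to `public` with `throwExceptions` still defaulting to `false`, so a failed HTTPS or user check is presumably reported only through the returned `ValidateRequestAttempt`. A caller outside the assembly that ignores the return value would then proceed as if the request were authorized. The doc comment should spell that out, for example `/// The returned attempt must be checked; when throwExceptions is false a failed check does not stop the request.`. The method body continues past the end of this hunk, so the failure paths are inferred from the signature and the visible HTTPS check.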
@@ -232,7 +232,7 @@ namespace Umbraco.Web.Security
///
///
///
- internal virtual bool UserHasSectionAccess(string section, IUser user)
+ public virtual bool UserHasSectionAccess(string section, IUser user)
{
return user.HasSectionAccess(section);
}
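Review bot: `UserHasSectionAccess(string section, IUser user)` dereferences `user` with no null check, and this hunk makes it `public`, so external callers can now reach it with a null user and get a `NullReferenceException` from an access check. The username overload in the next hunk already tests `user == null` after its lookup, so the two overloads are inconsistent. I would add `if (user == null) return false;` as the first line of the body so that a missing user is denied access.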
@@ -243,7 +243,7 @@ namespace Umbraco.Web.Security
///
///
///
- internal bool UserHasSectionAccess(string section, string username)
+ public bool UserHasSectionAccess(string section, string username)
{
var user = _userService.GetByUsername(username);
if (user == null)
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index 6cbb4afa9a..5c226b257e 100755
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -597,7 +597,6 @@
-
True
diff --git a/src/Umbraco.Web/UmbracoContext.cs b/src/Umbraco.Web/UmbracoContext.cs
index 374b78c333..5f2f43d61f 100644
--- a/src/Umbraco.Web/UmbracoContext.cs
+++ b/src/Umbraco.Web/UmbracoContext.cs
@@ -30,7 +30,7 @@ namespace Umbraco.Web
// warn: does *not* manage setting any IUmbracoContextAccessor
internal UmbracoContext(HttpContextBase httpContext,
IPublishedSnapshotService publishedSnapshotService,
- WebSecurity webSecurity,
+ IWebSecurity webSecurity,
IUmbracoSettingsSection umbracoSettings,
IEnumerable urlProviders,
IEnumerable mediaUrlProviders,
@@ -93,7 +93,7 @@ namespace Umbraco.Web
///
/// Gets the WebSecurity class
///
- public WebSecurity Security { get; }
+ public IWebSecurity Security { get; }
///
/// Gets the uri that is handled by ASP.NET after server-side rewriting took place.
diff --git a/src/Umbraco.Web/UmbracoHttpHandler.cs b/src/Umbraco.Web/UmbracoHttpHandler.cs
index 447bdde430..27a3255edd 100644
--- a/src/Umbraco.Web/UmbracoHttpHandler.cs
+++ b/src/Umbraco.Web/UmbracoHttpHandler.cs
@@ -58,7 +58,7 @@ namespace Umbraco.Web
///
/// Gets the web security helper.
///
- public WebSecurity Security => UmbracoContextAccessor.UmbracoContext.Security;
+ public IWebSecurity Security => UmbracoContextAccessor.UmbracoContext.Security;
///
/// Gets the Url helper.
diff --git a/src/Umbraco.Web/UmbracoWebService.cs b/src/Umbraco.Web/UmbracoWebService.cs
index ed78314560..3b35dbd6c7 100644
--- a/src/Umbraco.Web/UmbracoWebService.cs
+++ b/src/Umbraco.Web/UmbracoWebService.cs
@@ -74,7 +74,7 @@ namespace Umbraco.Web
///
/// Gets the web security helper.
///
- public WebSecurity Security => UmbracoContext.Security;
+ public IWebSecurity Security => UmbracoContext.Security;
///
/// Gets the Url helper.
diff --git a/src/Umbraco.Web/WebApi/UmbracoApiControllerBase.cs b/src/Umbraco.Web/WebApi/UmbracoApiControllerBase.cs
index 9b35416def..4ac773e8c8 100644
--- a/src/Umbraco.Web/WebApi/UmbracoApiControllerBase.cs
+++ b/src/Umbraco.Web/WebApi/UmbracoApiControllerBase.cs
@@ -131,7 +131,7 @@ namespace Umbraco.Web.WebApi
///
/// Gets the web security helper.
///
- public WebSecurity Security => UmbracoContext.Security;
+ public IWebSecurity Security => UmbracoContext.Security;
///
/// Tries to get the current HttpContext.