5. Development Methodologies
• Agile with Scrum
• Capability Maturity Model Integrated (CMMI)
– 1 (Waterfall)
– 3 (Iterative)
– 5 (Spiral)
• Extreme Programming (XP)
• Object-Oriented Development
• Pair Programming With Iterative
• Proofs of Correctness with Waterfall
• Rational Unified Process (RUP)
• Team Software Process (TSP)
List from http://www.infoq.com/articles/evaluating-agile-software-methodologies
9. The OWASP Top Ten (Web)
• A1 – Injection
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards
10. The OWASP Top Ten (Mobile)
• M1 – Insecure Data Storage
• M2 – Weak Server Side Controls
• M3 – Insufficient Transport Layer Protection
• M4 – Client Side Injection
• M5 – Poor Authorization and Authentication
• M6 – Improper Session Handling
• M7 – Security Decisions Via Untrusted Inputs
• M8 – Side Channel Data Leakage
• M9 – Broken Cryptography
• M10 – Sensitive Information Disclosure
11. Prep Checklist
• What development methodologies do we follow?
• What programming languages do we use?
• What risk/security frameworks do we follow?
• What third-party libraries do we use?
• What stages in the development process require approval from the security team?
18. The SQA Process
• Initiation
• Planning
• Tracking
• Training
• Reviews
• Issue Resolution
• Testing
• Audit
• Process Improvement
List from http://www.verndale.com/Our-Thinking/9-Steps-of-the-SQA-Process.aspx
19. Positive and Negative Testing
• Positive Test Cases
– Does the app do what it’s supposed to do?
• Negative Test Cases
– Does the app do anything it’s not supposed to do?
20. Top 10 Negative Test Cases
• Embedded Single Quote
• Required Data Entry
• Field Type Test
• Field Size Test
• Numeric Bounds Test
• Numeric Limits Test
• Date Bounds Test
• Date Validity
• Web Session Testing
• Performance Changes
List from http://www.sqatester.com/methodology/Top10NegativeTestCases.htm
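Worked example, added here and not part of the original slides: a Python harness that drives several of the negative test cases above (Required Data Entry, Field Type, Field Size, Numeric Bounds, Date Validity, Date Bounds, Embedded Single Quote) against a constructed form validator and a constructed SQLite lookup. The "create user" form fields, the `users` table and the two lookup functions (one built by string concatenation, one parameterized) are assumptions chosen for illustration, not code from the cited source.

```python
import sqlite3
from datetime import date

# Constructed validator for a hypothetical "create user" form (not from the page).
# Returns a list of error strings; an empty list means the input was accepted.
def validate_user_form(form):
    errors = []
    # Required Data Entry: every field must be present and non-blank
    for field in ("username", "age", "birth_date"):
        if not str(form.get(field, "")).strip():
            errors.append(f"{field}: required")
    # Field Size Test: reject over-long usernames
    if len(form.get("username", "")) > 32:
        errors.append("username: too long")
    # Field Type Test + Numeric Bounds Test: age must be an int in 0..130
    try:
        age = int(form.get("age", ""))
        if not 0 <= age <= 130:
            errors.append("age: out of range")
    except ValueError:
        errors.append("age: not an integer")
    # Date Validity + Date Bounds Test: must parse as an ISO date and not lie in the future
    try:
        born = date.fromisoformat(form.get("birth_date", ""))
        if born > date.today():
            errors.append("birth_date: in the future")
    except ValueError:
        errors.append("birth_date: invalid date")
    return errors

def make_db():
    # Constructed in-memory table; "O'Brien" carries the embedded single quote
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("O'Brien",)])
    return conn

def lookup_unsafe(conn, username):
    # Deliberately vulnerable: string concatenation lets a quote in the input alter the SQL
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # Hardened: bound parameter, so the quote stays data
    sql = "SELECT id FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def single_quote_handled(lookup):
    # Embedded Single Quote test: a legitimate name containing ' must still be found
    conn = make_db()
    try:
        return lookup(conn, "O'Brien") == [2]
    except sqlite3.OperationalError:  # SQL syntax error: the quote broke the query
        return False

def run_negative_tests():
    good = {"username": "alice", "age": "30", "birth_date": "1990-01-01"}
    cases = {
        "required_data_entry": dict(good, username="  "),
        "field_type": dict(good, age="thirty"),
        "field_size": dict(good, username="x" * 33),
        "numeric_bounds": dict(good, age="200"),
        "date_validity": dict(good, birth_date="2020-02-30"),
        "date_bounds": dict(good, birth_date="2999-01-01"),
    }
    # True means the app rejected the bad input, i.e. the negative test passed
    results = {name: validate_user_form(form) != [] for name, form in cases.items()}
    results["positive_case"] = validate_user_form(good) == []
    results["single_quote_concat"] = single_quote_handled(lookup_unsafe)
    results["single_quote_param"] = single_quote_handled(lookup_safe)
    return results

if __name__ == "__main__":
    for name, passed in run_negative_tests().items():
        print(f"{name:22s} {'PASS' if passed else 'FAIL'}")
    # The same concatenation flaw also admits a tautology that returns every row
    print("tautology via concat:", lookup_unsafe(make_db(), "' OR '1'='1"))
```

The single-quote case is the bridge between QA and security: the concatenated lookup fails the "O'Brien" test with a syntax error, and the same defect lets the input `' OR '1'='1` return every user, which is the injection the Top Ten lists as A1. The parameterized lookup passes both.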
23. Application Scanning
• Automated scanners interact with an app like an actual user
• Production vs. Non-Production
• Authenticated vs. Non-Authenticated
• Don’t forget the app infrastructure
– Host Systems
– Web Servers
– Backend Databases
24. Manual App Analysis
• OWASP Testing Guide (v3)
– Information Gathering
– Configuration Management Testing
– Authentication Testing
– Session Management Testing
– Authorization Testing
– Business Logic Testing
– Data Validation Testing
– Testing for Denial of Service
– Web Services Testing
– AJAX Testing
• Version 4 in development (some material available)
25. Scanning vs. Pen Testing
• Scanning
– Automated
– Look for signature-based flaws
– Some heuristics
• Web App Pen Testing
– Unconventional thinking
– Test application logic
26. Web App Security Scanners
• Acunetix Web Vulnerability Scanner (WVS)
• AppScan
• Arachni
• Burp Suite
• Grendel-Scan
• QualysGuard Web Application Scanner (WAS)
• SamuraiWTF
• Veracode Web Application Security (WAS)
• W3AF
• WebInspect
• WebSecurify
29. SQA Metrics (cont’d)
• OWASP
– Cross-site scripting tests run
– SQL injection tests run
– User input tests run
– Cookie or credentials manipulation testing has been performed
– Denial of Service scenarios have been checked
• Vulnerabilities detected vs. vulnerabilities remediated
List from https://www.owasp.org/index.php/Software_Quality_Assurance#Metrics
30. Developer Training
• OWASP Resources
– Top 10 Application Security Risks
– Top 10 Mobile Security Risks
– WebGoat Project (Java)
– Mutillidae (PHP)
– Bricks (PHP and MySQL)
• SANS Courses
– SEC542: Web App Penetration Testing and Ethical Hacking
– DEV522: Defending Web Applications Security Essentials
– DEV541: Secure Coding in Java/JEE
– DEV544: Secure Coding in .NET
• Web Application Security Consortium