SlideShare una empresa de Scribd logo

Security Testing for Testing Professionals

T
TechWell

Today’s software applications are often security-critical, making security testing an essential part of a software quality program. Unfortunately, most testers have not been taught how to effectively test the security of the software applications they validate. Join Jeff Payne as he shares what you need to know to integrate effective security testing into your everyday software testing activities. Learn how software vulnerabilities are introduced into code and exploited by hackers. Discover how to define and validate security requirements. Explore effective test techniques for assuring that common security features are tested. Learn about the most common security vulnerabilities and how to identify key security risks within applications and use testing to mitigate them. Understand how to security test applications—both web- and GUI-based—during the software development process. Review examples of how common security testing tools work and assist the security testing process. Take home valuable tools and techniques for effectively testing the security of your applications going forward.

Tecnología
1 de 30
Descargar para leer sin conexión
TE AM Tutorial 4/30/13 8:30AM Security Testing for Testing Professionals Presented by: Jeff Payne Coveros, Inc. Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073 888-268-8770 ∙ 904-278-0524 ∙ sqeinfo@sqe.com ∙ www.sqe.com
Jeff Payne Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and testified before Congress on issues of national importance, including intellectual property rights, cyberterrorism, and software quality.
9/5/2012 Security Testing for Test Professionals © Copyright 2011 Coveros, Inc.. All rights reserved. 1 About Coveros Coveros helps organizations accelerate the delivery of secure, reliable software Our consulting services: – – – – Agile software development Application security Software quality assurance Software process improvement Corporate Partners Our key markets: – – – – Financial services Healthcare Defense Critical Infrastructure © Copyright 2011 Coveros, Inc.. All rights reserved. 2 1
9/5/2012 Agenda Introduction to Security Testing Security Testing Framework Appropriate Security Testing Tools Wrap up © Copyright 2011 Coveros, Inc.. All rights reserved. 3 Trainer Jeffery Payne Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, Software research funding, and software quality. © Copyright 2011 Coveros, Inc.. All rights reserved. 4 2
9/5/2012 Expectations What are your expectations for this tutorial? What do you wish to learn? What questions do you want answered? © Copyright 2011 Coveros, Inc.. All rights reserved. 5 Introduction to Security Testing © Copyright 2011 Coveros, Inc.. All rights reserved. 6 3
9/5/2012 What is Information Security? When you hear the term “Information Security” and “Security Testing”: What do you think they mean? What comes to mine? © Copyright 2011 Coveros, Inc.. All rights reserved. 7 What is Information Security? Definition of Information Security Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The key concepts of Information Security include: – – – – – Confidentiality Integrity Availability Authenticity Non-Repudiation © Copyright 2011 Coveros, Inc.. All rights reserved. 8 4
9/5/2012 The Software Security Problem Our IT systems are not castles any longer! © Copyright 2011 Coveros, Inc.. All rights reserved. 9 Understanding Risk How to Define Security Risk in Software Common Security Nomenclature – Risk: a possible future event which, if it occurs, will lead to an undesirable outcome – Threat: A potential cause of an undesirable outcome – Vulnerability: Any weakness, administrative process, or act of physical exposure that makes an information asset susceptible to exploit by a threat. – An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic. © Copyright 2011 Coveros, Inc.. All rights reserved. 10 5
9/5/2012 Security Testing What? How? Security Testing is testing used to determine whether an information system protects its data from its threats. Security Testing is not a silver bullet for your enterprise security. Security Testing doesn’t fix your security, it only makes you aware of it. Security must be built into your software A sound Security Testing process performs testing activities: – – – – – Before development begins During requirements definition and software design During implementation During deployment During maintenance and operations © Copyright 2011 Coveros, Inc.. All rights reserved. 11 Security Testing Framework © Copyright 2011 Coveros, Inc.. All rights reserved. 12 6
9/5/2012 Security testing before development begins Overview “Testing” before development begins is really a QA function to assess the readiness of the organization to build secure software applications. Always remember that security testing evaluates the security posture of your applications, it does not build security in. Irrespective of your findings, do not become the “quality police”. © Copyright 2011 Coveros, Inc.. All rights reserved. 13 Security testing before development begins Review Security Policies and Standards Understand the policies and standards that have been adopted by the organization and their relationship to software security Examples: – – – – Privacy policies regarding your customer data Service level agreements with clients IT security standards you must adhere to PCI compliance activities for credit card transactions Your goal is to understand these policies and standards to the level that will allow you to validate security requirements and effectively test the end product against them © Copyright 2011 Coveros, Inc.. All rights reserved. 14 7
9/5/2012 Security testing before development begins Review Secure Software Development Lifecycle If the security of your software is an enterprise concern, the development team should be adhering to a defined secure software development lifecycle model. – Defines development activities that builds security in – Defines security testing activities performed by appropriate parties (development, testing, security org, operations, etc.) Common secure software development models – Microsoft’s Secure Development Lifecycle (SDL) – Coveros SecureAgile process – There are others as well Secure software standards – Secure coding standard © Copyright 2011 Coveros, Inc.. All rights reserved. 15 Security testing during definition and design Overview Testing activities during requirements definition and software design focus on assuring that security has been effectively integrated into software requirements and the overall architecture and design of the product Typical activities include: – – – – Security requirements development/validation Architecture and design reviews Threat modeling Test strategy and planning © Copyright 2011 Coveros, Inc.. All rights reserved. 16 8
9/5/2012 Security testing during definition and design What is a Security Requirement? Security Requirements describe functional and nonfunctional requirements that need to be satisfied in order to achieve the security attributes of an IT system or application. What does that mean? Security Requirements are formulated at different levels of abstraction and provide how the system should act, and what should not happen. The major difference you may notice is the use of “negative requirements”. We stop thinking about what the application should do and start thinking about how we can get it to do something it was never intended to. © Copyright 2011 Coveros, Inc.. All rights reserved. 17 Functional Requirements Your Standard Definition Functional Requirements: These are statements of services the system should provide, how the system should react to particular inputs and how the system should behave in particular situations. In some cases, the functional requirements may also have explicitly state what the system should not do. Where does the Security fit in? Each Functional Security Requirement utilizes uses case and misuse cases. These requirements reflect potential threats to the system. © Copyright 2011 Coveros, Inc.. All rights reserved. 18 9
9/5/2012 Exercise Functional Security Requirements Break into teams of 2-3 people. Each team will identify potential misuse cases with the following security requirement, if any exist. If a misuse case is identified, write a replacement or additional functional requirement(s). – It would be best to make sure no misuse cases can be derived from your new requirement(s). Exercise Time Limit: 15 Minutes © Copyright 2011 Coveros, Inc.. All rights reserved. 19 Exercise Functional Security Requirement SecureChat Authentication Requirements – When a user attempts to authenticate with a valid username and an invalid password, the application shall not authenticate the user and return them to the authentication page. – The system must alert the user that their attempt to authenticate has failed due to an incorrect password (“Invalid Password”) utilizing the standard error text formatting. – When a user attempts to authenticate with a invalid username, the application shall not authenticate the user and return them to the authentication page. – The system must alert the user that their attempt to authenticate has failed due to an incorrect username (“Invalid Username”) utilizing the standard error text formatting. – What a user attempts to authenticate using a username and a valid password, the application shall authenticate the user and redirect them to the homepage. © Copyright 2011 Coveros, Inc.. All rights reserved. 20 10
9/5/2012 Exercise Functional Security Requirements Discussion How could an attacker attempt to thwart the system? What are the core information security concepts we should be concerned with? What issues exist with the current requirements? How would you fix the current requirements? © Copyright 2011 Coveros, Inc.. All rights reserved. 21 Exercise Formal Authentication Use/Misuse Case Artifact Enter username and password Threatens SecureChat User User authentication Brute Force Attack Mitigates Show generic error message Guess User Accounts Mitigates Lock account after N failed login attempts SecureChat Server Hacker Mitigates Dictionary Attacks Mitigates Validate password minimum length and complexity © Copyright 2011 Coveros, Inc.. All rights reserved. 22 11
9/5/2012 Non-Functional Requirements Your Standard Definition Non-Functional Requirements: These are constraints on the services or functions offered by the system. They include timing constraints, constraints on the development process and standards. Non-functional requirements often apply to the system as a whole. They do not usually just apply to individual system features or services. Where does the Security fit in? These are security related architectural requirements, like "robustness" or "minimal performance and scalability". This requirement type is typically derived from architectural principals and good practice standards. They could also be required activities during development like “coding guidelines”, “data classification” and “test methodology”. © Copyright 2011 Coveros, Inc.. All rights reserved. 23 Non-Functional Requirements Examples SecureChat shall ensure that data is protected from unauthorized access at all times. SecureChat shall have an availability of 99.9%. SecureChat shall process a minimum of 8 transactions per second. Each SecureChat build must undergo static-analysis prior to release. All external communications between the application and the SecureChat central servers must be encrypted. © Copyright 2011 Coveros, Inc.. All rights reserved. 24 12
9/5/2012 Security testing during definition and design Architectural and Design Reviews Architectural and design reviews focus on determining whether the stated architecture / design enforces the appropriate level of security as defined in the requirements. Typically performed by security architects and/or other software leads within the organization. Examines these artifacts for flaws such as: – Violation of trust boundaries – Distributed control of authorization – Custom algorithms for cryptography / random number generation © Copyright 2011 Coveros, Inc.. All rights reserved. 25 Security testing during definition and design Assessing your risk – Answers the ‘so what?’ question Identifying threats and flaws in your design only result in better security if the flaws are mitigated to minimize the threat. But at what cost to the organization? What benefit? How do you convince management to fund mitigation efforts? © Copyright 2011 Coveros, Inc.. All rights reserved. 26 13
9/5/2012 Security testing during definition and design Threat modeling / risk assessment Threat modeling – a process by which any threats to a piece of software are identified and mitigated A variety of approaches exist for doing threat modeling Microsoft STRIDE model – – – – Diagram your system – high level dataflow diagrams Identify threats – each type of entity/interaction has enemies Mitigate threats – determine security controls Validate mitigations – test effectiveness of these controls The basis for comprehensive security testing © Copyright 2011 Coveros, Inc.. All rights reserved. 27 Security testing during definition and design Risk Assessments Information on architectural flaws and known threats from our threat model are often combined together to estimate the likelihood and consequence of a flaw resulting in significant business impact Highly Likely Likely Unlikely Business-critical High priority Priority Priority Business concern High priority Priority Not a Priority Minor or cosmetic Not a Priority Not a Priority Not a Priority © Copyright 2011 Coveros, Inc.. All rights reserved. 28 14
9/5/2012 Exercise Risk Assessment Your company, SecureTelco, has developed an instant messaging program to be used for private use in customers homes and for companies and government agencies. SecureChat requires users to sign up with an account prior to using the system. After authenticating with a username and password, each user can message other users and expect their conversations to be private. Users have the ability to add/remove friends from their contact list, search for friends based on their email, block users from IMing them, become “invisible” to all users on demand. Messages archives and activities logs document user behavior and can be retrieved by the user or a SecreTelco Administrator through the application or by the administrative console, respectively. © Copyright 2011 Coveros, Inc.. All rights reserved. 29 Exercise Risk Assessment Highly Likely Likely Unlikely Business-critical High priority Priority Priority Business concern High priority Priority Not a Priority Minor or cosmetic Not a Priority Not a Priority Not a Priority © Copyright 2011 Coveros, Inc.. All rights reserved. 30 15
9/5/2012 Exercise Risk Assessment Discussion What threats exist for this application? What features, if implemented incorrectly, provide a threat with an opportunity and how big would it be? What would be your business justification for correcting these issues? © Copyright 2011 Coveros, Inc.. All rights reserved. 31 Test strategy and planning Overview A security test strategy should include the inputs to the individual test plans and test plans that include: – A specification of what types of tests should be performed, – A specification of which what point in the delivery process should they be performed, – What the expected output of each test plan is. The extent of your strategy obviously depends on the scale of the project you're running, but much of this content is reusable in smaller more focused projects or in more agile security engineering programs. © Copyright 2011 Coveros, Inc.. All rights reserved. 32 16
9/5/2012 Developing a security test plan What should be included? Describe and detail your process and procedures for security testing – – – – When should testing begin? How are test results reported? Who validates and verifies findings/results? When are vulnerabilities addressed? Types of tests you should include in your test plan: – – – – Security Feature Testing Risk Based Testing of functional and non-functional requirements Internal Penetration Tests External (Independent) Penetration Tests © Copyright 2011 Coveros, Inc.. All rights reserved. 33 Integrating security requirements in test plans Know your Security Requirements It is important that each tester understand the security requirements for your application and what they imply. Often Security requirements may come in conflict with another type of requirement. If there are conflicts, it is important that you identify those concerns and the requirements are clarified by a Business Analyst. In most organizations, security requirements are not well defined if it all. A general rule of thumb: Make sure your core information security concepts are all covered. If not, request that they are. Understand which security requirements are functional and which are non-functional, this will have an impact how you plan to test them. © Copyright 2011 Coveros, Inc.. All rights reserved. 34 17
9/5/2012 Integrating security requirements in test plans Testing Security Requirements Feature testing covers positive security requirements. This typically ensures the software behaves according to customer expectations. Example – If security requirements state that the length of any user input must be validated, then a feature test suite should be created to exercise the application inputs and verify that this requirement is implemented correctly. Testers should also cover negative security testing or RiskDriven testing. Each test is intended to probe for a specific risk or vulnerability. These risk may have been identified during your risk assessment. Example – Cross Site Scripting and SQL Injection; These vulnerabilities are not obviously features of the application, therefore the fall under the negative security requirements umbrella. © Copyright 2011 Coveros, Inc.. All rights reserved. 35 Security testing during implementation Overview Testing activities during implementation focus on assuring that the software is implemented properly according to its requirements and design Key activities during implementation include: – Secure code review – identifying security vulnerabilities in source code – Testing individual components/features for security – Testing requirements at the appropriate level © Copyright 2011 Coveros, Inc.. All rights reserved. 36 18
9/5/2012 Security testing during implementation Secure code review Secure code review identifies vulnerabilities within source code that potentially impact system security. Examples – Buffer overflows – Race conditions Secure code review is a combination of manual and automated analysis – Tool providers: HP Fortify, IBM Ounce, Coverity Secure code review is typically done by developers or a dedicated security team © Copyright 2011 Coveros, Inc.. All rights reserved. 37 Security testing during implementation Testing components and features The testing of components and individual features will identify code that improperly implements functionality against its requirements. While some feature testing has historically been done at the system level, more and more of this type of testing today is done on individual units / stories by either a developer or code savvy test engineer. Review of tests performed at this level should look for common gaps that lead to security issues: – Inadequate testing of error handling routines – Insufficient protection during system reboot – Forgetting to test administrative capabilities © Copyright 2011 Coveros, Inc.. All rights reserved. 38 19
9/5/2012 Security testing during implementation Testing common security controls Due to the security-critical nature of many of our applications, it is common to see the following security controls implemented within our software. Each must be validated in order to work! Authentication & Access Control Input Validation & Encoding Encryption User and Session Management Error and Exception Handling Auditing and Logging © Copyright 2011 Coveros, Inc.. All rights reserved. 39 Common Approaches to Authentication All About Authentication When we refer to authentication in computer security, we refer to the process of attempting to verify the digital identity of the sender of a communication. – A common example of such a process it the login process. – Authentication always depends upon using one or more authentication factors. Testing authentication schemas means understanding how the process works and using that information to circumvent the authentication mechanism. © Copyright 2011 Coveros, Inc.. All rights reserved. 40 20
9/5/2012 Common Approaches to Authentication Authentication Testing Schemas Credentials transport over an encrypted channel – The tester must try to understand if the data inputted by the user is transmitted using secure protocols that protect them from an attacker or not. Testing for user enumeration – The tester must verify if it is possible to collect a set of valid users by interacting with the authentication mechanism of the application. This will become useful for brute force testing. Testing for guessable (dictionary) user accounts – The tester must validate that there are no default user accounts or guessable username/password combinations Brute force testing – When dictionary attacks don’t succeed, the tester can attempt brute force methods to gain access. This is not often easy to accomplish because of time constraints. © Copyright 2011 Coveros, Inc.. All rights reserved. 41 Common Approaches to Authentication Authentication Testing Schemas (cont.) Testing for bypassing authentication schema – The tester must validate that other application resources are adequately protected, and can’t be used to bypass authentication using those other resources. Testing for vulnerable remember password and password reset features – The tester must analyze how the application manages the process of “password resets”. The tester must all check whether the application allows the user to store passwords in the browser. Testing for logout and browser cache management – The tester must check that the logout and caching functions are properly implemented. © Copyright 2011 Coveros, Inc.. All rights reserved. 42 21
9/5/2012 Common Approaches to Authentication Authentication Testing Schemas (cont.) Testing for CAPTCHA – Used by many applications to ensure the response is not generated by a computer, CAPTCHA (“Completely Automated Public Trust test to tell Computers and Humans Apart”) implementations are often vulnerable to various kinds of attacks. Testing multiple factor authentication – The tester must test the following scenarios: One Time Password Generator Tokens Crypto devices like USB tokens or smart cards X.509 Certificates Random OTP sent via SMS Testing for race conditions – The tester must ensure that an unexpected result on a multithread application doesn’t create an authentication flaw. By their nature, Race Conditions are difficult to test for © Copyright 2011 Coveros, Inc.. All rights reserved. 43 Common Approaches to Authentication Authentication Testing Schemas (cont.) Testing for session management schema – The tester must test the security of a session tokens issues to the client browser: How to reverse engineer a cookie How to manipulate cookies to hijack a session Testing for cookie attributes – The tester must check if an application can take the necessary precautions when assigning cookies and test the cookie attributes. Testing for session fixation – The tester must validate that an application renews the cookie after a successful user authentication, so that an attacker could not utilize a session fixation vulnerability. © Copyright 2011 Coveros, Inc.. All rights reserved. 44 22
9/5/2012 Common Approaches to Authentication Authentication Testing Schemas (cont.) Testing for exposed session variables – The tester must validate that it is not possible to create a replay session attack utilizing exposed session information. Testing for CSRF (Cross Site Request Forgery) – The tester must ensure that there is not a way to force an unknowing user to execute unwanted actions on a web application they are authenticated on. © Copyright 2011 Coveros, Inc.. All rights reserved. 45 Security testing during implementation Risk-based Testing Risk-based Testing focuses on testing that the risks identified during threat modeling and design reviews were properly mitigated in the code Define negative tests that validate these issues have been mitigated. Perform these tests at whatever level is appropriate to identify any remaining vulnerabilities. © Copyright 2011 Coveros, Inc.. All rights reserved. 46 23
9/5/2012 Security testing during implementation Integration and Systems Testing Testing non-functional security requirements that span features within the system Includes Web Application Security testing of any web-based interfaces Often includes Penetration Testing type activities to “test like a hacker” – – – – Fuzzing Password crackers Network port scanners Dynamic input strings © Copyright 2011 Coveros, Inc.. All rights reserved. 47 Security testing during deployment Overview Testing during the deployment process focuses on those tests that cannot be adequately completed within a development/QA environment plus any third party IV&V – Penetration testing – Load and performance testing (for availability) – Configuration testing Penetration testing is typically done by a team of security experts © Copyright 2011 Coveros, Inc.. All rights reserved. 48 24
9/5/2012 Security testing during maintenance / support Overview Testing during maintenance and support focuses on: – Assuring that any identified vulnerabilities within the application, supporting software, or network configuration are patched and revalidated © Copyright 2011 Coveros, Inc.. All rights reserved. 49 © Copyright 2011 Coveros, Inc.. All rights reserved. 50 Supporting tools 25
9/5/2012 Tools to Support Security Testing Secure Code Scanners Where to use? – Analyze source code for inherent vulnerabilities and/or compliance with secure coding standards Free Tools – – – – FxCop FindBugs RATS clang Paid Tools – HP Fortify – IBM Ounce – Coverity © Copyright 2011 Coveros, Inc.. All rights reserved. 51 Tools to Support Security Testing Web Application Scanners Where to use? – Looking for XSS, Injection and input validation vulnerabilities; some tools will attempt to actively exploit vulnerabilities. Free Tools – – – – – Nikto W3af Paros Skipfish wfuzz Paid Tools – Netsparker – WebSecurify © Copyright 2011 Coveros, Inc.. All rights reserved. 52 26
9/5/2012 Tools to Support Security Testing Password Crackers/Brute Force Tools Where to use? – When you want to break the default credentials or test your authentication mechanisms against common security tools. Free Tools – THC Hydra – Cain and Abel – Wfuzz Paid Tools – John the Ripper © Copyright 2011 Coveros, Inc.. All rights reserved. 53 Tools to Support Security Testing Network Security Tools Where to use? – Scanning for mis-configurations – Testing for OS, application and network vulnerabilities Free Tools – OpenVAS Paid Tools – Nessus – Core Impact © Copyright 2011 Coveros, Inc.. All rights reserved. 54 27
9/5/2012 Questions? Contact Information: Jeffery Payne Jeff.payne@coveros.com 703.431.2920 © Copyright 2011 Coveros, Inc.. All rights reserved. 55 28

Recomendados

Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
TechWell
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
TechWell
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
TechWell
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
TechWell
 
Key Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales PresentationKey Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales Presentation
rfragola
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
Marco Morana
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
Eric Vétillard
 
Intel HIMSS WoHIT mhealth
Intel HIMSS WoHIT mhealthIntel HIMSS WoHIT mhealth
Intel HIMSS WoHIT mhealth
rcnossen
 

Recomendados

Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
TechWell
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
TechWell
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
TechWell
 
Security Testing for Testing Professionals
Security Testing for Testing ProfessionalsSecurity Testing for Testing Professionals
Security Testing for Testing Professionals
TechWell
 
Key Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales PresentationKey Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales Presentation
rfragola
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
Marco Morana
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
Eric Vétillard
 
Intel HIMSS WoHIT mhealth
Intel HIMSS WoHIT mhealthIntel HIMSS WoHIT mhealth
Intel HIMSS WoHIT mhealth
rcnossen
 
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
IJMIT JOURNAL
 
Designing your applications with a security twist 2007
Designing your applications with a security twist 2007Designing your applications with a security twist 2007
Designing your applications with a security twist 2007
Blue Slate Solutions
 
Top 10 tips for effective SOC/NOC collaboration or integration
Top 10 tips for effective SOC/NOC collaboration or integrationTop 10 tips for effective SOC/NOC collaboration or integration
Top 10 tips for effective SOC/NOC collaboration or integration
Sridhar Karnam
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
ankitmehta21
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Falgun Rathod
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
Key Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The ExpertsKey Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The Experts
Tripwire
 
Common 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To ComplianceCommon 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To Compliance
imigrnt
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Sounil Yu
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
Jack Mannino
 
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENTESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ijesajournal
 
Cyber security innovation_imho v4
Cyber security innovation_imho v4Cyber security innovation_imho v4
Cyber security innovation_imho v4
W Fred Seigneur
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
Denim Group
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data Breach
Anchises Moraes
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
Atlantic Security Conference
 
PAS: Leveraging IT/OT - Convergence and Developing Effective OT Cybersecurity
PAS: Leveraging IT/OT - Convergence and Developing Effective OT CybersecurityPAS: Leveraging IT/OT - Convergence and Developing Effective OT Cybersecurity
PAS: Leveraging IT/OT - Convergence and Developing Effective OT Cybersecurity
Mighty Guides, Inc.
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
Michael Davis
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
South Tyrol Free Software Conference
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 
Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-InHybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
TechWell
 
Building Quality In
Building Quality InBuilding Quality In
Building Quality In
TechWell
 

Más contenido relacionado

La actualidad más candente

Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
ankitmehta21
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENTESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ijesajournal
 
Cyber security innovation_imho v4
Cyber security innovation_imho v4Cyber security innovation_imho v4
Cyber security innovation_imho v4
W Fred Seigneur
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data Breach
Anchises Moraes
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 

La actualidad más candente (20)

ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
 
Designing your applications with a security twist 2007
Designing your applications with a security twist 2007Designing your applications with a security twist 2007
Designing your applications with a security twist 2007
 
Top 10 tips for effective SOC/NOC collaboration or integration
Top 10 tips for effective SOC/NOC collaboration or integrationTop 10 tips for effective SOC/NOC collaboration or integration
Top 10 tips for effective SOC/NOC collaboration or integration
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Key Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The ExpertsKey Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The Experts
 
Common 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To ComplianceCommon 2009 Getting Started On The Road To Compliance
Common 2009 Getting Started On The Road To Compliance
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENTESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
 
Cyber security innovation_imho v4
Cyber security innovation_imho v4Cyber security innovation_imho v4
Cyber security innovation_imho v4
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data Breach
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
PAS: Leveraging IT/OT - Convergence and Developing Effective OT Cybersecurity
PAS: Leveraging IT/OT - Convergence and Developing Effective OT CybersecurityPAS: Leveraging IT/OT - Convergence and Developing Effective OT Cybersecurity
PAS: Leveraging IT/OT - Convergence and Developing Effective OT Cybersecurity
 
Applicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit ProgramApplicaiton Security - Building The Audit Program
Applicaiton Security - Building The Audit Program
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply ChainSFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 

Destacado

Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-InHybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
TechWell
 
Building Quality In
Building Quality InBuilding Quality In
Building Quality In
TechWell
 
Distributed Agile Testing: Yes, You Can
Distributed Agile Testing: Yes, You CanDistributed Agile Testing: Yes, You Can
Distributed Agile Testing: Yes, You Can
TechWell
 
Reports of the Death of Testing Have Been Greatly Exaggerated
Reports of the Death of Testing Have Been Greatly ExaggeratedReports of the Death of Testing Have Been Greatly Exaggerated
Reports of the Death of Testing Have Been Greatly Exaggerated
TechWell
 
Cutting-edge Performance Testing on eCommerce Websites
Cutting-edge Performance Testing on eCommerce WebsitesCutting-edge Performance Testing on eCommerce Websites
Cutting-edge Performance Testing on eCommerce Websites
TechWell
 
The Challenges of BIG Testing: Automation, Virtualization, Outsourcing, and More
The Challenges of BIG Testing: Automation, Virtualization, Outsourcing, and MoreThe Challenges of BIG Testing: Automation, Virtualization, Outsourcing, and More
The Challenges of BIG Testing: Automation, Virtualization, Outsourcing, and More
TechWell
 
Rob Sabourin: On Testing
Rob Sabourin: On TestingRob Sabourin: On Testing
Rob Sabourin: On Testing
TechWell
 
The Agile Tester’s Mindset
The Agile Tester’s MindsetThe Agile Tester’s Mindset
The Agile Tester’s Mindset
TechWell
 
Creative Techniques for Discovering Test Ideas
Creative Techniques for Discovering Test IdeasCreative Techniques for Discovering Test Ideas
Creative Techniques for Discovering Test Ideas
TechWell
 
Building a Team Backlog: The Power of Retrospectives
Building a Team Backlog: The Power of RetrospectivesBuilding a Team Backlog: The Power of Retrospectives
Building a Team Backlog: The Power of Retrospectives
TechWell
 
Seven Deadly Habits of Dysfunctional Software Managers
Seven Deadly Habits of Dysfunctional Software ManagersSeven Deadly Habits of Dysfunctional Software Managers
Seven Deadly Habits of Dysfunctional Software Managers
TechWell
 
Building Hyperproductive Agile Teams: Leveraging What Science Knows
Building Hyperproductive Agile Teams: Leveraging What Science KnowsBuilding Hyperproductive Agile Teams: Leveraging What Science Knows
Building Hyperproductive Agile Teams: Leveraging What Science Knows
TechWell
 
Team Leadership: Telling Your Testing Stories
Team Leadership: Telling Your Testing StoriesTeam Leadership: Telling Your Testing Stories
Team Leadership: Telling Your Testing Stories
TechWell
 

Destacado (14)

Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-InHybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In
 
Building Quality In
Building Quality InBuilding Quality In
Building Quality In
 
Distributed Agile Testing: Yes, You Can
Distributed Agile Testing: Yes, You CanDistributed Agile Testing: Yes, You Can
Distributed Agile Testing: Yes, You Can
 
Reports of the Death of Testing Have Been Greatly Exaggerated
Reports of the Death of Testing Have Been Greatly ExaggeratedReports of the Death of Testing Have Been Greatly Exaggerated
Reports of the Death of Testing Have Been Greatly Exaggerated
 
Cutting-edge Performance Testing on eCommerce Websites
Cutting-edge Performance Testing on eCommerce WebsitesCutting-edge Performance Testing on eCommerce Websites
Cutting-edge Performance Testing on eCommerce Websites
 
The Challenges of BIG Testing: Automation, Virtualization, Outsourcing, and More
The Challenges of BIG Testing: Automation, Virtualization, Outsourcing, and MoreThe Challenges of BIG Testing: Automation, Virtualization, Outsourcing, and More
The Challenges of BIG Testing: Automation, Virtualization, Outsourcing, and More
 
Rob Sabourin: On Testing
Rob Sabourin: On TestingRob Sabourin: On Testing
Rob Sabourin: On Testing
 
The Agile Tester’s Mindset
The Agile Tester’s MindsetThe Agile Tester’s Mindset
The Agile Tester’s Mindset
 
Creative Techniques for Discovering Test Ideas
Creative Techniques for Discovering Test IdeasCreative Techniques for Discovering Test Ideas
Creative Techniques for Discovering Test Ideas
 
Building a Team Backlog: The Power of Retrospectives
Building a Team Backlog: The Power of RetrospectivesBuilding a Team Backlog: The Power of Retrospectives
Building a Team Backlog: The Power of Retrospectives
 
Seven Deadly Habits of Dysfunctional Software Managers
Seven Deadly Habits of Dysfunctional Software ManagersSeven Deadly Habits of Dysfunctional Software Managers
Seven Deadly Habits of Dysfunctional Software Managers
 
Building Hyperproductive Agile Teams: Leveraging What Science Knows
Building Hyperproductive Agile Teams: Leveraging What Science KnowsBuilding Hyperproductive Agile Teams: Leveraging What Science Knows
Building Hyperproductive Agile Teams: Leveraging What Science Knows
 
W18
W18W18
W18
 
Team Leadership: Telling Your Testing Stories
Team Leadership: Telling Your Testing StoriesTeam Leadership: Telling Your Testing Stories
Team Leadership: Telling Your Testing Stories
 

Similar a Security Testing for Testing Professionals

Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
TechWell
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
TechWell
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
TechWell
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
 
Mobile Applications Testing: From Concepts to Practice
Mobile Applications Testing: From Concepts to PracticeMobile Applications Testing: From Concepts to Practice
Mobile Applications Testing: From Concepts to Practice
TechWell
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩
baoyin
 
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares theCriterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
CruzIbarra161
 
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docxCMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
clarebernice
 

Similar a Security Testing for Testing Professionals (20)

Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Security is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White PaperSecurity is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White Paper
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
 
JavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for JavaJavaOne2013: Secure Engineering Practices for Java
JavaOne2013: Secure Engineering Practices for Java
 
Mobile Applications Testing: From Concepts to Practice
Mobile Applications Testing: From Concepts to PracticeMobile Applications Testing: From Concepts to Practice
Mobile Applications Testing: From Concepts to Practice
 
Secure Engineering Practices for Java
Secure Engineering Practices for JavaSecure Engineering Practices for Java
Secure Engineering Practices for Java
 
六合彩香港-六合彩
六合彩香港-六合彩六合彩香港-六合彩
六合彩香港-六合彩
 
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdfCisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
Cisco_eBook_ShiftLeftSecurity_2022_06_07a.pdf
 
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares theCriterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
Criterion 1A - 4 - MasteryPros and Cons Thoroughly compares the
 
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docxCMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
 
Information security software security presentation.pptx
Information security software security presentation.pptxInformation security software security presentation.pptx
Information security software security presentation.pptx
 
Selecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuideSelecting an App Security Testing Partner: An eGuide
Selecting an App Security Testing Partner: An eGuide
 
Procuring an Application Security Testing Partner
Procuring an Application Security Testing PartnerProcuring an Application Security Testing Partner
Procuring an Application Security Testing Partner
 
Introduction to Application Security Testing
Introduction to Application Security TestingIntroduction to Application Security Testing
Introduction to Application Security Testing
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resources
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
 
CMIT 321 EXECUTIVE PROPOSAL PROJECT
CMIT 321 EXECUTIVE PROPOSAL PROJECTCMIT 321 EXECUTIVE PROPOSAL PROJECT
CMIT 321 EXECUTIVE PROPOSAL PROJECT
 
Security Testing In The Secured World
Security Testing In The Secured WorldSecurity Testing In The Secured World
Security Testing In The Secured World
 

Más de TechWell

Failing and Recovering
Failing and RecoveringFailing and Recovering
Failing and Recovering
TechWell
 
Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization
TechWell
 
Test Design for Fully Automated Build Architecture
Test Design for Fully Automated Build ArchitectureTest Design for Fully Automated Build Architecture
Test Design for Fully Automated Build Architecture
TechWell
 
System-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good StartSystem-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good Start
TechWell
 
Build Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test StrategyBuild Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test Strategy
TechWell
 
Testing Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for SuccessTesting Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for Success
TechWell
 
Implement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlowImplement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlow
TechWell
 
Develop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your SanityDevelop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your Sanity
TechWell
 
Ma 15
Ma 15Ma 15
Ma 15
TechWell
 
Eliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps StrategyEliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps Strategy
TechWell
 
Transform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOpsTransform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOps
TechWell
 
The Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—LeadershipThe Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—Leadership
TechWell
 
Resolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile TeamsResolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile Teams
TechWell
 
Pin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile GamePin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile Game
TechWell
 
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsAgile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
TechWell
 
A Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps ImplementationA Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps Implementation
TechWell
 
Databases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery ProcessDatabases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery Process
TechWell
 
Mobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to AutomateMobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to Automate
TechWell
 
Cultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for SuccessCultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for Success
TechWell
 
Turn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile TransformationTurn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile Transformation
TechWell
 

Más de TechWell (20)

Failing and Recovering
Failing and RecoveringFailing and Recovering
Failing and Recovering
 
Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization Instill a DevOps Testing Culture in Your Team and Organization
Instill a DevOps Testing Culture in Your Team and Organization
 
Test Design for Fully Automated Build Architecture
Test Design for Fully Automated Build ArchitectureTest Design for Fully Automated Build Architecture
Test Design for Fully Automated Build Architecture
 
System-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good StartSystem-Level Test Automation: Ensuring a Good Start
System-Level Test Automation: Ensuring a Good Start
 
Build Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test StrategyBuild Your Mobile App Quality and Test Strategy
Build Your Mobile App Quality and Test Strategy
 
Testing Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for SuccessTesting Transformation: The Art and Science for Success
Testing Transformation: The Art and Science for Success
 
Implement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlowImplement BDD with Cucumber and SpecFlow
Implement BDD with Cucumber and SpecFlow
 
Develop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your SanityDevelop WebDriver Automated Tests—and Keep Your Sanity
Develop WebDriver Automated Tests—and Keep Your Sanity
 
Ma 15
Ma 15Ma 15
Ma 15
 
Eliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps StrategyEliminate Cloud Waste with a Holistic DevOps Strategy
Eliminate Cloud Waste with a Holistic DevOps Strategy
 
Transform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOpsTransform Test Organizations for the New World of DevOps
Transform Test Organizations for the New World of DevOps
 
The Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—LeadershipThe Fourth Constraint in Project Delivery—Leadership
The Fourth Constraint in Project Delivery—Leadership
 
Resolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile TeamsResolve the Contradiction of Specialists within Agile Teams
Resolve the Contradiction of Specialists within Agile Teams
 
Pin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile GamePin the Tail on the Metric: A Field-Tested Agile Game
Pin the Tail on the Metric: A Field-Tested Agile Game
 
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile TeamsAgile Performance Holarchy (APH)—A Model for Scaling Agile Teams
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
 
A Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps ImplementationA Business-First Approach to DevOps Implementation
A Business-First Approach to DevOps Implementation
 
Databases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery ProcessDatabases in a Continuous Integration/Delivery Process
Databases in a Continuous Integration/Delivery Process
 
Mobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to AutomateMobile Testing: What—and What Not—to Automate
Mobile Testing: What—and What Not—to Automate
 
Cultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for SuccessCultural Intelligence: A Key Skill for Success
Cultural Intelligence: A Key Skill for Success
 
Turn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile TransformationTurn the Lights On: A Power Utility Company's Agile Transformation
Turn the Lights On: A Power Utility Company's Agile Transformation
 

Último

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Security Testing for Testing Professionals

  • 1. TE AM Tutorial 4/30/13 8:30AM Security Testing for Testing Professionals Presented by: Jeff Payne Coveros, Inc. Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073 888-268-8770 ∙ 904-278-0524 ∙ sqeinfo@sqe.com ∙ www.sqe.com
  • 2. Jeff Payne Jeff Payne is CEO and founder of Coveros, Inc., a software company that builds secure software applications using agile methods. Since its inception in 2008, Coveros has become a market leader in secure agile principles and has been recognized by Inc. magazine as one of the fastest growing private US companies. Prior to founding Coveros, Jeff was chairman of the board, CEO, and cofounder of Cigital, Inc., a market leader in software security consulting. Jeff has published more than thirty papers on software development and testing, and testified before Congress on issues of national importance, including intellectual property rights, cyberterrorism, and software quality.
  • 3. 9/5/2012 Security Testing for Test Professionals © Copyright 2011 Coveros, Inc.. All rights reserved. 1 About Coveros Coveros helps organizations accelerate the delivery of secure, reliable software Our consulting services: – – – – Agile software development Application security Software quality assurance Software process improvement Corporate Partners Our key markets: – – – – Financial services Healthcare Defense Critical Infrastructure © Copyright 2011 Coveros, Inc.. All rights reserved. 2 1
  • 4. 9/5/2012 Agenda Introduction to Security Testing Security Testing Framework Appropriate Security Testing Tools Wrap up © Copyright 2011 Coveros, Inc.. All rights reserved. 3 Trainer Jeffery Payne Jeffery Payne is CEO and founder of Coveros, Inc., a software company that helps organizations accelerate the delivery of secure, reliable software. Coveros uses agile development methods and a proven software assurance framework to build security and quality into software from the ground up. Prior to founding Coveros, Jeffery was Chairman of the Board, CEO, and co-founder of Cigital, Inc. Under his direction, Cigital became a leader in software security and software quality solutions, helping clients mitigate the risk of software failure. Jeffery is a recognized software expert and popular speaker at both business and technology conferences on a variety of software quality, security, and agile development topics. He has also testified before Congress on issues of national importance, including intellectual property rights, cyber-terrorism, Software research funding, and software quality. © Copyright 2011 Coveros, Inc.. All rights reserved. 4 2
  • 5. 9/5/2012 Expectations What are your expectations for this tutorial? What do you wish to learn? What questions do you want answered? © Copyright 2011 Coveros, Inc.. All rights reserved. 5 Introduction to Security Testing © Copyright 2011 Coveros, Inc.. All rights reserved. 6 3
  • 6. 9/5/2012 What is Information Security? When you hear the term “Information Security” and “Security Testing”: What do you think they mean? What comes to mine? © Copyright 2011 Coveros, Inc.. All rights reserved. 7 What is Information Security? Definition of Information Security Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The key concepts of Information Security include: – – – – – Confidentiality Integrity Availability Authenticity Non-Repudiation © Copyright 2011 Coveros, Inc.. All rights reserved. 8 4
  • 7. 9/5/2012 The Software Security Problem Our IT systems are not castles any longer! © Copyright 2011 Coveros, Inc.. All rights reserved. 9 Understanding Risk How to Define Security Risk in Software Common Security Nomenclature – Risk: a possible future event which, if it occurs, will lead to an undesirable outcome – Threat: A potential cause of an undesirable outcome – Vulnerability: Any weakness, administrative process, or act of physical exposure that makes an information asset susceptible to exploit by a threat. – An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic. © Copyright 2011 Coveros, Inc.. All rights reserved. 10 5
  • 8. 9/5/2012 Security Testing What? How? Security Testing is testing used to determine whether an information system protects its data from its threats. Security Testing is not a silver bullet for your enterprise security. Security Testing doesn’t fix your security, it only makes you aware of it. Security must be built into your software A sound Security Testing process performs testing activities: – – – – – Before development begins During requirements definition and software design During implementation During deployment During maintenance and operations © Copyright 2011 Coveros, Inc.. All rights reserved. 11 Security Testing Framework © Copyright 2011 Coveros, Inc.. All rights reserved. 12 6
  • 9. 9/5/2012 Security testing before development begins Overview “Testing” before development begins is really a QA function to assess the readiness of the organization to build secure software applications. Always remember that security testing evaluates the security posture of your applications, it does not build security in. Irrespective of your findings, do not become the “quality police”. © Copyright 2011 Coveros, Inc.. All rights reserved. 13 Security testing before development begins Review Security Policies and Standards Understand the policies and standards that have been adopted by the organization and their relationship to software security Examples: – – – – Privacy policies regarding your customer data Service level agreements with clients IT security standards you must adhere to PCI compliance activities for credit card transactions Your goal is to understand these policies and standards to the level that will allow you to validate security requirements and effectively test the end product against them © Copyright 2011 Coveros, Inc.. All rights reserved. 14 7
  • 10. 9/5/2012 Security testing before development begins Review Secure Software Development Lifecycle If the security of your software is an enterprise concern, the development team should be adhering to a defined secure software development lifecycle model. – Defines development activities that builds security in – Defines security testing activities performed by appropriate parties (development, testing, security org, operations, etc.) Common secure software development models – Microsoft’s Secure Development Lifecycle (SDL) – Coveros SecureAgile process – There are others as well Secure software standards – Secure coding standard © Copyright 2011 Coveros, Inc.. All rights reserved. 15 Security testing during definition and design Overview Testing activities during requirements definition and software design focus on assuring that security has been effectively integrated into software requirements and the overall architecture and design of the product Typical activities include: – – – – Security requirements development/validation Architecture and design reviews Threat modeling Test strategy and planning © Copyright 2011 Coveros, Inc.. All rights reserved. 16 8
  • 11. 9/5/2012 Security testing during definition and design What is a Security Requirement? Security Requirements describe functional and nonfunctional requirements that need to be satisfied in order to achieve the security attributes of an IT system or application. What does that mean? Security Requirements are formulated at different levels of abstraction and provide how the system should act, and what should not happen. The major difference you may notice is the use of “negative requirements”. We stop thinking about what the application should do and start thinking about how we can get it to do something it was never intended to. © Copyright 2011 Coveros, Inc.. All rights reserved. 17 Functional Requirements Your Standard Definition Functional Requirements: These are statements of services the system should provide, how the system should react to particular inputs and how the system should behave in particular situations. In some cases, the functional requirements may also have explicitly state what the system should not do. Where does the Security fit in? Each Functional Security Requirement utilizes uses case and misuse cases. These requirements reflect potential threats to the system. © Copyright 2011 Coveros, Inc.. All rights reserved. 18 9
  • 12. 9/5/2012 Exercise Functional Security Requirements Break into teams of 2-3 people. Each team will identify potential misuse cases with the following security requirement, if any exist. If a misuse case is identified, write a replacement or additional functional requirement(s). – It would be best to make sure no misuse cases can be derived from your new requirement(s). Exercise Time Limit: 15 Minutes © Copyright 2011 Coveros, Inc.. All rights reserved. 19 Exercise Functional Security Requirement SecureChat Authentication Requirements – When a user attempts to authenticate with a valid username and an invalid password, the application shall not authenticate the user and return them to the authentication page. – The system must alert the user that their attempt to authenticate has failed due to an incorrect password (“Invalid Password”) utilizing the standard error text formatting. – When a user attempts to authenticate with a invalid username, the application shall not authenticate the user and return them to the authentication page. – The system must alert the user that their attempt to authenticate has failed due to an incorrect username (“Invalid Username”) utilizing the standard error text formatting. – What a user attempts to authenticate using a username and a valid password, the application shall authenticate the user and redirect them to the homepage. © Copyright 2011 Coveros, Inc.. All rights reserved. 20 10
  • 13. 9/5/2012 Exercise Functional Security Requirements Discussion How could an attacker attempt to thwart the system? What are the core information security concepts we should be concerned with? What issues exist with the current requirements? How would you fix the current requirements? © Copyright 2011 Coveros, Inc.. All rights reserved. 21 Exercise Formal Authentication Use/Misuse Case Artifact Enter username and password Threatens SecureChat User User authentication Brute Force Attack Mitigates Show generic error message Guess User Accounts Mitigates Lock account after N failed login attempts SecureChat Server Hacker Mitigates Dictionary Attacks Mitigates Validate password minimum length and complexity © Copyright 2011 Coveros, Inc.. All rights reserved. 22 11
  • 14. 9/5/2012 Non-Functional Requirements Your Standard Definition Non-Functional Requirements: These are constraints on the services or functions offered by the system. They include timing constraints, constraints on the development process and standards. Non-functional requirements often apply to the system as a whole. They do not usually just apply to individual system features or services. Where does the Security fit in? These are security related architectural requirements, like "robustness" or "minimal performance and scalability". This requirement type is typically derived from architectural principals and good practice standards. They could also be required activities during development like “coding guidelines”, “data classification” and “test methodology”. © Copyright 2011 Coveros, Inc.. All rights reserved. 23 Non-Functional Requirements Examples SecureChat shall ensure that data is protected from unauthorized access at all times. SecureChat shall have an availability of 99.9%. SecureChat shall process a minimum of 8 transactions per second. Each SecureChat build must undergo static-analysis prior to release. All external communications between the application and the SecureChat central servers must be encrypted. © Copyright 2011 Coveros, Inc.. All rights reserved. 24 12
  • 15. 9/5/2012 Security testing during definition and design Architectural and Design Reviews Architectural and design reviews focus on determining whether the stated architecture / design enforces the appropriate level of security as defined in the requirements. Typically performed by security architects and/or other software leads within the organization. Examines these artifacts for flaws such as: – Violation of trust boundaries – Distributed control of authorization – Custom algorithms for cryptography / random number generation © Copyright 2011 Coveros, Inc.. All rights reserved. 25 Security testing during definition and design Assessing your risk – Answers the ‘so what?’ question Identifying threats and flaws in your design only result in better security if the flaws are mitigated to minimize the threat. But at what cost to the organization? What benefit? How do you convince management to fund mitigation efforts? © Copyright 2011 Coveros, Inc.. All rights reserved. 26 13
  • 16. 9/5/2012 Security testing during definition and design Threat modeling / risk assessment Threat modeling – a process by which any threats to a piece of software are identified and mitigated A variety of approaches exist for doing threat modeling Microsoft STRIDE model – – – – Diagram your system – high level dataflow diagrams Identify threats – each type of entity/interaction has enemies Mitigate threats – determine security controls Validate mitigations – test effectiveness of these controls The basis for comprehensive security testing © Copyright 2011 Coveros, Inc.. All rights reserved. 27 Security testing during definition and design Risk Assessments Information on architectural flaws and known threats from our threat model are often combined together to estimate the likelihood and consequence of a flaw resulting in significant business impact Highly Likely Likely Unlikely Business-critical High priority Priority Priority Business concern High priority Priority Not a Priority Minor or cosmetic Not a Priority Not a Priority Not a Priority © Copyright 2011 Coveros, Inc.. All rights reserved. 28 14
  • 17. 9/5/2012 Exercise Risk Assessment Your company, SecureTelco, has developed an instant messaging program to be used for private use in customers homes and for companies and government agencies. SecureChat requires users to sign up with an account prior to using the system. After authenticating with a username and password, each user can message other users and expect their conversations to be private. Users have the ability to add/remove friends from their contact list, search for friends based on their email, block users from IMing them, become “invisible” to all users on demand. Messages archives and activities logs document user behavior and can be retrieved by the user or a SecreTelco Administrator through the application or by the administrative console, respectively. © Copyright 2011 Coveros, Inc.. All rights reserved. 29 Exercise Risk Assessment Highly Likely Likely Unlikely Business-critical High priority Priority Priority Business concern High priority Priority Not a Priority Minor or cosmetic Not a Priority Not a Priority Not a Priority © Copyright 2011 Coveros, Inc.. All rights reserved. 30 15
  • 18. 9/5/2012 Exercise Risk Assessment Discussion What threats exist for this application? What features, if implemented incorrectly, provide a threat with an opportunity and how big would it be? What would be your business justification for correcting these issues? © Copyright 2011 Coveros, Inc.. All rights reserved. 31 Test strategy and planning Overview A security test strategy should include the inputs to the individual test plans and test plans that include: – A specification of what types of tests should be performed, – A specification of which what point in the delivery process should they be performed, – What the expected output of each test plan is. The extent of your strategy obviously depends on the scale of the project you're running, but much of this content is reusable in smaller more focused projects or in more agile security engineering programs. © Copyright 2011 Coveros, Inc.. All rights reserved. 32 16
  • 19. 9/5/2012 Developing a security test plan What should be included? Describe and detail your process and procedures for security testing – – – – When should testing begin? How are test results reported? Who validates and verifies findings/results? When are vulnerabilities addressed? Types of tests you should include in your test plan: – – – – Security Feature Testing Risk Based Testing of functional and non-functional requirements Internal Penetration Tests External (Independent) Penetration Tests © Copyright 2011 Coveros, Inc.. All rights reserved. 33 Integrating security requirements in test plans Know your Security Requirements It is important that each tester understand the security requirements for your application and what they imply. Often Security requirements may come in conflict with another type of requirement. If there are conflicts, it is important that you identify those concerns and the requirements are clarified by a Business Analyst. In most organizations, security requirements are not well defined if it all. A general rule of thumb: Make sure your core information security concepts are all covered. If not, request that they are. Understand which security requirements are functional and which are non-functional, this will have an impact how you plan to test them. © Copyright 2011 Coveros, Inc.. All rights reserved. 34 17
  • 20. 9/5/2012 Integrating security requirements in test plans Testing Security Requirements Feature testing covers positive security requirements. This typically ensures the software behaves according to customer expectations. Example – If security requirements state that the length of any user input must be validated, then a feature test suite should be created to exercise the application inputs and verify that this requirement is implemented correctly. Testers should also cover negative security testing or RiskDriven testing. Each test is intended to probe for a specific risk or vulnerability. These risk may have been identified during your risk assessment. Example – Cross Site Scripting and SQL Injection; These vulnerabilities are not obviously features of the application, therefore the fall under the negative security requirements umbrella. © Copyright 2011 Coveros, Inc.. All rights reserved. 35 Security testing during implementation Overview Testing activities during implementation focus on assuring that the software is implemented properly according to its requirements and design Key activities during implementation include: – Secure code review – identifying security vulnerabilities in source code – Testing individual components/features for security – Testing requirements at the appropriate level © Copyright 2011 Coveros, Inc.. All rights reserved. 36 18
  • 21. 9/5/2012 Security testing during implementation Secure code review Secure code review identifies vulnerabilities within source code that potentially impact system security. Examples – Buffer overflows – Race conditions Secure code review is a combination of manual and automated analysis – Tool providers: HP Fortify, IBM Ounce, Coverity Secure code review is typically done by developers or a dedicated security team © Copyright 2011 Coveros, Inc.. All rights reserved. 37 Security testing during implementation Testing components and features The testing of components and individual features will identify code that improperly implements functionality against its requirements. While some feature testing has historically been done at the system level, more and more of this type of testing today is done on individual units / stories by either a developer or code savvy test engineer. Review of tests performed at this level should look for common gaps that lead to security issues: – Inadequate testing of error handling routines – Insufficient protection during system reboot – Forgetting to test administrative capabilities © Copyright 2011 Coveros, Inc.. All rights reserved. 38 19
  • 22. 9/5/2012 Security testing during implementation Testing common security controls Due to the security-critical nature of many of our applications, it is common to see the following security controls implemented within our software. Each must be validated in order to work! Authentication & Access Control Input Validation & Encoding Encryption User and Session Management Error and Exception Handling Auditing and Logging © Copyright 2011 Coveros, Inc.. All rights reserved. 39 Common Approaches to Authentication All About Authentication When we refer to authentication in computer security, we refer to the process of attempting to verify the digital identity of the sender of a communication. – A common example of such a process it the login process. – Authentication always depends upon using one or more authentication factors. Testing authentication schemas means understanding how the process works and using that information to circumvent the authentication mechanism. © Copyright 2011 Coveros, Inc.. All rights reserved. 40 20
  • 23. 9/5/2012 Common Approaches to Authentication Authentication Testing Schemas Credentials transport over an encrypted channel – The tester must try to understand if the data inputted by the user is transmitted using secure protocols that protect them from an attacker or not. Testing for user enumeration – The tester must verify if it is possible to collect a set of valid users by interacting with the authentication mechanism of the application. This will become useful for brute force testing. Testing for guessable (dictionary) user accounts – The tester must validate that there are no default user accounts or guessable username/password combinations Brute force testing – When dictionary attacks don’t succeed, the tester can attempt brute force methods to gain access. This is not often easy to accomplish because of time constraints. © Copyright 2011 Coveros, Inc.. All rights reserved. 41 Common Approaches to Authentication Authentication Testing Schemas (cont.) Testing for bypassing authentication schema – The tester must validate that other application resources are adequately protected, and can’t be used to bypass authentication using those other resources. Testing for vulnerable remember password and password reset features – The tester must analyze how the application manages the process of “password resets”. The tester must all check whether the application allows the user to store passwords in the browser. Testing for logout and browser cache management – The tester must check that the logout and caching functions are properly implemented. © Copyright 2011 Coveros, Inc.. All rights reserved. 42 21
  • 24. 9/5/2012 Common Approaches to Authentication Authentication Testing Schemas (cont.) Testing for CAPTCHA – Used by many applications to ensure the response is not generated by a computer, CAPTCHA (“Completely Automated Public Trust test to tell Computers and Humans Apart”) implementations are often vulnerable to various kinds of attacks. Testing multiple factor authentication – The tester must test the following scenarios: One Time Password Generator Tokens Crypto devices like USB tokens or smart cards X.509 Certificates Random OTP sent via SMS Testing for race conditions – The tester must ensure that an unexpected result on a multithread application doesn’t create an authentication flaw. By their nature, Race Conditions are difficult to test for © Copyright 2011 Coveros, Inc.. All rights reserved. 43 Common Approaches to Authentication Authentication Testing Schemas (cont.) Testing for session management schema – The tester must test the security of a session tokens issues to the client browser: How to reverse engineer a cookie How to manipulate cookies to hijack a session Testing for cookie attributes – The tester must check if an application can take the necessary precautions when assigning cookies and test the cookie attributes. Testing for session fixation – The tester must validate that an application renews the cookie after a successful user authentication, so that an attacker could not utilize a session fixation vulnerability. © Copyright 2011 Coveros, Inc.. All rights reserved. 44 22
  • 25. 9/5/2012 Common Approaches to Authentication Authentication Testing Schemas (cont.) Testing for exposed session variables – The tester must validate that it is not possible to create a replay session attack utilizing exposed session information. Testing for CSRF (Cross Site Request Forgery) – The tester must ensure that there is not a way to force an unknowing user to execute unwanted actions on a web application they are authenticated on. © Copyright 2011 Coveros, Inc.. All rights reserved. 45 Security testing during implementation Risk-based Testing Risk-based Testing focuses on testing that the risks identified during threat modeling and design reviews were properly mitigated in the code Define negative tests that validate these issues have been mitigated. Perform these tests at whatever level is appropriate to identify any remaining vulnerabilities. © Copyright 2011 Coveros, Inc.. All rights reserved. 46 23
  • 26. 9/5/2012 Security testing during implementation Integration and Systems Testing Testing non-functional security requirements that span features within the system Includes Web Application Security testing of any web-based interfaces Often includes Penetration Testing type activities to “test like a hacker” – – – – Fuzzing Password crackers Network port scanners Dynamic input strings © Copyright 2011 Coveros, Inc.. All rights reserved. 47 Security testing during deployment Overview Testing during the deployment process focuses on those tests that cannot be adequately completed within a development/QA environment plus any third party IV&V – Penetration testing – Load and performance testing (for availability) – Configuration testing Penetration testing is typically done by a team of security experts © Copyright 2011 Coveros, Inc.. All rights reserved. 48 24
  • 27. 9/5/2012 Security testing during maintenance / support Overview Testing during maintenance and support focuses on: – Assuring that any identified vulnerabilities within the application, supporting software, or network configuration are patched and revalidated © Copyright 2011 Coveros, Inc.. All rights reserved. 49 © Copyright 2011 Coveros, Inc.. All rights reserved. 50 Supporting tools 25
  • 28. 9/5/2012 Tools to Support Security Testing Secure Code Scanners Where to use? – Analyze source code for inherent vulnerabilities and/or compliance with secure coding standards Free Tools – – – – FxCop FindBugs RATS clang Paid Tools – HP Fortify – IBM Ounce – Coverity © Copyright 2011 Coveros, Inc.. All rights reserved. 51 Tools to Support Security Testing Web Application Scanners Where to use? – Looking for XSS, Injection and input validation vulnerabilities; some tools will attempt to actively exploit vulnerabilities. Free Tools – – – – – Nikto W3af Paros Skipfish wfuzz Paid Tools – Netsparker – WebSecurify © Copyright 2011 Coveros, Inc.. All rights reserved. 52 26
  • 29. 9/5/2012 Tools to Support Security Testing Password Crackers/Brute Force Tools Where to use? – When you want to break the default credentials or test your authentication mechanisms against common security tools. Free Tools – THC Hydra – Cain and Abel – Wfuzz Paid Tools – John the Ripper © Copyright 2011 Coveros, Inc.. All rights reserved. 53 Tools to Support Security Testing Network Security Tools Where to use? – Scanning for mis-configurations – Testing for OS, application and network vulnerabilities Free Tools – OpenVAS Paid Tools – Nessus – Core Impact © Copyright 2011 Coveros, Inc.. All rights reserved. 54 27