Novataig 2011-1-12 Security Testing
TRANSCRIPT
-
8/13/2019 Novataig 2011-1-12 Security Testing
Software Confidence. Achieved.
Dec10
Automated Security Testing: A case study of Agile SDLC integration
www.cigital.com
Frank Hurley, Aravind Venkataraman, Sagar Dongre
-
Outline
QA testing vs. Security testing
Cigital services
Software Security program
Security testing
Security testing framework
v1.2 Oct09 Copyright 2009 Cigital, Inc. Proprietary and Confidential.
-
QA testing vs. Security testing
QA testing
Checks that the app does what it's supposed to do
Meets stated business requirements (!)
Test cases derived from requirements
Positive/negative test cases
Test coverage (RTM)
Ensure the app doesn't break/crash/etc.
Many unstated requirements
Exploratory testing
Normal, expected use
Corner cases, but within what a user might do
-
QA testing vs. Security testing
Security testing
Checks that the app does not do what it's not supposed to do
Requirement is implied, not stated in the business requirements
Malicious/erroneous user input
URL tampering
Bypassing JavaScript (client-side checks)
Ensure the app doesn't break/crash/etc.
Crash = potential exploit
Misuse/abuse cases
Actions the system should prevent
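The contrast on this slide, as an added example that is not part of the Cigital deck: a QA test derived from the stated requirement ("a user can view their own account") next to security tests derived from abuse cases (URL tampering, bypassing the browser's JavaScript length check, input that makes the server crash). The account endpoint, the data, and the two handler functions are hypothetical and constructed here; the vulnerable handler is deliberately written to trust what the browser already validated, so the abuse cases fail against it while the QA case still passes.

```python
"""QA test case vs. security test cases against a toy account endpoint.
Added example with hypothetical handlers and constructed data; not code
from the deck."""
from dataclasses import dataclass

# Constructed data store: account id -> owner and balance.
ACCOUNTS = {1: {"owner": "alice", "balance": 100}, 2: {"owner": "bob", "balance": 250}}
MAX_MEMO = 50  # the limit the page's JavaScript enforces in the browser


@dataclass
class Response:
    status: int
    body: str


def handle_vulnerable(session_user, params):
    """Server side that trusts the browser's JavaScript checks.
    Deliberately weak so the abuse cases below fail visibly."""
    account_id = int(params["id"])     # raises on a non-numeric id (crash)
    memo = params.get("memo", "")      # no server-side length check
    acct = ACCOUNTS[account_id]        # no ownership check; KeyError on unknown id
    return Response(200, f"{acct['owner']} balance={acct['balance']} memo={memo[:10]}")


def handle_hardened(session_user, params):
    """Same endpoint, validating and authorising on the server."""
    raw_id = params.get("id", "")
    if not raw_id.isdigit():
        return Response(400, "bad id")
    memo = params.get("memo", "")
    if len(memo) > MAX_MEMO:
        return Response(400, "memo too long")
    acct = ACCOUNTS.get(int(raw_id))
    if acct is None or acct["owner"] != session_user:
        return Response(403, "forbidden")  # same answer for missing and foreign accounts
    return Response(200, f"{acct['owner']} balance={acct['balance']} memo={memo[:10]}")


def call(handler, user, params):
    """Drive the handler the way a test harness would; an unhandled exception is a crash."""
    try:
        return handler(user, params)
    except Exception:
        return Response(500, "crash")


def qa_positive_case(handler):
    """QA test derived from the requirement: a user can view their own account."""
    r = call(handler, "alice", {"id": "1", "memo": "rent"})
    return r.status == 200 and "balance=100" in r.body


def security_abuse_cases(handler):
    """Security tests derived from abuse cases. Each value is True when the
    app refuses to do what it is not supposed to do."""
    results = {}
    # URL tampering: alice edits id=1 to id=2 in the address bar.
    r = call(handler, "alice", {"id": "2"})
    results["url_tampering"] = r.status == 403 and "bob" not in r.body
    # Bypassing JavaScript: the browser caps memo at MAX_MEMO, but an
    # intercepting proxy can send any length straight to the server.
    r = call(handler, "alice", {"id": "1", "memo": "A" * 5000})
    results["bypass_js_length"] = r.status == 400
    # Erroneous input: crash = potential exploit, so a 500 counts as a failure.
    r = call(handler, "alice", {"id": "abc"})
    results["no_crash_on_bad_input"] = r.status == 400
    # An unknown account must not be distinguishable from a foreign one.
    r = call(handler, "alice", {"id": "999"})
    results["unknown_account"] = r.status == 403
    return results


if __name__ == "__main__":
    for name, h in (("vulnerable", handle_vulnerable), ("hardened", handle_hardened)):
        print(name, "QA:", qa_positive_case(h), "security:", security_abuse_cases(h))
```

Running the block shows the point of the slide: both handlers pass the QA case, because it only exercises the stated requirement; only the abuse cases separate the handler that trusts the client from the one that does not.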
-
Software Assurance services
Software Security: Secure design, Secure coding, Security testing, Continuous integration
Software Quality: Agile testing, Test automation, Continuous integration, Test process improvement
-
Software Assurance services at a client
Software Security: Security scanning platform, Security code review, Security testing, Continuous integration
Quality assurance: Agile testing, Test automation, Continuous integration
-
Building Security into SDLC
-
Software Security program
-
Static analysis | Dynamic analysis
Static analysis
Code review
Bug patterns in code
Coding defects
Quality/reliability defects
Automation: HP Fortify (think CheckStyle, PMD); Ant, Maven integration
Dynamic analysis
Penetration testing
Security test injection
Configuration defects
Exploit proof-of-concepts
Automation: IBM AppScan (think QTP, WinRunner); QualityCenter integration
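What "bug patterns in code" plus build integration looks like in practice, as an added example that is not from the deck, Fortify, or PMD: a minimal line-oriented pattern scanner over a constructed Java snippet, and the gate a continuous-integration step would apply to its findings. The rules, priorities, sample source and threshold are all constructed here; the real tools named on the slide work on the AST and data flow, and this is written in Python rather than as an Ant or Maven plugin purely so that it runs stand-alone.

```python
"""Toy bug-pattern scanner and CI build gate. Added example; rules, sample
source and thresholds are constructed and are not from any named tool."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    priority: int   # 1 = highest, mirroring the PMD-style priority scale
    line: int
    text: str


# (rule name, priority, pattern). Constructed for this example.
RULES = [
    ("sql-string-concat", 1,
     re.compile(r'\.(executeQuery|execute|executeUpdate|prepareStatement)\s*\(\s*".*"\s*\+')),
    ("runtime-exec", 1, re.compile(r'Runtime\.getRuntime\(\)\.exec\(')),
    ("hardcoded-password", 2, re.compile(r'(?i)(password|passwd|pwd)\s*=\s*"[^"]+"')),
    ("empty-catch", 3, re.compile(r'catch\s*\([^)]*\)\s*\{\s*\}')),
    ("system-out", 4, re.compile(r'System\.out\.print')),
]


def scan_source(source: str):
    """Run every rule over every non-comment line; return findings ordered by priority, then line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):   # comment-only lines are not code
            continue
        for name, prio, rx in RULES:
            if rx.search(line):
                findings.append(Finding(name, prio, lineno, stripped))
    return sorted(findings, key=lambda f: (f.priority, f.line))


def build_passes(findings, fail_at_priority: int = 2):
    """CI gate: the build fails on any finding at or above the threshold priority."""
    return not any(f.priority <= fail_at_priority for f in findings)


# Constructed Java snippet containing one instance of each pattern.
SAMPLE_JAVA = '''
public class AccountDao {
    private String password = "hunter2";
    public ResultSet find(Connection c, String id) throws SQLException {
        Statement st = c.createStatement();
        // the concatenation below is the pattern under test, not a recommendation
        return st.executeQuery("SELECT * FROM acct WHERE id = " + id);
    }
    public void ping(String host) throws IOException {
        Runtime.getRuntime().exec("ping " + host);
        try { Thread.sleep(10); } catch (InterruptedException e) { }
        System.out.println("done");
    }
}
'''

if __name__ == "__main__":
    fs = scan_source(SAMPLE_JAVA)
    for f in fs:
        print(f"P{f.priority} {f.rule} line {f.line}: {f.text}")
    print("BUILD", "SUCCESS" if build_passes(fs) else "FAILURE")
```

The gate threshold is the knob a team tunes when wiring a scanner into the build: failing on priority 1 and 2 findings only, as here, keeps the coding-hygiene rules (empty catch blocks, console output) visible in the report without blocking the pipeline on them.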
-
Static analysis | Dynamic analysis
-
Security scanning framework
-
Thank you
Software Confidence. Achieved.