
Automated Security Testing

A case study of Agile SDLC integration

Software Confidence. Achieved.

Frank Hurley Aravind Venkataraman Sagar Dongre

www.cigital.com

Dec10

Outline

- QA testing vs. Security testing
- Cigital services
- Software Security program
- Security testing
- Security testing framework

Copyright 2009 Cigital, Inc. Proprietary and Confidential.

v1.2 Oct09

QA testing vs. Security testing

QA testing
- Checks that the app does what it's supposed to do
  - Meets stated business requirements(!)
  - Test cases derived from requirements
  - Positive/negative test cases
  - Test coverage (RTM, requirements traceability matrix)
- Ensures the app doesn't break/crash/etc.
  - Many unstated requirements
  - Exploratory testing
- Normal, expected use
  - Corner cases, but within what a user might do

QA testing vs. Security testing

Security testing
- Checks that the app does not do what it's not supposed to do
  - The requirement is implied, not stated in the business requirements
  - Malicious or erroneous user input
  - URL tampering
  - Bypassing JavaScript (client-side validation)
- Ensures the app doesn't break/crash/etc.
  - Crash = potential exploit
- Misuse/abuse cases
  - Actions the system should prevent
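The misuse/abuse cases on this slide turned into automated checks, as an added example that is not from the Cigital deck or any client system: a small WSGI application (constructed here) with an order lookup and a registration endpoint, driven directly without a browser so that the page's client-side JavaScript is out of the picture. Each check asserts that the app refuses an action rather than that it performs one, and that malformed input yields a 4xx rather than a crash. The route names, sample users, session-token scheme and username rule are assumptions made for the example.

```python
import re
from http.cookies import SimpleCookie
from io import BytesIO
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Constructed sample data for the demo app (not from any real system).
ORDERS = {"1001": {"owner": "alice", "total": 42},
          "1002": {"owner": "bob", "total": 17}}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")  # assumed rule; the page's JS applies the same one
MAX_BODY = 1024


def app(environ, start_response):
    """Minimal WSGI app: an order lookup and a registration handler.
    Everything the browser-side JavaScript would check is re-checked here,
    because a security test (or an attacker) never runs that JavaScript."""
    method = environ["REQUEST_METHOD"]
    path = environ["PATH_INFO"]
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    user = SESSIONS.get(jar["session"].value) if "session" in jar else None

    def reply(status, text):
        start_response(status, [("Content-Type", "text/plain")])
        return [text.encode()]

    if method == "GET" and path.startswith("/orders/"):
        if user is None:
            return reply("401 Unauthorized", "login required")
        order = ORDERS.get(path[len("/orders/"):])
        # Authorization, not just authentication: the object must belong
        # to the session user, or tampering with the id in the URL works.
        if order is None or order["owner"] != user:
            return reply("403 Forbidden", "not your order")
        return reply("200 OK", f"total={order['total']}")

    if method == "POST" and path == "/register":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            return reply("400 Bad Request", "bad content length")
        if length > MAX_BODY:
            return reply("413 Payload Too Large", "body too large")
        body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
        username = parse_qs(body).get("username", [""])[0]
        if not USERNAME_RE.match(username):
            return reply("400 Bad Request", "invalid username")
        return reply("201 Created", f"registered {username}")

    return reply("404 Not Found", "no such route")


def call(method, path, body=b"", session=None):
    """Drive the app directly, as a scanner or test harness would: no
    browser, so no client-side validation stands between us and the server."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "wsgi.input": BytesIO(body), "CONTENT_LENGTH": str(len(body))}
    if session:
        environ["HTTP_COOKIE"] = f"session={session}"
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    text = b"".join(app(environ, start_response)).decode()
    return captured["status"], text


def run_abuse_cases():
    """Each case is an action the system should prevent. The expected result
    is a refusal (4xx), never a 5xx: a crash is a potential exploit."""
    results = {}
    # Positive, QA-style cases for contrast: the stated requirement works.
    results["own_order"] = call("GET", "/orders/1001", session="tok-alice")[0]
    results["valid_register"] = call("POST", "/register", b"username=alice_01")[0]
    # URL tampering: alice edits the order id in the URL to bob's order.
    results["url_tampering"] = call("GET", "/orders/1002", session="tok-alice")[0]
    # No session cookie at all.
    results["anonymous"] = call("GET", "/orders/1001")[0]
    # Bypassing JavaScript: post a value the page's JS would have rejected.
    results["bypass_js"] = call(
        "POST", "/register", b"username=%3Cscript%3Ealert(1)%3C%2Fscript%3E")[0]
    # Malicious or erroneous input: oversized and non-UTF-8 bodies.
    results["oversized"] = call("POST", "/register", b"username=" + b"A" * 5000)[0]
    results["garbage"] = call("POST", "/register", b"\xff\xfe\x00\x01=\xff")[0]
    return results


if __name__ == "__main__":
    for name, status in run_abuse_cases().items():
        print(f"{name:15s} {status}")
```

The harness talks to the application the way AppScan or a scripted test would, below the browser, which is exactly why "the JavaScript validates it" is never an acceptable answer to a security finding. The same `run_abuse_cases` style slots into a CI job: the build fails if any case returns something other than the refusal it expects.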

Software Assurance services

Software Security
- Secure design
- Secure coding
- Security testing
- Continuous integration

Software Quality
- Agile testing
- Test automation
- Continuous integration
- Test process improvement


Software Assurance services at a client

- Security scanning platform
- Security code review
- Security testing
- Continuous integration

Quality assurance
- Agile testing
- Test automation
- Continuous integration


Building Security into SDLC


Software Security program


Static analysis | Dynamic analysis

Static analysis
- Code review
- Bug patterns in code
- Coding defects
- Quality/reliability defects
- Automation: HP Fortify
  - Think CheckStyle, PMD
  - Ant, Maven integration

Dynamic analysis
- Penetration testing
- Security test injection
- Configuration defects
- Exploit proof-of-concepts
- Automation: IBM AppScan
  - Think QTP, WinRunner
  - QualityCenter integration


Security scanning framework


Thank you
